Bug 800533 - Need 10-year certs on AMIs
Summary: Need 10-year certs on AMIs
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: releng
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Jay Greguske
QA Contact: mkovacik
URL:
Whiteboard:
Depends On: 800532
Blocks:
Reported: 2012-03-06 16:40 UTC by Jay Greguske
Modified: 2013-02-05 14:01 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 800532
Environment:
Last Closed: 2013-01-30 16:25:16 UTC
Target Upstream Version:
Embargoed:



Description Jay Greguske 2012-03-06 16:40:10 UTC
+++ This bug was initially created as a clone of Bug #800532 +++

The current certificates on RHEL AMIs expire early since they were generated when the life of RHEL was 7 years. Newer AMIs should have certs that expire after 10 years from the major release.

Comment 2 Suzanne Logcher 2012-05-18 20:52:32 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 4 mkovacik 2012-05-22 10:05:30 UTC
Checking ami-48bc1b21 (us-east-1), the following cert dates can be obtained. The result, however, is that neither the beta (6.3) nor the release (6.2??) rhui configuration rpms contain certificates valid for 10 years. See the screenlog below.

## 
[root@domU-12-31-39-0F-C8-89 ~]# ls /etc/yum.repos.d/
redhat-rhui-beta.repo  redhat-rhui-client-config-beta.repo  redhat-rhui-client-config.repo  redhat-rhui.repo  rhel-source.repo  rhui-load-balancers.conf
[root@domU-12-31-39-0F-C8-89 ~]# rpm -qf /etc/yum.repos.d/redhat-rhui-client-config-beta.repo
rh-amazon-rhui-client-beta-2.2.49-1.el6_2.noarch
[root@domU-12-31-39-0F-C8-89 ~]# rpm -ql rh-amazon-rhui-client-beta | grep '\.crt' 
/etc/pki/entitlement/product/content-rhel6-beta.crt
/etc/pki/entitlement/product/rhui-client-config-server-6-beta.crt
[root@domU-12-31-39-0F-C8-89 ~]# rpm -ql rh-amazon-rhui-client-beta | grep '\.crt' | xargs -I {} openssl x509 -noout -dates -in {}                                                                                                                                         
notBefore=Mar 29 18:34:17 2012 GMT
notAfter=Nov 30 18:34:17 2020 GMT
notBefore=Mar 29 18:38:42 2012 GMT
notAfter=Nov 30 18:38:42 2020 GMT

[root@domU-12-31-39-0F-C8-89 ~]# rpm -qf /etc/yum.repos.d/redhat-rhui-client-config.repo 
rh-amazon-rhui-client-2.2.49-1.el6_2.noarch
[root@domU-12-31-39-0F-C8-89 ~]# rpm -ql rh-amazon-rhui-client | grep '\.crt' 
/etc/pki/entitlement/ca.crt
/etc/pki/entitlement/cdn.redhat.com-chain.crt
/etc/pki/entitlement/product/content-rhel6.crt
/etc/pki/entitlement/product/rhui-client-config-server-6.crt
[root@domU-12-31-39-0F-C8-89 ~]# rpm -ql rh-amazon-rhui-client | grep '\.crt' | xargs -I {} openssl x509 -noout -dates -in {}
notBefore=Aug 23 19:46:02 2011 GMT
notAfter=Nov 30 19:46:02 2017 GMT
notBefore=Mar 18 11:24:54 2010 GMT
notAfter=Mar 13 11:24:54 2030 GMT
notBefore=Mar 29 18:31:28 2012 GMT
notAfter=Nov 30 18:31:28 2020 GMT
notBefore=Mar 29 18:38:07 2012 GMT
notAfter=Nov 30 18:38:07 2020 GMT
[root@domU-12-31-39-0F-C8-89 ~]#

Comment 5 mkovacik 2012-05-22 10:15:02 UTC
Adding some configuration rpm info...

##
[root@domU-12-31-39-0F-C8-89 ~]# rpm -qi rh-amazon-rhui-client-beta
Name        : rh-amazon-rhui-client-beta   Relocations: (not relocatable)
Version     : 2.2.49                            Vendor: Red Hat, Inc.
Release     : 1.el6_2                       Build Date: Mon 23 Apr 2012 02:04:49 PM EDT
Install Date: Thu 03 May 2012 01:40:04 PM EDT      Build Host: s390-001.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: rh-amazon-rhui-client-2.2.49-1.el6_2.src.rpm
Size        : 10984                            License: BSD
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://redhat.com
Summary     : Yum repository and entitlement certificiate configuration for beta content
Description :
Configures yum to use the RHUI repositories for beta content.
You have mail in /var/spool/mail/root
[root@domU-12-31-39-0F-C8-89 ~]# rpm -qi rh-amazon-rhui-client
Name        : rh-amazon-rhui-client        Relocations: (not relocatable)
Version     : 2.2.49                            Vendor: Red Hat, Inc.
Release     : 1.el6_2                       Build Date: Mon 23 Apr 2012 02:04:49 PM EDT
Install Date: Mon 30 Apr 2012 03:57:26 PM EDT      Build Host: s390-001.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: rh-amazon-rhui-client-2.2.49-1.el6_2.src.rpm
Size        : 41189                            License: BSD
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://redhat.com
Summary     : Yum repository and entitlement certificate configuration
Description :
Configures yum to use the RHUI repositories.

Comment 6 Jay Greguske 2012-05-22 18:20:46 UTC
We were targeting 6.3 to get 10-year certificates available for yum
updates to continue working for all of RHEL 6's newly expanded life.
Unfortunately, it appears the ca.crt is still set for 2017, and changing
out the CA is not a trivial effort; we would need to regenerate all
certificates to make them work.

This is getting punted to 6.4.

Comment 7 Alexander Todorov 2012-05-23 12:21:04 UTC
Can you remove it from advisory then?

Comment 8 Jay Greguske 2012-05-23 12:38:50 UTC
Done

Comment 10 RHEL Program Management 2012-07-10 08:51:59 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 11 RHEL Program Management 2012-07-11 01:47:45 UTC
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

Comment 12 Dennis Gregorovic 2012-10-26 18:05:05 UTC
Jay, where are we with this?

Comment 13 Jay Greguske 2012-10-26 18:43:48 UTC
Hey James, any progress here? For 6.3 it involved replacing the CA I think which forced us to defer to 6.4. I don't want that to happen again...

Comment 14 Jay Greguske 2012-12-07 19:41:12 UTC
Latest rh-amazon-rhui-client has this, we just need to make sure it lands in the final AMIs.

rh-amazon-rhui-client-2.2.77-1.el6_3

Comment 16 Alexander Todorov 2013-01-15 09:53:02 UTC
Snap #3 contains:

rh-amazon-rhui-client-beta-2.2.77-1.el6_3.noarch
rh-amazon-rhui-client-2.2.77-1.el6_3.noarch


# rpm -ql rh-amazon-rhui-client | grep '\.crt'
/etc/pki/entitlement/ca.crt
/etc/pki/entitlement/cdn.redhat.com-chain.crt
/etc/pki/entitlement/product/content-rhel6.crt
/etc/pki/entitlement/product/rhui-client-config-server-6.crt

# rpm -ql rh-amazon-rhui-client | grep '\.crt' | xargs -I {} openssl x509 -noout -dates -in {}
notBefore=Aug 23 19:46:02 2011 GMT
notAfter=Nov 30 19:46:02 2017 GMT
notBefore=Mar 18 11:24:54 2010 GMT
notAfter=Mar 13 11:24:54 2030 GMT
notBefore=Mar 29 18:31:28 2012 GMT
notAfter=Nov 30 18:31:28 2020 GMT
notBefore=Mar 29 18:38:07 2012 GMT
notAfter=Nov 30 18:38:07 2020 GMT


# rpm -ql rh-amazon-rhui-client-beta | grep '\.crt'
/etc/pki/entitlement/product/content-rhel6-beta.crt
/etc/pki/entitlement/product/rhui-client-config-server-6-beta.crt

# rpm -ql rh-amazon-rhui-client-beta | grep '\.crt' | xargs -I {} openssl x509 -noout -dates -in {}
notBefore=Mar 29 18:34:17 2012 GMT
notAfter=Nov 30 18:34:17 2020 GMT
notBefore=Mar 29 18:38:42 2012 GMT
notAfter=Nov 30 18:38:42 2020 GMT


I don't see any difference from comment #4. Moving back to ASSIGNED.
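
The `xargs ... openssl x509 -noout -dates` output above does not say which file each date belongs to, so the 2017 CA date is easy to misread as a client certificate date. The following is an added example, not part of the original bug report or of any Red Hat tooling: it labels each end date with its path and flags those that fall before a required date. The threshold `REQUIRED` and the function names are assumptions; the sample listing pairs the paths and dates from comment 16 in listing order.

```sh
#!/bin/sh
# Added example: label each certificate end date with its file and compare
# it to a required date. REQUIRED is an assumed threshold (YYYYMMDDhhmmss).
REQUIRED=20201130000000

# Reads "path<TAB>notAfter=Mon DD hh:mm:ss YYYY GMT" lines on stdin, prints
# "OK|SHORT<TAB>path<TAB>date", and returns 1 if any certificate is SHORT.
check_enddates() {
  awk -F '\t' -v req="$1" '
    {
      d = $2; sub(/^notAfter=/, "", d)
      split(d, f, /[ :]+/)               # Mon DD hh mm ss YYYY GMT
      m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", f[1]) + 2) / 3
      key = sprintf("%04d%02d%02d%02d%02d%02d", f[6], m, f[2], f[3], f[4], f[5])
      status = ((key "") < (req "")) ? "SHORT" : "OK"
      if (status == "SHORT") bad = 1
      printf "%s\t%s\t%s\n", status, $1, d
    }
    END { exit bad + 0 }'
}

# On a live system (needs rpm and openssl): one labelled line per .crt file
# shipped by the package, in the input format check_enddates expects.
pkg_enddates() {
  rpm -ql "$1" | grep '\.crt$' | while read -r f; do
    printf '%s\t%s\n' "$f" "$(openssl x509 -noout -enddate -in "$f")"
  done
}

# Constructed sample: paths and dates from comment 16, paired in listing order.
sample_listing() {
  printf '%s\t%s\n' \
    /etc/pki/entitlement/ca.crt 'notAfter=Nov 30 19:46:02 2017 GMT' \
    /etc/pki/entitlement/cdn.redhat.com-chain.crt 'notAfter=Mar 13 11:24:54 2030 GMT' \
    /etc/pki/entitlement/product/content-rhel6.crt 'notAfter=Nov 30 18:31:28 2020 GMT' \
    /etc/pki/entitlement/product/rhui-client-config-server-6.crt 'notAfter=Nov 30 18:38:07 2020 GMT'
}

sample_listing | check_enddates "$REQUIRED" ||
  echo "at least one certificate expires before the required date"
```

On an instance, `pkg_enddates rh-amazon-rhui-client | check_enddates "$REQUIRED"` runs the same check against the installed files.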

Comment 17 Jay Greguske 2013-01-30 13:42:25 UTC
I'm confused. Adding James.

Comment 18 James Slagle 2013-01-30 13:54:29 UTC
Another bug was opened to update the CA: bugzilla 888456

The client entitlement certificates have the correct expiration date afaict.

Comment 19 James Slagle 2013-01-30 13:56:16 UTC
make that bug 888456

Comment 20 Dennis Gregorovic 2013-01-30 16:25:16 UTC
The dates on the client certs are correct.  closing as NOTABUG

Comment 23 James Slagle 2013-02-05 14:01:56 UTC
see comment 18

