As discussed previously, candlepin id certs last for 1 year, and are only recreated via manual regeneration from the client side. We should make the certs last longer than 1 year (16?). We should also regenerate the certificate when it is requested if it is going to expire within a certain threshold (90 days?).
Thank you for your bug report. This issue was evaluated for inclusion in the current release of Subscription Asset Manager (SAM). Unfortunately, we are unable to address this request. Because we are in the final stages of development in the current release, only significant, release-blocking issues involving serious regressions and data corruption can be considered. If you believe this issue meets the release blocking criteria as defined and communicated to you by your Red Hat Support representative, please ask your representative to file this issue as a blocker for the current release. Otherwise, ask that it be evaluated for inclusion in the next release of SAM.
This was added in commit 88750675891209f68c7cff24b4aef446017ea824 which was delivered with 0.7.3.

FailedQA: was referring to https://bugzilla.redhat.com/show_bug.cgi?id=834558#c7 for verification

# rpm -q subscription-manager
subscription-manager-0.99.19-1.el6.x86_64

# curl -k -u admin:admin -stderr /dev/null https://hp-sl4540gen8-01.rhts.eng.bos.redhat.com:8443/candlepin/status | python -msimplejson/tool
{
    "managerCapabilities": [
        "cores",
        "ram",
        "instance_multiplier",
        "derived_product",
        "cert_v3"
    ],
    "release": "1",
    "result": true,
    "rulesSource": "DEFAULT",
    "rulesVersion": "4.0",
    "standalone": true,
    "timeUTC": "2013-08-13T12:36:09.912+0000",
    "version": "0.8.19"
}

Configure client to a candlepin server
# subscription-manager config --server.hostname hp-sl4540gen8-01.rhts.eng.bos.redhat.com --server.port 8443 --server.prefix /candlepin --server.insecure 1

Register a client to candlepin server
# subscription-manager register --username admin --password admin --org ACME_Corporation --force
Insufficient permissions Unable to register

Moving back to NEW to have it worked on.
Moving this back to ON_QA. Tazim, can you please look into verifying this again? The fact that you cannot register even before doing anything with dates / certificates is a strong indication something is wrong in your environment. Once you can register normally, then you can proceed with the steps to verify the bug.

FAILED. SAM 1.3 Snap 5:

Version Tested:
katello-headpin-all-1.4.3-12.el6sam_splice.noarch
katello-headpin-1.4.3-12.el6sam_splice.noarch

Steps:
client# rpm -Uvh http://sam-server/pub/candlepin-cert-consumer-latest.noarch.rpm
client# subscription-manager register --org=ACME_Corporation --username=**** --password=****
The system has been registered with id: 3afe75ff-df20-4a48-bcd7-639d80647d6c
client# rpm -q subscription-manager
subscription-manager-1.1.23-1.el6.x86_64
client# openssl x509 -text -in /etc/pki/consumer/cert.pem | grep -A2 Validity
        Validity
            Not Before: Sep 10 02:39:41 2013 GMT
            Not After : Sep 10 02:39:41 2029 GMT
server# date 061010112029
client# date 061010112029
client# openssl x509 -text -in /etc/pki/consumer/cert.pem |grep -A2 Validity
        Validity
            Not Before: Sep 10 03:04:50 2013 GMT
            Not After : Sep 10 03:04:50 2029 GMT


Missed one step in Comment 7:
client# service rhsmcertd restart
client# openssl x509 -text -in /etc/pki/consumer/cert.pem |grep -A2 Validity
        Validity
            Not Before: Sep 10 03:04:50 2013 GMT
            Not After : Sep 10 03:04:50 2029 GMT


1. I also tried setting the sam server and using the same box as client
2. I tried executing /usr/libexec/rhsmcertd-worker
None of these fixed the issue.

Works for me with candlepin from master.
Suresh: Any chance of getting on the box to recreate it?

Verified.

Steps:
# subscription-manager register
Username: $user
Password:
The system has been registered with id: 1970b479-cdd6-4593-ab5e-3658e4cede2f
# openssl x509 -text -in /etc/pki/consumer/cert.pem |grep -A2 Validity
        Validity
            Not Before: Sep 13 11:29:04 2013 GMT
            Not After : Sep 13 11:29:04 2029 GMT
# date -s "+15 years +11 months"
Mon Aug 13 07:30:17 EDT 2029
# /usr/libexec/rhsmcertd-worker
Updating entitlement certificates & repositories server: 4580594865596027231 local: 5290141054483019406 129 updates required done
# openssl x509 -text -in /etc/pki/consumer/cert.pem |grep -A2 Validity
        Validity
            Not Before: Aug 13 11:30:36 2029 GMT
            Not After : Aug 13 11:30:36 2045 GMT

Version Tested:
* candlepin-0.8.25-1.el6sam.noarch
* candlepin-cert-consumer-cloud-qe-7.idm.lab.bos.redhat.com-1.0-1.noarch
* candlepin-scl-1-5.el6_4.noarch
* candlepin-scl-quartz-2.1.5-5.el6_4.noarch
* candlepin-scl-rhino-1.7R3-1.el6_4.noarch
* candlepin-scl-runtime-1-5.el6_4.noarch
* candlepin-selinux-0.8.25-1.el6sam.noarch
* candlepin-tomcat6-0.8.25-1.el6sam.noarch
* elasticsearch-0.19.9-8.el6sat.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.4.2-2.el6sat.noarch
* katello-cli-1.4.3-10.el6sat.noarch
* katello-cli-common-1.4.3-10.el6sat.noarch
* katello-common-1.4.3-12.el6sam_splice.noarch
* katello-configure-1.4.4-4.el6sat.noarch
* katello-glue-candlepin-1.4.3-12.el6sam_splice.noarch
* katello-glue-elasticsearch-1.4.3-12.el6sam_splice.noarch
* katello-headpin-1.4.3-12.el6sam_splice.noarch
* katello-headpin-all-1.4.3-12.el6sam_splice.noarch
* katello-selinux-1.4.4-2.el6sat.noarch
* thumbslug-0.0.34-1.el6sam.noarch
* thumbslug-selinux-0.0.34-1.el6sam.noarch

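
Added example, not part of the original thread and not candlepin or subscription-manager code: the "regenerate when close to expiry" rule from the report, applied to the Validity output and clock settings posted in the comments above. The 90-day threshold is only the value floated in the report, reading `date 061010112029` as UTC is an assumption, and the names `parse_validity` and `renewal_due` are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: 90 days is the threshold floated in the report; the thread does
# not state the value the fix shipped with.
RENEW_THRESHOLD = timedelta(days=90)

_STAMP = re.compile(
    r"Not (Before|After)\s*:\s*(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) GMT")

def parse_validity(openssl_text):
    """Return (not_before, not_after) as UTC datetimes from `openssl x509 -text`."""
    found = {}
    for label, stamp in _STAMP.findall(openssl_text):
        stamp = " ".join(stamp.split())  # openssl pads one-digit days: "Sep  1"
        parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")  # C/English locale
        found[label] = parsed.replace(tzinfo=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("Validity block missing or incomplete")
    return found["Before"], found["After"]

def renewal_due(openssl_text, now, threshold=RENEW_THRESHOLD):
    """True when the certificate has expired or expires within `threshold`."""
    _, not_after = parse_validity(openssl_text)
    return not_after - now <= threshold

# Validity output copied from the two test runs in this thread.
SEP10_CERT = """Validity
    Not Before: Sep 10 03:04:50 2013 GMT
    Not After : Sep 10 03:04:50 2029 GMT"""
SEP13_CERT = """Validity
    Not Before: Sep 13 11:29:04 2013 GMT
    Not After : Sep 13 11:29:04 2029 GMT"""

# Clocks the testers set. `date 061010112029` is read as UTC (assumption);
# "Mon Aug 13 07:30:17 EDT 2029" is 11:30:17 UTC.
JUN10_CLOCK = datetime(2029, 6, 10, 10, 11, tzinfo=timezone.utc)
AUG13_CLOCK = datetime(2029, 8, 13, 11, 30, 17, tzinfo=timezone.utc)

if __name__ == "__main__":
    for text, clock in ((SEP10_CERT, JUN10_CLOCK), (SEP13_CERT, AUG13_CLOCK)):
        left = parse_validity(text)[1] - clock
        print(f"{clock:%b %d %Y}: {left.days} days left, "
              f"renewal due: {renewal_due(text, clock)}")
```

Under these assumptions the June 10 clock leaves 91 days on the certificate, so no renewal is due, while the August 13 clock leaves 30 days, so renewal is due.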
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHEA-2013-1390.html