Bug 827032 - Support autoregen of identity certificates
Status: CLOSED ERRATA
Product: Subscription Asset Manager
Classification: Red Hat
Component: candlepin
1.3
Unspecified Unspecified
unspecified Severity unspecified
: rc
: 1.3
Assigned To: Devan Goodwin
sthirugn@redhat.com
: Triaged
Depends On:
Blocks: sam13-tracker 995949
Reported: 2012-05-31 09:31 EDT by James Bowes
Modified: 2013-10-01 06:47 EDT

Doc Type: Bug Fix
: 995949 (view as bug list)
Last Closed: 2013-10-01 06:47:35 EDT
Type: Bug
Description James Bowes 2012-05-31 09:31:42 EDT
As discussed previously, candlepin id certs last for 1 year, and are only recreated via manual regeneration from the client side.

We should make the certs last longer than 1 year (16?)
We should also regenerate the certificate when it is requested if it is going to expire within a certain threshold (90 days?)
Comment 2 RHEL Product and Program Management 2012-05-31 09:48:40 EDT
Thank you for your bug report. This issue was evaluated for inclusion
in the current release of Subscription Asset Manager (SAM). Unfortunately,
we are unable to address this request. Because we are in the final stages
of development in the current release, only significant, release-blocking
issues involving serious regressions and data corruption can be considered.

If you believe this issue meets the release blocking criteria as defined and
communicated to you by your Red Hat Support representative, please ask
your representative to file this issue as a blocker for the current release.
Otherwise, ask that it be evaluated for inclusion in the next release of SAM.
Comment 7 Bryan Kearney 2013-03-22 15:29:07 EDT
This was added in commit 88750675891209f68c7cff24b4aef446017ea824 which was delivered with 0.7.3.
Comment 8 Tazim Kolhar 2013-08-13 08:42:58 EDT
FailedQA :


was referring to https://bugzilla.redhat.com/show_bug.cgi?id=834558#c7
for verification

 # rpm -q subscription-manager
 subscription-manager-0.99.19-1.el6.x86_64

 # curl -k -u admin:admin -stderr /dev/null https://hp-sl4540gen8-01.rhts.eng.bos.redhat.com:8443/candlepin/status | python -msimplejson/tool
{
    "managerCapabilities": [
        "cores", 
        "ram", 
        "instance_multiplier", 
        "derived_product", 
        "cert_v3"
    ], 
    "release": "1", 
    "result": true, 
    "rulesSource": "DEFAULT", 
    "rulesVersion": "4.0", 
    "standalone": true, 
    "timeUTC": "2013-08-13T12:36:09.912+0000", 
    "version": "0.8.19"
}

 Configure client to a candlepin server
 # subscription-manager config --server.hostname  hp-sl4540gen8-01.rhts.eng.bos.redhat.com --server.port 8443 --server.prefix /candlepin --server.insecure 1

 Register a client to candlepin server
 # subscription-manager register --username admin --password admin --org   ACME_Corporation --force
  Insufficient permissions

 Unable to register
Comment 9 Bryan Kearney 2013-08-20 14:17:31 EDT
Moving back to NEW to have it worked on.
Comment 10 Devan Goodwin 2013-08-26 11:59:44 EDT
Moving this back to ON_QA, Tazim can you please look into verifying this again? The fact that you cannot register even before doing anything with dates / certificates is a strong indication something is wrong in your environment. 

Once you can register normally, then you can proceed with the steps to verify the bug.
Comment 11 sthirugn@redhat.com 2013-09-10 10:27:46 EDT
FAILED.

SAM 1.3 Snap 5: Version Tested:
katello-headpin-all-1.4.3-12.el6sam_splice.noarch
katello-headpin-1.4.3-12.el6sam_splice.noarch

Steps:
client# rpm -Uvh http://sam-server/pub/candlepin-cert-consumer-latest.noarch.rpm

client# subscription-manager register --org=ACME_Corporation --username=**** --password=****
The system has been registered with id: 3afe75ff-df20-4a48-bcd7-639d80647d6c 

client# rpm -q subscription-manager
subscription-manager-1.1.23-1.el6.x86_64

client# openssl x509 -text -in /etc/pki/consumer/cert.pem | grep -A2 Validity
        Validity
            Not Before: Sep 10 02:39:41 2013 GMT
            Not After : Sep 10 02:39:41 2029 GMT

server# date 061010112029

client# date 061010112029

client# openssl x509 -text -in /etc/pki/consumer/cert.pem |grep -A2 Validity
        Validity
            Not Before: Sep 10 03:04:50 2013 GMT
            Not After : Sep 10 03:04:50 2029 GMT
Comment 12 sthirugn@redhat.com 2013-09-10 10:42:06 EDT
Missed one step in Comment 7:

client# service rhsmcertd restart

client# openssl x509 -text -in /etc/pki/consumer/cert.pem |grep -A2 Validity
        Validity
            Not Before: Sep 10 03:04:50 2013 GMT
            Not After : Sep 10 03:04:50 2029 GMT
Comment 13 sthirugn@redhat.com 2013-09-10 13:41:08 EDT
1. I also tried setting the sam server and using the same box as client
2. I tried executing /usr/libexec/rhsmcertd-worker 

None of these fixed the issue.
Comment 15 Carter Kozak 2013-09-10 16:11:18 EDT
Works for me with candlepin from master.
Comment 16 Bryan Kearney 2013-09-11 11:41:13 EDT
Suresh:

Any chance of getting on the box to recreate it?
Comment 17 sthirugn@redhat.com 2013-09-13 00:22:12 EDT
Verified.  

Steps:
# subscription-manager register
Username: $user
Password: 
The system has been registered with id: 1970b479-cdd6-4593-ab5e-3658e4cede2f 

# openssl x509 -text -in /etc/pki/consumer/cert.pem |grep -A2 Validity
        Validity
            Not Before: Sep 13 11:29:04 2013 GMT
            Not After : Sep 13 11:29:04 2029 GMT

# date -s "+15 years +11 months"
Mon Aug 13 07:30:17 EDT 2029

# /usr/libexec/rhsmcertd-worker
Updating entitlement certificates & repositories
server: 4580594865596027231
local:  5290141054483019406
129 updates required
done

# openssl x509 -text -in /etc/pki/consumer/cert.pem |grep -A2 Validity
        Validity
            Not Before: Aug 13 11:30:36 2029 GMT
            Not After : Aug 13 11:30:36 2045 GMT

Version Tested:
* candlepin-0.8.25-1.el6sam.noarch
* candlepin-cert-consumer-cloud-qe-7.idm.lab.bos.redhat.com-1.0-1.noarch
* candlepin-scl-1-5.el6_4.noarch
* candlepin-scl-quartz-2.1.5-5.el6_4.noarch
* candlepin-scl-rhino-1.7R3-1.el6_4.noarch
* candlepin-scl-runtime-1-5.el6_4.noarch
* candlepin-selinux-0.8.25-1.el6sam.noarch
* candlepin-tomcat6-0.8.25-1.el6sam.noarch
* elasticsearch-0.19.9-8.el6sat.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.4.2-2.el6sat.noarch
* katello-cli-1.4.3-10.el6sat.noarch
* katello-cli-common-1.4.3-10.el6sat.noarch
* katello-common-1.4.3-12.el6sam_splice.noarch
* katello-configure-1.4.4-4.el6sat.noarch
* katello-glue-candlepin-1.4.3-12.el6sam_splice.noarch
* katello-glue-elasticsearch-1.4.3-12.el6sam_splice.noarch
* katello-headpin-1.4.3-12.el6sam_splice.noarch
* katello-headpin-all-1.4.3-12.el6sam_splice.noarch
* katello-selinux-1.4.4-2.el6sat.noarch
* thumbslug-0.0.34-1.el6sam.noarch
* thumbslug-selinux-0.0.34-1.el6sam.noarch
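
Added example, not part of the original thread and not candlepin or subscription-manager code: a check that parses the `Validity` block printed by `openssl x509 -text` and decides whether an identity certificate falls inside the regeneration window. The 90-day threshold is the value proposed in the description and is an assumption here, as are the names `parse_validity`, `needs_regen` and `SAMPLE_VALIDITY`.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: 90 days is the window proposed in the bug description,
# not a confirmed candlepin setting.
REGEN_THRESHOLD = timedelta(days=90)

# Constructed sample: the Validity block as printed in the verification comment.
SAMPLE_VALIDITY = """\
        Validity
            Not Before: Sep 13 11:29:04 2013 GMT
            Not After : Sep 13 11:29:04 2029 GMT
"""

_FIELD = re.compile(r"Not (Before|After)\s*:\s*(.+?)\s+GMT")


def parse_validity(openssl_text):
    """Return (not_before, not_after) in UTC from `openssl x509 -text` output."""
    found = {}
    for label, stamp in _FIELD.findall(openssl_text):
        # openssl pads single-digit days ("Sep  3"), so collapse whitespace first
        stamp = " ".join(stamp.split())
        parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
        found[label] = parsed.replace(tzinfo=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("Validity block missing or incomplete")
    return found["Before"], found["After"]


def needs_regen(not_after, now, threshold=REGEN_THRESHOLD):
    """True when the certificate is expired or expires within the threshold."""
    return not_after - now <= threshold


if __name__ == "__main__":
    not_before, not_after = parse_validity(SAMPLE_VALIDITY)
    # Clock values: registration time, and the 07:30:17 EDT clock from the
    # thread expressed in UTC.
    for now in (not_before, datetime(2029, 8, 13, 11, 30, 17, tzinfo=timezone.utc)):
        left = (not_after - now).days
        print(f"{now:%Y-%m-%d}: {left} days left, regenerate={needs_regen(not_after, now)}")
```

Comparing in UTC matters when reproducing the test: `date` sets the local clock, while the certificate fields are printed in GMT.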
Comment 19 errata-xmlrpc 2013-10-01 06:47:35 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1390.html
