Bug 827034 - Teach rhsmcertd to refresh the identity certificate
Summary: Teach rhsmcertd to refresh the identity certificate
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: subscription-manager
Version: 5.9
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: William Poteat
QA Contact: Entitlement Bugs
URL:
Whiteboard:
Duplicates: 834309
Depends On:
Blocks: 738066 771748 827035 834309 838091
Reported: 2012-05-31 13:34 UTC by James Bowes
Modified: 2013-01-10 11:02 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Pasted from https://errata.devel.redhat.com/errata/details/13433: * Client ID certificates expire after one year, and previously could be regenerated only manually by the user. With this update, the client can automatically retrieve an updated client ID certificate from the entitlement server if this is supported by the target instance. (BZ#838091)
Clone Of:
Clones: 827035
Environment:
Last Closed: 2012-12-10 21:42:16 UTC
Target Upstream Version:
Embargoed:


Links
System: Red Hat Product Errata
ID: RHBA-2013:0033
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: subscription-manager bug fix and enhancement update
Last Updated: 2013-01-08 08:38:27 UTC

Description James Bowes 2012-05-31 13:34:36 UTC
rhsmcertd should check the server for a newer version of its id certificate in the same way it does for entitlement certificates, and grab it if appropriate. 

As things stand, the certificates expire in one year, and are only regenerated via a manual command run on the client. We're adding support to autoregen of the id cert in candlepin, but the client still needs to learn how to grab it. Without this, after a year of registration, a sysadmin will have to manually refresh the cert. That would get very annoying!

Comment 1 Alex Wood 2012-06-19 19:53:48 UTC
Note that this bug has been cloned to bug #827035

commit bfff510f60ccc647f60ffdcb56b0101e1cccfe57
Refs: <origin/827035>, subscription-manager-1.0.3-1-77-gbfff510
Author:     jesus m. rodriguez <jmrodri>
AuthorDate: Mon Jun 11 17:43:35 2012 -0400
Commit:     jesus m. rodriguez <jmrodri>
CommitDate: Mon Jun 18 11:03:01 2012 -0400

    827035: update identity certificate

Comment 2 RHEL Program Management 2012-06-19 20:08:27 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 3 Michael Stead 2012-06-21 13:49:26 UTC
*** Bug 834309 has been marked as a duplicate of this bug. ***

Comment 4 Sharath Dwaral 2012-07-05 21:40:50 UTC
# rpm -qa | egrep "subscription-manager|python-rhsm"
subscription-manager-migration-1.0.6-1.el5
subscription-manager-1.0.6-1.el5
subscription-manager-gui-1.0.6-1.el5
subscription-manager-debuginfo-1.0.6-1.el5
python-rhsm-1.0.3-1.el5
subscription-manager-firstboot-1.0.6-1.el5

# curl -k -u testuser1:password -stderr /dev/null https://fsharath-candlepin.usersys.redhat.com:8443/candlepin/status | python -msimplejson/tool
{
    "release": "1", 
    "result": true, 
    "standalone": true, 
    "timeUTC": "2044-05-01T04:05:50.708+0000", 
    "version": "0.7.3"
}

# subscription-manager config --server.hostname fsharath-candlepin.usersys.redhat.com --server.port 8443 --server.prefix /candlepin --server.insecure 1

# subscription-manager register --org=admin
Username: testuser1
Password: 
The system has been registered with id: b0f9baf1-2fda-4817-a1cc-0ca72989c368 

# openssl x509 -text -in /etc/pki/consumer/cert.pem |grep -A2 Validity
        Validity
            Not Before: Jun  5 21:30:45 2012 GMT
            Not After : Jun  5 21:30:45 2028 GMT


Executing the below command on client and server (dates should be in sync)

# date 050100002028
Mon May  1 00:00:00 EDT 2028

# service rhsmcertd restart
Stopping rhsmcertd                                         [FAILED]
Starting rhsmcertd 240 1440                                [  OK  ]
[root@fsharath-rhel59server sub-man]# openssl x509 -text -in /etc/pki/consumer/cert.pem |grep -A2 Validity
        Validity
            Not Before: May  1 04:00:18 2028 GMT
            Not After : May  1 04:00:18 2044 GMT

Moving Bug to VERIFIED
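
The before/after comparison in Comment 4, automated as an added example (not part of the bug report or of subscription-manager's own code): it parses the `Validity` lines quoted above, classifies the identity certificate at a given time, and confirms that a refresh took place. The function names and the 90-day alert window are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Validity lines copied from Comment 4 (output of
# `openssl x509 -text -in /etc/pki/consumer/cert.pem | grep -A2 Validity`).
BEFORE_RESTART = """\
        Validity
            Not Before: Jun  5 21:30:45 2012 GMT
            Not After : Jun  5 21:30:45 2028 GMT
"""
AFTER_RESTART = """\
        Validity
            Not Before: May  1 04:00:18 2028 GMT
            Not After : May  1 04:00:18 2044 GMT
"""

_FIELD = re.compile(r"^\s*Not (Before|After)\s*:\s*(.+?)\s+GMT\s*$", re.M)


def parse_validity(text):
    """Return (not_before, not_after) as naive UTC datetimes."""
    found = {}
    for kind, stamp in _FIELD.findall(text):
        # openssl pads single-digit days with a space; normalise before parsing.
        found[kind] = datetime.strptime(" ".join(stamp.split()), "%b %d %H:%M:%S %Y")
    if set(found) != {"Before", "After"}:
        raise ValueError("Validity block lacks Not Before or Not After")
    return found["Before"], found["After"]


def cert_status(text, now, renew_window=timedelta(days=90)):
    """Classify a certificate at time `now` (UTC). The 90-day window is an
    assumed alerting threshold, not a value taken from candlepin."""
    not_before, not_after = parse_validity(text)
    if now < not_before:
        return "not-yet-valid"   # usually clock skew between client and server
    if now >= not_after:
        return "expired"
    return "renew-due" if not_after - now <= renew_window else "ok"


def was_refreshed(old_text, new_text):
    """True when the new certificate was issued later and expires later."""
    old_nb, old_na = parse_validity(old_text)
    new_nb, new_na = parse_validity(new_text)
    return new_nb > old_nb and new_na > old_na


if __name__ == "__main__":
    now = datetime(2028, 5, 1, 4, 5, 0)  # shortly after the `date` change in Comment 4
    print(cert_status(BEFORE_RESTART, now), cert_status(AFTER_RESTART, now),
          was_refreshed(BEFORE_RESTART, AFTER_RESTART))
```

A `renew-due` or `expired` result that persists after rhsmcertd has run indicates the identity certificate was not refreshed on that client.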

Comment 8 Bryan Kearney 2012-12-10 21:42:16 UTC
Bug Clean Up, these are in the current release.

