Bug 827034 - Teach rhsmcertd to refresh the identity certificate
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: subscription-manager
Version: 5.9
Hardware: Unspecified Unspecified
Priority: high Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: William Poteat
QA Contact: Entitlement Bugs
Keywords: ZStream
Duplicates: 834309
Depends On:
Blocks: 738066 771748 827035 834309 838091
Reported: 2012-05-31 09:34 EDT by James Bowes
Modified: 2013-01-10 06:02 EST

Doc Type: Bug Fix
Doc Text:
Pasted from https://errata.devel.redhat.com/errata/details/13433: * Client ID certificates expire after one year, and previously could be regenerated only manually by the user. With this update, the client can automatically retrieve an updated client ID certificate from the entitlement server if this is supported by the target instance. (BZ#838091)
Clones: 827035
Last Closed: 2012-12-10 16:42:16 EST
Type: Bug


Description James Bowes 2012-05-31 09:34:36 EDT
rhsmcertd should check the server for a newer version of its id certificate in the same way it does for entitlement certificates, and grab it if appropriate. 

As things stand, the certificates expire in one year, and are only regenerated via a manual command run on the client. We're adding support to autoregen of the id cert in candlepin, but the client still needs to learn how to grab it. Without this, after a year of registration, a sysadmin will have to manually refresh the cert. That would get very annoying!
Comment 1 Alex Wood 2012-06-19 15:53:48 EDT
Note that this bug has been cloned to bug #827035

commit bfff510f60ccc647f60ffdcb56b0101e1cccfe57
Refs: <origin/827035>, subscription-manager-1.0.3-1-77-gbfff510
Author:     jesus m. rodriguez <jmrodri@gmail.com>
AuthorDate: Mon Jun 11 17:43:35 2012 -0400
Commit:     jesus m. rodriguez <jmrodri@gmail.com>
CommitDate: Mon Jun 18 11:03:01 2012 -0400

    827035: update identity certificate
Comment 2 RHEL Product and Program Management 2012-06-19 16:08:27 EDT
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 3 Michael Stead 2012-06-21 09:49:26 EDT
*** Bug 834309 has been marked as a duplicate of this bug. ***
Comment 4 Sharath Dwaral 2012-07-05 17:40:50 EDT
# rpm -qa | egrep "subscription-manager|python-rhsm"
subscription-manager-migration-1.0.6-1.el5
subscription-manager-1.0.6-1.el5
subscription-manager-gui-1.0.6-1.el5
subscription-manager-debuginfo-1.0.6-1.el5
python-rhsm-1.0.3-1.el5
subscription-manager-firstboot-1.0.6-1.el5

# curl -k -u testuser1:password -stderr /dev/null https://fsharath-candlepin.usersys.redhat.com:8443/candlepin/status | python -msimplejson/tool
{
    "release": "1", 
    "result": true, 
    "standalone": true, 
    "timeUTC": "2044-05-01T04:05:50.708+0000", 
    "version": "0.7.3"
}

# subscription-manager config --server.hostname fsharath-candlepin.usersys.redhat.com --server.port 8443 --server.prefix /candlepin --server.insecure 1

# subscription-manager register --org=admin
Username: testuser1
Password: 
The system has been registered with id: b0f9baf1-2fda-4817-a1cc-0ca72989c368 

# openssl x509 -text -in /etc/pki/consumer/cert.pem |grep -A2 Validity
        Validity
            Not Before: Jun  5 21:30:45 2012 GMT
            Not After : Jun  5 21:30:45 2028 GMT


Executing the below command on client and server (dates should be in sync)

# date 050100002028
Mon May  1 00:00:00 EDT 2028

# service rhsmcertd restart
Stopping rhsmcertd                                         [FAILED]
Starting rhsmcertd 240 1440                                [  OK  ]
[root@fsharath-rhel59server sub-man]# openssl x509 -text -in /etc/pki/consumer/cert.pem |grep -A2 Validity
        Validity
            Not Before: May  1 04:00:18 2028 GMT
            Not After : May  1 04:00:18 2044 GMT

Moving Bug to VERIFIED
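
The Validity check from the verification above, automated as an added example (not part of the original comment and not subscription-manager code). It parses the `openssl x509 -text` Validity block and classifies the identity certificate against a clock. The function names and the 90-day `renew_within_days` threshold are assumptions; the page does not state the server's renewal window.

```python
import re
from datetime import datetime, timezone

# Constructed samples: the Validity blocks shown in comment 4, before and
# after rhsmcertd was restarted with the clock moved to May 2028.
BEFORE_REFRESH = """\
        Validity
            Not Before: Jun  5 21:30:45 2012 GMT
            Not After : Jun  5 21:30:45 2028 GMT
"""
AFTER_REFRESH = """\
        Validity
            Not Before: May  1 04:00:18 2028 GMT
            Not After : May  1 04:00:18 2044 GMT
"""

_FIELD = re.compile(r"^\s*Not (Before|After)\s*:\s*(.+?)\s+GMT\s*$", re.M)


def parse_validity(text):
    """Return (not_before, not_after) as UTC datetimes from x509 -text output."""
    found = {}
    for kind, stamp in _FIELD.findall(text):
        # openssl pads single-digit days with an extra space; collapse it.
        parsed = datetime.strptime(" ".join(stamp.split()), "%b %d %H:%M:%S %Y")
        found[kind] = parsed.replace(tzinfo=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("Validity block not found or incomplete")
    return found["Before"], found["After"]


def assess(text, now, renew_within_days=90):
    """Classify a certificate; renew_within_days is an assumed threshold."""
    not_before, not_after = parse_validity(text)
    if now < not_before:
        return "not-yet-valid", None
    remaining = not_after - now
    if remaining.total_seconds() <= 0:
        return "expired", remaining.days
    if remaining.days < renew_within_days:
        return "refresh-due", remaining.days
    return "ok", remaining.days


if __name__ == "__main__":
    # `date 050100002028` in EDT is 04:00:00 UTC on 1 May 2028.
    test_clock = datetime(2028, 5, 1, 4, 0, 0, tzinfo=timezone.utc)
    print(assess(BEFORE_REFRESH, test_clock))
    print(assess(AFTER_REFRESH, test_clock.replace(minute=5)))
```

The "not-yet-valid" branch matters for this kind of test: a certificate issued seconds after the clock change is rejected by a client whose clock lags the server, which is why the comment notes that the dates should be in sync.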
Comment 8 Bryan Kearney 2012-12-10 16:42:16 EST
Bug Clean Up, these are in the current release.
