Bug 827035 - Teach rhsmcertd to refresh the identity certificate
Teach rhsmcertd to refresh the identity certificate
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: subscription-manager (Show other bugs)
6.3
Unspecified Unspecified
high Severity unspecified
: rc
: ---
Assigned To: Bryan Kearney
Entitlement Bugs
: ZStream
Depends On: 827034
Blocks: 771481 834309 834558
  Show dependency treegraph
 
Reported: 2012-05-31 09:36 EDT by James Bowes
Modified: 2014-01-31 14:09 EST (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 827034
: 834309 (view as bug list)
Environment:
Last Closed: 2012-12-10 16:41:53 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description James Bowes 2012-05-31 09:36:24 EDT
+++ This bug was initially created as a clone of Bug #827034 +++

rhsmcertd should check the server for a newer version of its id certificate in the same way it does for entitlement certificates, and grab it if appropriate. 

As things stand, the certificates expire in one year, and are only regenerated via a manual command run on the client. We're adding support to autoregen of the id cert in candlepin, but the client still needs to learn how to grab it. Without this, after a year of registration, a sysadmin will have to manually refresh the cert. That would get very annoying!
Comment 2 RHEL Product and Program Management 2012-06-04 01:48:31 EDT
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 3 Keqin Hong 2012-06-05 02:41:47 EDT
Hi James,

Could you provide QA steps for this new feature?

Thanks,
Keqin
Comment 4 Jesus M. Rodriguez 2012-06-19 14:33:36 EDT
Requires candlepin 0.7.3 or greater to do anything.

Testing
--------
Forcing identity certificate to get updated.

1) register client to candlepin

2) configure the server side candlepin to have an expiry threshold of 7304 (roughly 20 years) this will force candlepin to regenerate the identity certificate on EVERY call to getConsumer. The configuration entry is:

    candlepin.identityCert.expiry.threshold = 7304

The default value for expiry.threshold is 90 days. Identity Certificates are now generated so that they don't expire for 16 years (also configurable).

3) make note of the existing identity certificate date:
   ls -lart /etc/pki/consumer/

4) restart rhsmcertd: /sbin/service rhsmcertd restart

5) make note of updated identity certificate date:
   ls -lart /etc/pki/consumer/
Comment 5 Michael Stead 2012-06-20 07:53:27 EDT
Fixed in master by Jesus M. Rodriguez

commit: bfff510f60ccc647f60ffdcb56b0101e1cccfe57
Comment 10 John Sefler 2012-11-27 18:03:49 EST
Setup: The candlepin server (running version >= 0.7.3) that we will use to verify this bug is using these default configurations... 
# threshold in days before the expiration date for a consumer cert to be automatically regenerated during an rhsmcertd update (default is 90)
#candlepin.identityCert.expiry.threshold = 90
# validity duration for a consumer cert (default is 16 years - was originally 1 year)
#candlepin.identityCert.yr.addendum = 16

[root@jsefler-6 ~]# subscription-manager config --server.hostname=jsefler-f14-candlepin.usersys.redhat.com --server.port=8443 --server.prefix=/candlepin --server.insecure=1

Verifying Version...
[root@jsefler-6 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 0.7.19-1
subscription-manager: 1.1.10-1.el6
python-rhsm: 1.1.6-1.el6

[root@jsefler-6 ~]# subscription-manager register --username testuser1 --org admin
Password: 
The system has been registered with id: 2166d56d-90f9-4a2d-8bba-94c739081248 
[root@jsefler-6 ~]# subscription-manager identity
Current identity is: 2166d56d-90f9-4a2d-8bba-94c739081248
name: jsefler-6.usersys.redhat.com
org name: Admin Owner
org id: admin
[root@jsefler-6 ~]# openssl x509 -text -in /etc/pki/consumer/cert.pem |grep -A2 Validity
        Validity
            Not Before: Nov 27 22:41:14 2012 GMT
            Not After : Nov 27 22:41:14 2028 GMT
                                        ^^^^
VERIFIED: A newly created consumer cert is now valid for 16 years by default!


Now, let's fast-forward time to the future on both the candlepin server and the subscription-manager system to within 90 days before Nov 27 22:07:20 2028...

[root@jsefler-f14-candlepin ~]# date
Tue Nov 27 17:43:14 EST 2012
[root@jsefler-f14-candlepin ~]# date -s "10/01/2028"
Sun Oct  1 00:00:00 EDT 2028

[root@jsefler-6 ~]# date
Tue Nov 27 17:44:16 EST 2012
[root@jsefler-6 ~]# date -s "10/01/2028"
Sun Oct  1 00:00:00 EDT 2028

Now let's restart rhsmcertd and wait for a hard 2 minutes for the cert deamon to refresh certificate updates with the server... 
[root@jsefler-6 ~]# service rhsmcertd restart
Stopping rhsmcertd...                                      [  OK  ]
Starting rhsmcertd...                                      [  OK  ]
[root@jsefler-6 ~]# sleep 120
[root@jsefler-6 ~]# 

[root@jsefler-6 ~]# subscription-manager identity
Current identity is: 2166d56d-90f9-4a2d-8bba-94c739081248
name: jsefler-6.usersys.redhat.com
org name: Admin Owner
org id: admin
[root@jsefler-6 ~]# openssl x509 -text -in /etc/pki/consumer/cert.pem |grep -A2 Validity
        Validity
            Not Before: Oct  1 04:03:47 2028 GMT
            Not After : Oct  1 04:03:47 2044 GMT
                                        ^^^^
VERIFIED: The rhsmcertd deamon has has automatically updated the validity period for the same consumer UUID.  It is now valid for another 16 years!


Here is some more verification from the tail end of the rhsm.log that the consumer cert was automatically updated...
[root@jsefler-6 ~]# tail -f /var/log/rhsm/rhsm.log
2028-10-01 00:02:55,776 [DEBUG]  @connection.py:355 - Making request: GET /candlepin/consumers/2166d56d-90f9-4a2d-8bba-94c739081248
2028-10-01 00:02:55,940 [DEBUG]  @connection.py:368 - Response status: 200
2028-10-01 00:02:55,943 [DEBUG]  @certlib.py:180 - identity certificate changed, writing new one
2028-10-01 00:02:55,946 [INFO]  @managerlib.py:75 - Consumer created: {'consumer_name': 'jsefler-6.usersys.redhat.com', 'uuid': '2166d56d-90f9-4a2d-8bba-94c739081248'}


Moving to VERIFIED
Comment 11 Bryan Kearney 2012-12-10 16:41:53 EST
Bug Clean Up, these are in the current release.

Note You need to log in before you can comment on or make changes to this bug.