Bug 827035 - Teach rhsmcertd to refresh the identity certificate
Summary: Teach rhsmcertd to refresh the identity certificate
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: subscription-manager
Version: 6.3
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Bryan Kearney
QA Contact: Entitlement Bugs
URL:
Whiteboard:
Depends On: 827034
Blocks: 771481 834309 834558
Reported: 2012-05-31 13:36 UTC by James Bowes
Modified: 2014-01-31 19:09 UTC
CC List: 9 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 827034
: 834309 (view as bug list)
Environment:
Last Closed: 2012-12-10 21:41:53 UTC
Target Upstream Version:
Embargoed:




Links
Red Hat Bugzilla 923159 (Status: CLOSED, Priority: unspecified): rhsmcertd update is not automatically regenerating consumer cert (last updated 2021-02-22 00:41:40 UTC)

Internal Links: 923159

Description James Bowes 2012-05-31 13:36:24 UTC
+++ This bug was initially created as a clone of Bug #827034 +++

rhsmcertd should check the server for a newer version of its id certificate in the same way it does for entitlement certificates, and grab it if appropriate. 

As things stand, the certificates expire in one year, and are only regenerated via a manual command run on the client. We're adding support to autoregen of the id cert in candlepin, but the client still needs to learn how to grab it. Without this, after a year of registration, a sysadmin will have to manually refresh the cert. That would get very annoying!

Comment 2 RHEL Program Management 2012-06-04 05:48:31 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 3 Keqin Hong 2012-06-05 06:41:47 UTC
Hi James,

Could you provide QA steps for this new feature?

Thanks,
Keqin

Comment 4 Jesus M. Rodriguez 2012-06-19 18:33:36 UTC
Requires candlepin 0.7.3 or greater to do anything.

Testing
--------
Forcing identity certificate to get updated.

1) register client to candlepin

2) configure the server-side candlepin to have an expiry threshold of 7304 (roughly 20 years); this will force candlepin to regenerate the identity certificate on EVERY call to getConsumer. The configuration entry is:

    candlepin.identityCert.expiry.threshold = 7304

The default value for expiry.threshold is 90 days. Identity Certificates are now generated so that they don't expire for 16 years (also configurable).

3) make note of the existing identity certificate date:
   ls -lart /etc/pki/consumer/

4) restart rhsmcertd: /sbin/service rhsmcertd restart

5) make note of updated identity certificate date:
   ls -lart /etc/pki/consumer/

Comment 5 Michael Stead 2012-06-20 11:53:27 UTC
Fixed in master by Jesus M. Rodriguez

commit: bfff510f60ccc647f60ffdcb56b0101e1cccfe57

Comment 10 John Sefler 2012-11-27 23:03:49 UTC
Setup: The candlepin server (running version >= 0.7.3) that we will use to verify this bug is using these default configurations... 
# threshold in days before the expiration date for a consumer cert to be automatically regenerated during an rhsmcertd update (default is 90)
#candlepin.identityCert.expiry.threshold = 90
# validity duration for a consumer cert (default is 16 years - was originally 1 year)
#candlepin.identityCert.yr.addendum = 16

[root@jsefler-6 ~]# subscription-manager config --server.hostname=jsefler-f14-candlepin.usersys.redhat.com --server.port=8443 --server.prefix=/candlepin --server.insecure=1

Verifying Version...
[root@jsefler-6 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 0.7.19-1
subscription-manager: 1.1.10-1.el6
python-rhsm: 1.1.6-1.el6

[root@jsefler-6 ~]# subscription-manager register --username testuser1 --org admin
Password: 
The system has been registered with id: 2166d56d-90f9-4a2d-8bba-94c739081248 
[root@jsefler-6 ~]# subscription-manager identity
Current identity is: 2166d56d-90f9-4a2d-8bba-94c739081248
name: jsefler-6.usersys.redhat.com
org name: Admin Owner
org id: admin
[root@jsefler-6 ~]# openssl x509 -text -in /etc/pki/consumer/cert.pem |grep -A2 Validity
        Validity
            Not Before: Nov 27 22:41:14 2012 GMT
            Not After : Nov 27 22:41:14 2028 GMT
                                        ^^^^
VERIFIED: A newly created consumer cert is now valid for 16 years by default!


Now, let's fast-forward time to the future on both the candlepin server and the subscription-manager system to within 90 days before Nov 27 22:07:20 2028...

[root@jsefler-f14-candlepin ~]# date
Tue Nov 27 17:43:14 EST 2012
[root@jsefler-f14-candlepin ~]# date -s "10/01/2028"
Sun Oct  1 00:00:00 EDT 2028

[root@jsefler-6 ~]# date
Tue Nov 27 17:44:16 EST 2012
[root@jsefler-6 ~]# date -s "10/01/2028"
Sun Oct  1 00:00:00 EDT 2028

Now let's restart rhsmcertd and wait for a hard 2 minutes for the cert daemon to refresh certificate updates with the server... 
[root@jsefler-6 ~]# service rhsmcertd restart
Stopping rhsmcertd...                                      [  OK  ]
Starting rhsmcertd...                                      [  OK  ]
[root@jsefler-6 ~]# sleep 120
[root@jsefler-6 ~]# 

[root@jsefler-6 ~]# subscription-manager identity
Current identity is: 2166d56d-90f9-4a2d-8bba-94c739081248
name: jsefler-6.usersys.redhat.com
org name: Admin Owner
org id: admin
[root@jsefler-6 ~]# openssl x509 -text -in /etc/pki/consumer/cert.pem |grep -A2 Validity
        Validity
            Not Before: Oct  1 04:03:47 2028 GMT
            Not After : Oct  1 04:03:47 2044 GMT
                                        ^^^^
VERIFIED: The rhsmcertd daemon has automatically updated the validity period for the same consumer UUID.  It is now valid for another 16 years!


Here is some more verification from the tail end of the rhsm.log that the consumer cert was automatically updated...
[root@jsefler-6 ~]# tail -f /var/log/rhsm/rhsm.log
2028-10-01 00:02:55,776 [DEBUG]  @connection.py:355 - Making request: GET /candlepin/consumers/2166d56d-90f9-4a2d-8bba-94c739081248
2028-10-01 00:02:55,940 [DEBUG]  @connection.py:368 - Response status: 200
2028-10-01 00:02:55,943 [DEBUG]  @certlib.py:180 - identity certificate changed, writing new one
2028-10-01 00:02:55,946 [INFO]  @managerlib.py:75 - Consumer created: {'consumer_name': 'jsefler-6.usersys.redhat.com', 'uuid': '2166d56d-90f9-4a2d-8bba-94c739081248'}


Moving to VERIFIED
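
The refresh decision that comment 4 (forcing regeneration with a 7304-day threshold) and comment 10 (fast-forwarding the clock to within 90 days of expiry) both exercise, modelled below as an added example. This is not subscription-manager or candlepin code: the function names and the update cycle are assumptions for illustration, the Validity blocks and rhsm.log lines are constructed samples copied from comment 10, and the date parsing relies on the standard library's ssl.cert_time_to_seconds, which reads the "Nov 27 22:41:14 2028 GMT" format that `openssl x509 -text` prints.

```python
"""Model of the identity-certificate refresh this bug adds to rhsmcertd.

Added example, not subscription-manager or candlepin code. It reproduces the
rule described in the comments above: on GET /consumers/{uuid} candlepin hands
back a new consumer (identity) certificate when the current one expires within
candlepin.identityCert.expiry.threshold days, and rhsmcertd writes it to
/etc/pki/consumer/cert.pem when the returned certificate differs. Function
names and the simulated update cycle are assumptions for illustration.
"""
import ssl
from datetime import datetime, timedelta, timezone

# Defaults quoted in comment 10 for candlepin >= 0.7.3.
DEFAULT_THRESHOLD_DAYS = 90      # candlepin.identityCert.expiry.threshold
DEFAULT_VALIDITY_YEARS = 16      # candlepin.identityCert.yr.addendum

# Constructed samples: the Validity blocks exactly as printed by
# `openssl x509 -text -in /etc/pki/consumer/cert.pem` in comment 10,
# before and after the daemon refreshed the certificate.
SAMPLE_VALIDITY = """\
        Validity
            Not Before: Nov 27 22:41:14 2012 GMT
            Not After : Nov 27 22:41:14 2028 GMT
"""
SAMPLE_VALIDITY_AFTER = """\
        Validity
            Not Before: Oct  1 04:03:47 2028 GMT
            Not After : Oct  1 04:03:47 2044 GMT
"""

# Constructed sample rhsm.log lines, copied from comment 10.
SAMPLE_LOG = """\
2028-10-01 00:02:55,776 [DEBUG]  @connection.py:355 - Making request: GET /candlepin/consumers/2166d56d-90f9-4a2d-8bba-94c739081248
2028-10-01 00:02:55,940 [DEBUG]  @connection.py:368 - Response status: 200
2028-10-01 00:02:55,943 [DEBUG]  @certlib.py:180 - identity certificate changed, writing new one
"""


def parse_validity(text):
    """Return (not_before, not_after) as UTC datetimes from `openssl x509 -text` output."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        for key in ("Not Before", "Not After"):
            if line.startswith(key):
                stamp = line.split(":", 1)[1].strip()
                # ssl.cert_time_to_seconds accepts openssl's "%b %d %H:%M:%S %Y GMT",
                # including the padded day in "Oct  1".
                seconds = ssl.cert_time_to_seconds(stamp)
                found[key] = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return found["Not Before"], found["Not After"]


def days_until_expiry(not_after, now):
    """Whole days left on the certificate (negative once it has expired)."""
    return (not_after - now).days


def server_would_regenerate(not_after, now, threshold_days=DEFAULT_THRESHOLD_DAYS):
    """Candlepin's rule as described above: regenerate when the identity cert
    expires within threshold_days of the request time."""
    return not_after - now <= timedelta(days=threshold_days)


def _add_years(when, years):
    try:
        return when.replace(year=when.year + years)
    except ValueError:          # Feb 29 with a non-leap target year
        return when.replace(year=when.year + years, day=28)


def rhsmcertd_update(validity_text, now, threshold_days=DEFAULT_THRESHOLD_DAYS,
                     validity_years=DEFAULT_VALIDITY_YEARS):
    """One rhsmcertd refresh cycle (assumed model).

    Returns (changed, not_before, not_after): the certificate on disk after the
    cycle, and whether it was rewritten, i.e. whether rhsm.log would show
    'identity certificate changed, writing new one'.
    """
    not_before, not_after = parse_validity(validity_text)
    if server_would_regenerate(not_after, now, threshold_days):
        return True, now, _add_years(now, validity_years)
    return False, not_before, not_after


def identity_refresh_times(log_text):
    """Timestamps of identity-cert rewrites in rhsm.log (the line certlib.py logs)."""
    return [line.split(" [", 1)[0] for line in log_text.splitlines()
            if "identity certificate changed" in line]


if __name__ == "__main__":
    registered, _ = parse_validity(SAMPLE_VALIDITY)          # 2012-11-27
    fast_forward, _ = parse_validity(SAMPLE_VALIDITY_AFTER)  # 2028-10-01
    for now, thr in ((registered, 90), (registered, 7304), (fast_forward, 90)):
        changed, nb, na = rhsmcertd_update(SAMPLE_VALIDITY, now, thr)
        print(f"now={now:%Y-%m-%d} threshold={thr:>4}d -> "
              f"{'regenerated' if changed else 'kept'}, valid until {na:%Y-%m-%d}")
    print("log refreshes:", identity_refresh_times(SAMPLE_LOG))
```

Run with the default 90-day threshold, the model keeps the 2012 certificate (5844 days left) and regenerates it once the clock reads 2028-10-01, yielding exactly the Oct 1 2028 to Oct 1 2044 validity shown in comment 10. With the 7304-day threshold from comment 4 it regenerates on the first call, because a 16-year certificate (at most 5844 days) is always inside a roughly 20-year window; that is why comment 4 describes it as regenerating on EVERY getConsumer call. The real client compares the certificate the server returns with the one on disk rather than looking at dates itself; the model collapses that to the server-side threshold decision.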

Comment 11 Bryan Kearney 2012-12-10 21:41:53 UTC
Bug Clean Up, these are in the current release.

