Bug 834558 - Teach rhsmcertd to refresh the identity certificate
Teach rhsmcertd to refresh the identity certificate
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: subscription-manager (Show other bugs)
6.3
Unspecified Unspecified
high Severity unspecified
: rc
: ---
Assigned To: Michael Stead
Entitlement Bugs
: ZStream
Depends On: 827035
Blocks:
  Show dependency treegraph
 
Reported: 2012-06-22 08:12 EDT by RHEL Product and Program Management
Modified: 2013-01-10 06:02 EST (History)
10 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-07-13 00:35:19 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description RHEL Product and Program Management 2012-06-22 08:12:50 EDT
This bug has been copied from bug #827035 and has been proposed
to be backported to 6.3 z-stream (EUS).
Comment 4 Michael Stead 2012-06-22 10:52:16 EDT
Fixed in RHEL6.3.z (axiom):
b25c8ca6e6ea1d6e4c253f8e7992df4eaba553e2
Comment 6 John Sefler 2012-07-03 10:45:16 EDT
Before verifying this bug fix, let's demonstrate the problem...

Using the following subscription-manager/candlepin versions to demonstrate the failure:
[root@rhsm-compat-rhel63 ~]# rpm -q subscription-manager
subscription-manager-0.99.19-1.el6.x86_64

[root@rhsm-compat-rhel63 ~]# curl -k -u admin:admin -stderr /dev/null https://candlepin-old.usersys.redhat.com:8443/candlepin/status | python -msimplejson/tool{
    "release": "1", 
    "result": true, 
    "standalone": false, 
    "timeUTC": "2012-07-03T14:14:29.138+0000", 
    "version": "0.5.26"
}


Step 1: Configure client to a candlepin server (whose version is older than 0.7.3)
[root@rhsm-compat-rhel63 ~]# subscription-manager config --server.hostname candlepin-old.usersys.redhat.com --server.port 8443 --server.prefix /candlepin --server.insecure 1

Step 2: Register client to candlepin server
[root@rhsm-compat-rhel63 ~]# subscription-manager register --username testuser1 --org admin
Password: 
The system has been registered with id: 7b1361cf-36ca-48de-91c8-67a5c7979bad 

Step 3: Check the Validity period on the client's consumer certificate
[root@rhsm-compat-rhel63 ~]# openssl x509 -text -in /etc/pki/consumer/cert.pem | grep -A2 Validity
        Validity
            Not Before: Jul  3 14:20:06 2012 GMT
            Not After : Jul  3 14:20:06 2013 GMT

^^^ Note that the consumer cert is valid for only one year.
Moreover, this consumer cert will not be automatically regenerated by the rhsmcertd process which only updates the entitlement certificates (not consumer certificate) on the certFrequency configured in /etc/rhsm/rhsm.conf.
The only way on this client to update the Validity period is to manually call "subscription-manager identity --regenerate".  However the Validity period will still be a year starting from now.
Comment 7 John Sefler 2012-07-03 15:27:41 EDT
To verify this bug, we need an update to subscription-manager (AND candlepin >= 0.7.3)

Using the following updated subscription-manager/candlepin versions to verify this bug fix:
[root@rhsm-compat-rhel63 ~]# rpm -q subscription-manager
subscription-manager-0.99.19.4-1.el6_3.x86_64

[root@rhsm-compat-rhel63 ~]# curl -k -u admin:admin -stderr /dev/null https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/status | python -msimplejson/tool
{
    "release": "1", 
    "result": true, 
    "standalone": true, 
    "timeUTC": "2012-07-03T18:16:21.448+0000", 
    "version": "0.7.3"
}

Step 1: Configure client to a candlepin server (whose version is 0.7.3 or newer)
[root@rhsm-compat-rhel63 ~]# subscription-manager config --server.hostname jsefler-f14-candlepin.usersys.redhat.com --server.port 8443 --server.prefix /candlepin --server.insecure 1

Step 2: Register client to candlepin server
[root@rhsm-compat-rhel63 ~]# subscription-manager register --username testuser1 --org admin
Password: 
The system has been registered with id: 1f0b5f8d-8f72-4ccb-bfc5-5597d82ab603 

Step 3: Check the Validity period on the client's consumer certificate
[root@rhsm-compat-rhel63 ~]# openssl x509 -text -in /etc/pki/consumer/cert.pem |grep -A2 Validity
        Validity
            Not Before: Jul  3 18:19:25 2012 GMT
            Not After : Jul  3 18:19:25 2028 GMT
                                        ^^^^
VERIFIED: A newly created consumer cert is now valid for 16 years!

Step 4:
Now we need to verify that a consumer cert can be automatically updated.  To achieve this, a new candlepin configuration (candlepin.identityCert.expiry.threshold) was added to the candlepin server with a default value of 90 days.  Therefore if we forcibly advance the date on the candlepin server and the client to within 90 days before Jul 3 2028, then we can restart the rhsmcertd service on the client (which will trigger the client to get updated entitlement certs as well as a new consumer cert!)  Let's do it...

[root@jsefler-f14-candlepin proxy]# date 050100002028
Mon May  1 00:00:00 EDT 2028

[root@rhsm-compat-rhel63 ~]# date 050100002028
Mon May  1 00:00:00 EDT 2028

[root@rhsm-compat-rhel63 ~]# service rhsmcertd restart
Stopping rhsmcertd                                         [FAILED]
Starting rhsmcertd 240 1440                                [  OK  ]

[root@rhsm-compat-rhel63 ~]# openssl x509 -text -in /etc/pki/consumer/cert.pem |grep -A2 Validity
        Validity
            Not Before: May  1 04:02:37 2028 GMT
            Not After : May  1 04:02:37 2044 GMT
                                        ^^^^
VERIFIED: When the rhsmcertd service checked in with the server within 90 days of the consumer cert's expiration, an updated consumer cert was generated by the candlepin server, installed on the client, and is now valid for the next 16 years.

Here is some addition logging from the rhsm.log showing the automatically updated/written consumer...
2028-05-01 00:02:23,722 [DEBUG]  @connection.py:327 - Making request: GET /candlepin/consumers/1f0b5f8d-8f72-4ccb-bfc5-5597d82ab603
2028-05-01 00:02:23,816 [DEBUG]  @connection.py:340 - Response status: 200
2028-05-01 00:02:23,817 [DEBUG]  @certlib.py:172 - identity certificate changed, writing new one
2028-05-01 00:02:23,819 [INFO]  @managerlib.py:74 - Consumer created: {'consumer_name': 'rhsm-compat-rhel63.usersys.redhat.com', 'uuid': '1f0b5f8d-8f72-4ccb-bfc5-5597d82ab603'}


Moving to VERIFIED
Comment 9 errata-xmlrpc 2012-07-13 00:35:19 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-1073.html

Note You need to log in before you can comment on or make changes to this bug.