Bug 834558 - Teach rhsmcertd to refresh the identity certificate
Summary: Teach rhsmcertd to refresh the identity certificate
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: subscription-manager
Version: 6.3
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
: ---
Assignee: Michael Stead
QA Contact: Entitlement Bugs
URL:
Whiteboard:
Depends On: 827035
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-06-22 12:12 UTC by RHEL Program Management
Modified: 2013-01-10 11:02 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-07-13 04:35:19 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:1073 0 normal SHIPPED_LIVE subscription-manager bug fix update 2012-07-13 08:33:43 UTC

Description RHEL Program Management 2012-06-22 12:12:50 UTC
This bug has been copied from bug #827035 and has been proposed
to be backported to 6.3 z-stream (EUS).

Comment 4 Michael Stead 2012-06-22 14:52:16 UTC
Fixed in RHEL6.3.z (axiom):
b25c8ca6e6ea1d6e4c253f8e7992df4eaba553e2

Comment 6 John Sefler 2012-07-03 14:45:16 UTC
Before verifying this bug fix, let's demonstrate the problem...

Using the following subscription-manager/candlepin versions to demonstrate the failure:
[root@rhsm-compat-rhel63 ~]# rpm -q subscription-manager
subscription-manager-0.99.19-1.el6.x86_64

[root@rhsm-compat-rhel63 ~]# curl -k -u admin:admin -stderr /dev/null https://candlepin-old.usersys.redhat.com:8443/candlepin/status | python -msimplejson/tool{
    "release": "1", 
    "result": true, 
    "standalone": false, 
    "timeUTC": "2012-07-03T14:14:29.138+0000", 
    "version": "0.5.26"
}


Step 1: Configure client to a candlepin server (whose version is older than 0.7.3)
[root@rhsm-compat-rhel63 ~]# subscription-manager config --server.hostname candlepin-old.usersys.redhat.com --server.port 8443 --server.prefix /candlepin --server.insecure 1

Step 2: Register client to candlepin server
[root@rhsm-compat-rhel63 ~]# subscription-manager register --username testuser1 --org admin
Password: 
The system has been registered with id: 7b1361cf-36ca-48de-91c8-67a5c7979bad 

Step 3: Check the Validity period on the client's consumer certificate
[root@rhsm-compat-rhel63 ~]# openssl x509 -text -in /etc/pki/consumer/cert.pem | grep -A2 Validity
        Validity
            Not Before: Jul  3 14:20:06 2012 GMT
            Not After : Jul  3 14:20:06 2013 GMT

^^^ Note that the consumer cert is valid for only one year.
Moreover, this consumer cert will not be automatically regenerated by the rhsmcertd process which only updates the entitlement certificates (not consumer certificate) on the certFrequency configured in /etc/rhsm/rhsm.conf.
The only way on this client to update the Validity period is to manually call "subscription-manager identity --regenerate".  However the Validity period will still be a year starting from now.

Comment 7 John Sefler 2012-07-03 19:27:41 UTC
To verify this bug, we need an update to subscription-manager (AND candlepin >= 0.7.3)

Using the following updated subscription-manager/candlepin versions to verify this bug fix:
[root@rhsm-compat-rhel63 ~]# rpm -q subscription-manager
subscription-manager-0.99.19.4-1.el6_3.x86_64

[root@rhsm-compat-rhel63 ~]# curl -k -u admin:admin -stderr /dev/null https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/status | python -msimplejson/tool
{
    "release": "1", 
    "result": true, 
    "standalone": true, 
    "timeUTC": "2012-07-03T18:16:21.448+0000", 
    "version": "0.7.3"
}

Step 1: Configure client to a candlepin server (whose version is 0.7.3 or newer)
[root@rhsm-compat-rhel63 ~]# subscription-manager config --server.hostname jsefler-f14-candlepin.usersys.redhat.com --server.port 8443 --server.prefix /candlepin --server.insecure 1

Step 2: Register client to candlepin server
[root@rhsm-compat-rhel63 ~]# subscription-manager register --username testuser1 --org admin
Password: 
The system has been registered with id: 1f0b5f8d-8f72-4ccb-bfc5-5597d82ab603 

Step 3: Check the Validity period on the client's consumer certificate
[root@rhsm-compat-rhel63 ~]# openssl x509 -text -in /etc/pki/consumer/cert.pem |grep -A2 Validity
        Validity
            Not Before: Jul  3 18:19:25 2012 GMT
            Not After : Jul  3 18:19:25 2028 GMT
                                        ^^^^
VERIFIED: A newly created consumer cert is now valid for 16 years!

Step 4:
Now we need to verify that a consumer cert can be automatically updated.  To achieve this, a new candlepin configuration (candlepin.identityCert.expiry.threshold) was added to the candlepin server with a default value of 90 days.  Therefore if we forcibly advance the date on the candlepin server and the client to within 90 days before Jul 3 2028, then we can restart the rhsmcertd service on the client (which will trigger the client to get updated entitlement certs as well as a new consumer cert!)  Let's do it...

[root@jsefler-f14-candlepin proxy]# date 050100002028
Mon May  1 00:00:00 EDT 2028

[root@rhsm-compat-rhel63 ~]# date 050100002028
Mon May  1 00:00:00 EDT 2028

[root@rhsm-compat-rhel63 ~]# service rhsmcertd restart
Stopping rhsmcertd                                         [FAILED]
Starting rhsmcertd 240 1440                                [  OK  ]

[root@rhsm-compat-rhel63 ~]# openssl x509 -text -in /etc/pki/consumer/cert.pem |grep -A2 Validity
        Validity
            Not Before: May  1 04:02:37 2028 GMT
            Not After : May  1 04:02:37 2044 GMT
                                        ^^^^
VERIFIED: When the rhsmcertd service checked in with the server within 90 days of the consumer cert's expiration, an updated consumer cert was generated by the candlepin server, installed on the client, and is now valid for the next 16 years.

Here is some addition logging from the rhsm.log showing the automatically updated/written consumer...
2028-05-01 00:02:23,722 [DEBUG]  @connection.py:327 - Making request: GET /candlepin/consumers/1f0b5f8d-8f72-4ccb-bfc5-5597d82ab603
2028-05-01 00:02:23,816 [DEBUG]  @connection.py:340 - Response status: 200
2028-05-01 00:02:23,817 [DEBUG]  @certlib.py:172 - identity certificate changed, writing new one
2028-05-01 00:02:23,819 [INFO]  @managerlib.py:74 - Consumer created: {'consumer_name': 'rhsm-compat-rhel63.usersys.redhat.com', 'uuid': '1f0b5f8d-8f72-4ccb-bfc5-5597d82ab603'}


Moving to VERIFIED

Comment 9 errata-xmlrpc 2012-07-13 04:35:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-1073.html


Note You need to log in before you can comment on or make changes to this bug.