834558 – Teach rhsmcertd to refresh the identity certificate

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 834558 - Teach rhsmcertd to refresh the identity certificate

Summary: Teach rhsmcertd to refresh the identity certificate

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	subscription-manager
Sub Component:
Version:	6.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Michael Stead
QA Contact:	Entitlement Bugs
Docs Contact:
URL:
Whiteboard:
Depends On:	827035
Blocks:
TreeView+	depends on / blocked

Reported:	2012-06-22 12:12 UTC by RHEL Program Management
Modified:	2013-01-10 11:02 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-07-13 04:35:19 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2012:1073	0	normal	SHIPPED_LIVE	subscription-manager bug fix update	2012-07-13 08:33:43 UTC

Description RHEL Program Management 2012-06-22 12:12:50 UTC

This bug has been copied from bug #827035 and has been proposed
to be backported to 6.3 z-stream (EUS).

Comment 4 Michael Stead 2012-06-22 14:52:16 UTC

Fixed in RHEL6.3.z (axiom):
b25c8ca6e6ea1d6e4c253f8e7992df4eaba553e2

Comment 6 John Sefler 2012-07-03 14:45:16 UTC

Before verifying this bug fix, let's demonstrate the problem...

Using the following subscription-manager/candlepin versions to demonstrate the failure:
[root@rhsm-compat-rhel63 ~]# rpm -q subscription-manager
subscription-manager-0.99.19-1.el6.x86_64

[root@rhsm-compat-rhel63 ~]# curl -k -u admin:admin -stderr /dev/null https://candlepin-old.usersys.redhat.com:8443/candlepin/status | python -msimplejson/tool{
    "release": "1", 
    "result": true, 
    "standalone": false, 
    "timeUTC": "2012-07-03T14:14:29.138+0000", 
    "version": "0.5.26"
}


Step 1: Configure client to a candlepin server (whose version is older than 0.7.3)
[root@rhsm-compat-rhel63 ~]# subscription-manager config --server.hostname candlepin-old.usersys.redhat.com --server.port 8443 --server.prefix /candlepin --server.insecure 1

Step 2: Register client to candlepin server
[root@rhsm-compat-rhel63 ~]# subscription-manager register --username testuser1 --org admin
Password: 
The system has been registered with id: 7b1361cf-36ca-48de-91c8-67a5c7979bad 

Step 3: Check the Validity period on the client's consumer certificate
[root@rhsm-compat-rhel63 ~]# openssl x509 -text -in /etc/pki/consumer/cert.pem | grep -A2 Validity
        Validity
            Not Before: Jul  3 14:20:06 2012 GMT
            Not After : Jul  3 14:20:06 2013 GMT

^^^ Note that the consumer cert is valid for only one year.
Moreover, this consumer cert will not be automatically regenerated by the rhsmcertd process which only updates the entitlement certificates (not consumer certificate) on the certFrequency configured in /etc/rhsm/rhsm.conf.
The only way on this client to update the Validity period is to manually call "subscription-manager identity --regenerate".  However the Validity period will still be a year starting from now.

Comment 7 John Sefler 2012-07-03 19:27:41 UTC

To verify this bug, we need an update to subscription-manager (AND candlepin >= 0.7.3)

Using the following updated subscription-manager/candlepin versions to verify this bug fix:
[root@rhsm-compat-rhel63 ~]# rpm -q subscription-manager
subscription-manager-0.99.19.4-1.el6_3.x86_64

[root@rhsm-compat-rhel63 ~]# curl -k -u admin:admin -stderr /dev/null https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/status | python -msimplejson/tool
{
    "release": "1", 
    "result": true, 
    "standalone": true, 
    "timeUTC": "2012-07-03T18:16:21.448+0000", 
    "version": "0.7.3"
}

Step 1: Configure client to a candlepin server (whose version is 0.7.3 or newer)
[root@rhsm-compat-rhel63 ~]# subscription-manager config --server.hostname jsefler-f14-candlepin.usersys.redhat.com --server.port 8443 --server.prefix /candlepin --server.insecure 1

Step 2: Register client to candlepin server
[root@rhsm-compat-rhel63 ~]# subscription-manager register --username testuser1 --org admin
Password: 
The system has been registered with id: 1f0b5f8d-8f72-4ccb-bfc5-5597d82ab603 

Step 3: Check the Validity period on the client's consumer certificate
[root@rhsm-compat-rhel63 ~]# openssl x509 -text -in /etc/pki/consumer/cert.pem |grep -A2 Validity
        Validity
            Not Before: Jul  3 18:19:25 2012 GMT
            Not After : Jul  3 18:19:25 2028 GMT
                                        ^^^^
VERIFIED: A newly created consumer cert is now valid for 16 years!

Step 4:
Now we need to verify that a consumer cert can be automatically updated.  To achieve this, a new candlepin configuration (candlepin.identityCert.expiry.threshold) was added to the candlepin server with a default value of 90 days.  Therefore if we forcibly advance the date on the candlepin server and the client to within 90 days before Jul 3 2028, then we can restart the rhsmcertd service on the client (which will trigger the client to get updated entitlement certs as well as a new consumer cert!)  Let's do it...

[root@jsefler-f14-candlepin proxy]# date 050100002028
Mon May  1 00:00:00 EDT 2028

[root@rhsm-compat-rhel63 ~]# date 050100002028
Mon May  1 00:00:00 EDT 2028

[root@rhsm-compat-rhel63 ~]# service rhsmcertd restart
Stopping rhsmcertd                                         [FAILED]
Starting rhsmcertd 240 1440                                [  OK  ]

[root@rhsm-compat-rhel63 ~]# openssl x509 -text -in /etc/pki/consumer/cert.pem |grep -A2 Validity
        Validity
            Not Before: May  1 04:02:37 2028 GMT
            Not After : May  1 04:02:37 2044 GMT
                                        ^^^^
VERIFIED: When the rhsmcertd service checked in with the server within 90 days of the consumer cert's expiration, an updated consumer cert was generated by the candlepin server, installed on the client, and is now valid for the next 16 years.

Here is some addition logging from the rhsm.log showing the automatically updated/written consumer...
2028-05-01 00:02:23,722 [DEBUG]  @connection.py:327 - Making request: GET /candlepin/consumers/1f0b5f8d-8f72-4ccb-bfc5-5597d82ab603
2028-05-01 00:02:23,816 [DEBUG]  @connection.py:340 - Response status: 200
2028-05-01 00:02:23,817 [DEBUG]  @certlib.py:172 - identity certificate changed, writing new one
2028-05-01 00:02:23,819 [INFO]  @managerlib.py:74 - Consumer created: {'consumer_name': 'rhsm-compat-rhel63.usersys.redhat.com', 'uuid': '1f0b5f8d-8f72-4ccb-bfc5-5597d82ab603'}


Moving to VERIFIED

Comment 9 errata-xmlrpc 2012-07-13 04:35:19 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-1073.html

Note You need to log in before you can comment on or make changes to this bug.