Bug 838091 - Teach rhsmcertd to refresh the identity certificate
Teach rhsmcertd to refresh the identity certificate
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: subscription-manager (Show other bugs)
5.9
Unspecified Unspecified
high Severity unspecified
: rc
: ---
Assigned To: Jesus M. Rodriguez
Entitlement Bugs
: ZStream
Depends On: 827034
Blocks:
  Show dependency treegraph
 
Reported: 2012-07-06 09:28 EDT by RHEL Product and Program Management
Modified: 2013-01-10 06:03 EST (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-07-13 00:35:11 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description RHEL Product and Program Management 2012-07-06 09:28:41 EDT
This bug has been copied from bug #827034 and has been proposed
to be backported to 5.8 z-stream (EUS).
Comment 5 John Sefler 2012-07-09 13:19:02 EDT
Before verifying this bug fix, let's demonstrate the problem...

The following subscription-manager/candlepin versions will be used to demonstrate the problems:
[root@rhsm-compat-rhel58 ~]# rpm -q subscription-manager
subscription-manager-0.98.16-1.el5_8
[root@rhsm-compat-rhel58 ~]# curl -k -u admin:**** -stderr /dev/null https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/status | python -msimplejson/tool
{
    "release": "1", 
    "result": true, 
    "standalone": true, 
    "timeUTC": "2012-07-09T16:48:35.511+0000", 
    "version": "0.5.26"
}


Step 1: Configure client to a candlepin server (whose version is older than 0.7.3)
[root@rhsm-compat-rhel58 ~]# subscription-manager config --server.hostname jsefler-f14-candlepin.usersys.redhat.com --server.port 8443 --server.prefix /candlepin --server.insecure 1

Step 2: Register client to candlepin server
[root@rhsm-compat-rhel58 ~]# subscription-manager register --username testuser1 --password **** --org admin
The system has been registered with id: 0ff42f32-2b6d-4687-8158-77896c07f867 

Step 3: Check the Validity period on the client's consumer certificate
[root@rhsm-compat-rhel58 ~]# openssl x509 -text -in /etc/pki/consumer/cert.pem | grep -A2 Validity
        Validity
            Not Before: Jul  9 16:50:45 2012 GMT
            Not After : Jul  9 16:50:45 2013 GMT
^^^ PROBLEM 1: THIS CONSUMER CERT IS VALID FOR ONE YEAR ONLY

Step 4: Simulate the future by advancing both the system and candlepin server's date to within 90 days of the consumer cert expiration.  Then simulate a certificate frequency update by restarting the rhsmcertd service.
[root@rhsm-compat-rhel58 ~]# date 070100002013
Mon Jul  1 00:00:00 EDT 2013
[root@jsefler-f14-candlepin ~]# date 070100002013
Mon Jul  1 00:00:00 EDT 2013
[root@rhsm-compat-rhel58 ~]# service rhsmcertd restart
Stopping rhsmcertd                                         [  OK  ]
Starting rhsmcertd 240 1440                                [  OK  ]
[root@rhsm-compat-rhel58 ~]# subscription-manager identity
Current identity is: 0ff42f32-2b6d-4687-8158-77896c07f867
name: rhsm-compat-rhel58.usersys.redhat.com
org name: Admin Owner
org id: 8a90f875386c97cd01386c97f3f20007
[root@rhsm-compat-rhel58 ~]# openssl x509 -text -in /etc/pki/consumer/cert.pem | grep -A2 Validity
        Validity
            Not Before: Jul  9 16:50:45 2012 GMT
            Not After : Jul  9 16:50:45 2013 GMT
^^^ PROBLEM 2: ALTHOUGH COMMUNICATION FROM THE SYSTEM TO THE CANDLEPIN SERVER IS STILL SUCCESSFUL, THIS SYSTEM IS NOW WITHIN 90 DAYS OF AN EXPIRED CONSUMER CERT AND THE CONSUMER CERT WAS NOT REGENERATED AUTOMATICALLY.

Step 5: Simulate the future by advancing both the system and candlepin server's beyond consumer cert expiration.  Then attempt to communicate from the subscription-manager system to the candlepin server.
[root@rhsm-compat-rhel58 ~]# date 080100002013
Thu Aug  1 00:00:00 EDT 2013
[root@jsefler-f14-candlepin ~]# date 080100002013
Thu Aug  1 00:00:00 EDT 2013
[root@rhsm-compat-rhel58 ~]# subscription-manager identity
sslv3 alert certificate unknown
^^^ PROBLEM 3: THIS SYSTEM IS NOW BEYOND THE EXPIRATION DATE OF THE CONSUMER CERT AND COMMUNICATION TO THE CANDLEPIN SERVER FAILS WITH A "sslv3 alert certificate unknown". THE USER DOES NOT KNOW WHAT TO DO.

Manual Solution:  Without this bug fix in place, the easiest way to fix this situation is to manually regenerate the consumer certificate using the consumer's authentication credentials...
[root@rhsm-compat-rhel58 ~]# subscription-manager identity --regenerate --username=testuser1 --password=**** --force
Identity certificate has been regenerated.
[root@rhsm-compat-rhel58 ~]# subscription-manager identity
Current identity is: 0ff42f32-2b6d-4687-8158-77896c07f867
name: rhsm-compat-rhel58.usersys.redhat.com
org name: Admin Owner
org id: 8a90f875386c97cd01386c97f3f20007
[root@rhsm-compat-rhel58 ~]# openssl x509 -text -in /etc/pki/consumer/cert.pem | grep -A2 Validity
        Validity
            Not Before: Aug  1 04:06:03 2013 GMT
            Not After : Aug  1 04:06:03 2014 GMT
^^^ THIS MANUAL SOLUTION SUCCESSFULLY RE-ESTABLISHED COMMUNICATION TO THE CANDLEPIN SERVER BY INSTALLING A NEW CONSUMER CERT VALID FOR A NEW YEAR STARTING FROM NOW.
Comment 7 John Sefler 2012-07-11 17:57:31 EDT
To verify this bug, we need the bug fix applied to the subscription-manager system (AND candlepin >= 0.7.3).

Using the following updated subscription-manager/candlepin versions to verify this bug fix:
[root@rhsm-compat-rhel58 ~]# rpm -q subscription-manager
subscription-manager-0.98.16.3-1.el5_8
[root@rhsm-compat-rhel58 ~]# curl -k -u admin:**** -stderr /dev/null https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/status | python -msimplejson/tool
{
    "release": "1", 
    "result": true, 
    "standalone": true, 
    "timeUTC": "2012-07-11T21:25:13.841+0000", 
    "version": "0.7.3"
}


Step 1: Configure client to a candlepin server (whose version is 0.7.3 or newer)
[root@rhsm-compat-rhel58 ~]# subscription-manager config --server.hostname jsefler-f14-candlepin.usersys.redhat.com --server.port 8443 --server.prefix /candlepin --server.insecure 1

Step 2: Register client to candlepin server
[root@rhsm-compat-rhel58 ~]# subscription-manager register --username testuser1 --password **** --org admin
The system has been registered with id: a1e34202-10de-41d9-b81c-17f36eea98c0

Step 3: Check the Validity period on the client's consumer certificate
[root@rhsm-compat-rhel58 ~]# openssl x509 -text -in /etc/pki/consumer/cert.pem | grep -A2 Validity
        Validity
            Not Before: Jul 11 21:29:43 2012 GMT
            Not After : Jul 11 21:29:43 2028 GMT
^^^ VERIFIED PROBLEM 1 IS SOLVED: A NEWLY GENERATED CONSUMER CERT IS NOW VALID FOR 16 YEARS

Step 4: Simulate the future by advancing both the system and candlepin server's date to within 90 days of the consumer cert expiration.  Then simulate a certificate frequency update by restarting the rhsmcertd service.
[root@rhsm-compat-rhel58 ~]# date 070100002028
Sat Jul  1 00:00:00 EDT 2028
[root@jsefler-f14-candlepin ~]# date 070100002028
Sat Jul  1 00:00:00 EDT 2028
[root@rhsm-compat-rhel58 ~]# service rhsmcertd restart
Stopping rhsmcertd                                         [  OK  ]
Starting rhsmcertd 240 1440                                [  OK  ]
[root@rhsm-compat-rhel58 ~]# openssl x509 -text -in /etc/pki/consumer/cert.pem | grep -A2 Validity
        Validity
            Not Before: Jul  1 04:01:12 2028 GMT
            Not After : Jul  1 04:01:12 2044 GMT
^^^ VERIFIED PROBLEM 2: When the rhsmcertd service checked in with the server within 90 days of the consumer cert's expiration, an updated consumer cert was generated by the candlepin server, installed on the client, and is now valid for the next 16 years. Here is some addition logging from the rhsm.log showing the automatically updated/written consumer...
2028-07-01 00:01:19,466 [DEBUG]  @certlib.py:172 - identity certificate changed, writing new one
2028-07-01 00:01:19,468 [INFO]  @managerlib.py:72 - Consumer created: {'consumer_name': 'rhsm-compat-rhel58.usersys.redhat.com', 'uuid': 'a1e34202-10de-41d9-b81c-17f36eea98c0'}

Note that PROBLEM 3 will no longer happen in real-time because the rhsmcertd certFrequency is checking in with the server every 240 min (default) which will occur within 90 days of the consumer cert's expiration.  The only trouble will be if the client is shutdown for the 90 day period before the consumer cert expires.  In this case, see comment 5 for the Manual Solution to regenerate the identity cert. 

Moving to VERIFIED
Comment 9 errata-xmlrpc 2012-07-13 00:35:11 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-1074.html

Note You need to log in before you can comment on or make changes to this bug.