Bug 855904 - Document how to update nss-db-gen generated certificates
Product: Red Hat Update Infrastructure for Cloud Providers
Classification: Red Hat
Component: Documentation
Priority: high
Severity: unspecified
: 2.1.1
Assigned To: Julie
Dan Macpherson
Reported: 2012-09-10 11:02 EDT by James Slagle
Modified: 2016-02-18 00:40 EST
Doc Type: Bug Fix
Last Closed: 2013-03-04 00:09:12 EST
Type: Bug
Description James Slagle 2012-09-10 11:02:23 EDT
The certs generated when nss-db-gen is run, both the qpid CA and qpid client cert, are hardcoded to expire after one year. You can no longer sync CDS's after the certs expire, as the CDS's will fail connecting to qpid running on the RHUA.
Comment 1 wes hayutin 2012-09-10 11:39:55 EDT
nss-db-gen uses the certutil command, which has the option "-v" to specify the number of months the cert will be valid.
The nss-db-gen script has a variable "VALID" which currently defaults to "12", 12 months. So it seems we can easily fix this, or maybe even doc the issue.

The option defaults to three months, so certs will expire 12 + 3 months after they are created.


-v valid-months

Set the number of months a new certificate will be valid. The validity period begins at the current system time unless an offset is added or subtracted with the -w option. If this argument is not used, the default validity period is three months. When this argument is used, the default three-month period is automatically added to any value given in the valid-month argument. For example, using this option to set a value of 3 would cause 3 to be added to the three-month default, creating a validity period of six months. You can use negative values to reduce the default period. For example, setting a value of -2 would subtract 2 from the default and create a validity period of one month.
Comment 2 James Slagle 2012-11-09 14:54:57 EST
What we need to do for this bug is provide the kbase article as input to our docs team to include in the documentation.
Comment 3 James Slagle 2012-11-09 14:55:42 EST
Technical material will be forthcoming.
Comment 5 James Slagle 2013-02-13 08:11:21 EST
Both those kbase articles show pretty much the same thing, but let's use this one:

I would think this would need to be in a new section in the Admin guide.
Comment 7 James Slagle 2013-02-20 07:52:25 EST
Just running nss-db-gen does not install the generated certificates on the RHUA and CDS systems, so in procedure 7.2, we also need to add the steps to run rhui-installer and then install the generated rpm's.

In the KBase article it's the steps that say:
* Use rhui-installer and config rpms to update and distribute the new qpid certificates across the RHUI environment. 

* Execute rhui-installer using the updated answers file. Again the only thing we updated in the answers file was the version. This will re-copy the updated qpid certificates to the RHUA and CDS's in the environment

* Distribute the updated config rpm's to the CDS's and install on the RHUA and CDS servers
Comment 8 Dan Macpherson 2013-02-21 10:57:59 EST
Added additional instructions and re-spinning the book.
Comment 10 Dan Macpherson 2013-03-04 00:09:12 EST
Verified and closing bug as this has been released.
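
Added example, not part of the bug report or of RHUI's own tooling: a small check that reads the "Not After" date from `certutil -L -n <nickname>` output and warns before the qpid certificates expire, so the CDS sync failure described above is caught ahead of time. The database path and nickname are placeholders, the sample output is constructed, and the date format (UTC) is an assumption about certutil's pretty-print output.

```python
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Assumed layout of the validity line printed by `certutil -L -n <nickname>`.
NOT_AFTER = re.compile(r"Not After\s*:\s*(.+)")
TIME_FORMAT = "%a %b %d %H:%M:%S %Y"  # e.g. "Tue Sep 10 15:02:23 2013", assumed UTC

# Constructed sample, trimmed to the lines this check depends on.
SAMPLE_OUTPUT = """\
Certificate:
    Data:
        Validity:
            Not Before: Mon Sep 10 15:02:23 2012
            Not After : Tue Sep 10 15:02:23 2013
"""

def parse_not_after(certutil_text):
    """Return the certificate's expiry time as a naive UTC datetime."""
    match = NOT_AFTER.search(certutil_text)
    if match is None:
        raise ValueError("no 'Not After' line in certutil output")
    return datetime.strptime(match.group(1).strip(), TIME_FORMAT)

def check_expiry(certutil_text, now, warn_days=30):
    """Classify a certificate as OK, WARN or EXPIRED relative to `now` (UTC)."""
    remaining = parse_not_after(certutil_text) - now
    if remaining <= timedelta(0):
        return "EXPIRED", remaining.days
    if remaining <= timedelta(days=warn_days):
        return "WARN", remaining.days
    return "OK", remaining.days

def read_cert(db_dir, nickname):
    """Pretty-print one certificate from an NSS database using certutil."""
    cmd = ["certutil", "-L", "-d", db_dir, "-n", nickname]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

if __name__ == "__main__":
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    # On a real system, replace SAMPLE_OUTPUT with
    # read_cert("<nss-db-dir>", "<nickname>")  (both placeholders).
    status, days = check_expiry(SAMPLE_OUTPUT, now)
    print(f"{status}: {days} day(s) until expiry")
```

Run from cron or a monitoring agent against each certificate in the NSS database, this gives notice to regenerate and redistribute the certificates before the one-year expiry.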
