Red Hat Bugzilla – Bug 855904
Document how to update nss-db-gen generated certificates
Last modified: 2016-02-18 00:40:13 EST
The certs generated when nss-db-gen is run, both the qpid CA and qpid client cert are hardcoded to expire after one year. You can no longer sync CDS's after the certs expire as the CDS's will fail connecting to qpid running on the RHUA.
nss-db-gen uses the certutil command which has the option "-v" to specify the number of months the cert will be valid.
The nss-db-gen script has a variable "VALID" which currently defaults to "12", 12 months. So it seems we can easily fix this, or maybe even doc the issue.
The option defaults to three months, so certs will expire 12 + 3 months after they are created.
Set the number of months a new certificate will be valid. The validity period begins at the current system time unless an offset is added or subtracted with the -w option. If this argument is not used, the default validity period is three months. When this argument is used, the default three-month period is automatically added to any value given in the valid-month argument. For example, using this option to set a value of 3 would cause 3 to be added to the three-month default, creating a validity period of six months. You can use negative values to reduce the default period. For example, setting a value of -2 would subtract 2 from the default and create a validity period of one month.
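As an added example (not code from the bug report or from nss-db-gen), a small Python check that applies the -v arithmetic described above and parses the "Not After" line of `certutil -L` output, so an expiring qpid certificate can be flagged before CDS syncs start failing; the sample certutil output and its date format are constructed assumptions.

```python
import re
from datetime import datetime

# certutil -v: the three-month default is always added to the value given.
CERTUTIL_DEFAULT_MONTHS = 3


def effective_validity_months(valid_months):
    """Validity certutil actually applies for '-v valid_months' (e.g. 12 -> 15)."""
    return valid_months + CERTUTIL_DEFAULT_MONTHS


# Constructed sample of 'certutil -L -n <nick> -d <dbdir>' output (assumed
# layout); only the Validity block is used below.
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Validity:
            Not Before: Tue Sep 11 14:05:19 2012
            Not After : Wed Dec 11 14:05:19 2013
"""

NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_not_after(certutil_output):
    """Extract the expiry timestamp from certutil -L text (assumed strftime form)."""
    match = NOT_AFTER_RE.search(certutil_output)
    if not match:
        raise ValueError("no 'Not After' line in certutil output")
    return datetime.strptime(match.group(1), "%a %b %d %H:%M:%S %Y")


def days_until_expiry(certutil_output, now_iso):
    """Whole days left before expiry, measured from an ISO-8601 reference time."""
    now = datetime.fromisoformat(now_iso)
    return (parse_not_after(certutil_output) - now).days


def needs_renewal(certutil_output, now_iso, warn_days=30):
    """True when the cert expires within warn_days: time to re-run nss-db-gen."""
    return days_until_expiry(certutil_output, now_iso) <= warn_days


if __name__ == "__main__":
    print("months certutil applies for -v 12:", effective_validity_months(12))
    print("days left:", days_until_expiry(SAMPLE_CERTUTIL_OUTPUT, "2013-11-20T00:00:00"))
    print("renew now?", needs_renewal(SAMPLE_CERTUTIL_OUTPUT, "2013-11-20T00:00:00"))
```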
What we need to do for this bug is provide the kbase article as input to our docs team to include in the documentation.
Technical material will be forthcoming.
Both those kbase articles show pretty much the same thing, but let's use this one:
I would think this would need to be in a new section in the Admin guide.
Just running nss-db-gen does not install the generated certificates on the RHUA and CDS systems, so in procedure 7.2, we also need to add the steps to run rhui-installer and then install the generated rpm's.
In the KBase article it's the steps that say:
* Use rhui-installer and config rpms to update and distribute the new qpid certificates across the RHUI environment.
* Execute rhui-installer using the updated answers file. Again the only thing we updated in the answers file was the version. This will re-copy the updated qpid certificates to the RHUA and CDS's in the environment
* Distribute the updated config rpm's to the CDS's and install on the RHUA and CDS servers
Added additional instructions and re-spinning the book.
Verified and closing bug as this has been released.