Bug 1040018
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Automatic CA subsystem certificate renewal is broken on CA clones | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | Dmitri Pal <dpal> |
| Component | ipa | Assignee | Martin Kosek <mkosek> |
| Status | CLOSED CURRENTRELEASE | QA Contact | Namita Soman <nsoman> |
| Severity | unspecified | Docs Contact | |
| Priority | medium | | |
| Version | 7.0 | CC | mkosek, rcritten, spoore |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | ipa-3.3.3-10.el7 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | 1040009 | Environment | |
| Last Closed | 2014-06-13 10:48:12 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1040009, 1049532 | | |
| Bug Blocks | | | |
Description
Dmitri Pal
2013-12-10 14:08:56 UTC
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/1357eade4c5086e6c837a49f3008616317f88e5f
ipa-3-3: https://fedorahosted.org/freeipa/changeset/854dbb8ff9e898b289c9464567f141421880a050

It was found out that the PKI service did not start properly after the renewal; this is being solved upstream: https://fedorahosted.org/freeipa/ticket/4092

Ticket 4092 was fixed upstream:
master: 911f5e9eb76099f8e5cfcff1232c1b10ad05b45a
ipa-3-3: edccf59d8018349bc3596e017a660dcb83034932

Linking to related SELinux issue preventing renewal with enforced SELinux - Bug 1049532.

Martin,

Does this have to be verified on an IPA Replica with CA installed or can it be verified on an IPA "Master" (single server environment)? Is it enough to do a getcert resubmit and confirm the expiration or do we need to go all the way to change the date and watch the auto-renewal system resubmit?

Thanks,
Scott

Scott, needs another master to fully test this, along with switching dates, etc. Only one master does the actual renewal. It stuffs the result into LDAP which the other masters get the updated certificates from. It is this process that was going sideways. ASCII garbage was being included when we fetched the certificate from LDAP and provided it to certmonger.

When you say another master, you mean another IPA server created with --setup-ca for the same domain?

Correct. The renewal is done differently on the master initiating the renewal and the other masters and this bug presented on the other masters.

Verified.

Version :: ipa-server-3.3.3-17.el7.x86_64

Results ::

resubmit test:

```
[root@master ~]# getcert list -d '/etc/pki/pki-tomcat/alias' -n 'auditSigningCert cert-pki-ca'
Number of certificates and requests being tracked: 7.
Request ID '20140211000124':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='906281234271'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=IPA1.EXAMPLE.TEST
    subject: CN=CA Audit,O=IPA1.EXAMPLE.TEST
    expires: 2016-02-01 00:00:45 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes

[root@replica1 ~]# getcert list -d '/etc/pki/pki-tomcat/alias' -n 'auditSigningCert cert-pki-ca'
Number of certificates and requests being tracked: 7.
Request ID '20140211143326':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='480267000059'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-retrieve-agent-submit
    issuer: CN=Certificate Authority,O=IPA1.EXAMPLE.TEST
    subject: CN=CA Audit,O=IPA1.EXAMPLE.TEST
    expires: 2016-02-01 00:00:45 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes

[root@master ~]# getcert resubmit -d '/etc/pki/pki-tomcat/alias' -n 'auditSigningCert cert-pki-ca'
Resubmitting "20140211000124" to "dogtag-ipa-renew-agent".

...waited for status to go back to MONITORING...

[root@master ~]# getcert list -d '/etc/pki/pki-tomcat/alias' -n 'auditSigningCert cert-pki-ca'
Number of certificates and requests being tracked: 7.
Request ID '20140211000124':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='906281234271'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=IPA1.EXAMPLE.TEST
    subject: CN=CA Audit,O=IPA1.EXAMPLE.TEST
    expires: 2016-02-01 15:32:03 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes

...Then on replica, run resubmit and check...

[root@replica1 ~]# getcert resubmit -d '/etc/pki/pki-tomcat/alias' -n 'auditSigningCert cert-pki-ca'
Resubmitting "20140211143326" to "dogtag-ipa-retrieve-agent-submit".

...wait for status to change to MONITORING...

[root@replica1 ~]# getcert list -d '/etc/pki/pki-tomcat/alias' -n 'auditSigningCert cert-pki-ca'
Number of certificates and requests being tracked: 7.
Request ID '20140211143326':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='480267000059'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-retrieve-agent-submit
    issuer: CN=Certificate Authority,O=IPA1.EXAMPLE.TEST
    subject: CN=CA Audit,O=IPA1.EXAMPLE.TEST
    expires: 2016-02-01 15:32:03 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes

...finally, confirm certs match:

[root@replica1 ~]# ssh $MASTER "certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n 'auditSigningCert cert-pki-ca'" > cert.master
root.example.test's password:
[root@replica1 ~]# certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n 'auditSigningCert cert-pki-ca' > cert.replica
[root@replica1 ~]# diff cert.master cert.replica
[root@replica1 ~]#
```

Now, automatic renewal with time change... This was run after a VM rebuild.

ON MASTER:

```
# ipactl stop
Stopping Directory Service
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping httpd Service
Stopping ipa_memcached Service
Stopping named Service
Stopping kadmin Service
Stopping krb5kdc Service
ipa: INFO: The ipactl command was successful
# hostname
master.ipa1.example.test
[root@master ~]# getcert list -d '/etc/pki/pki-tomcat/alias' -n 'auditSigningCert cert-pki-ca'
Number of certificates and requests being tracked: 7.
Request ID '20140211161725':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='419558786185'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=IPA1.EXAMPLE.TEST
    subject: CN=CA Audit,O=IPA1.EXAMPLE.TEST
    expires: 2016-02-01 16:16:45 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
[root@master ~]# date 010415002016
Mon Jan 4 15:00:00 CST 2016
[root@master ~]# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting pki-tomcatd Service
Starting ipa-otpd Service
ipa: INFO: The ipactl command was successful
```

ON REPLICA:

```
# ipactl stop
Stopping Directory Service
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping httpd Service
Stopping ipa_memcached Service
Stopping named Service
Stopping kadmin Service
Stopping krb5kdc Service
[root@replica1 ~]# getcert list -d '/etc/pki/pki-tomcat/alias' -n 'auditSigningCert cert-pki-ca'
Number of certificates and requests being tracked: 7.
Request ID '20140211164557':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='288546002948'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-retrieve-agent-submit
    issuer: CN=Certificate Authority,O=IPA1.EXAMPLE.TEST
    subject: CN=CA Audit,O=IPA1.EXAMPLE.TEST
    expires: 2016-02-01 16:16:45 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
[root@replica1 ~]# date 010415002016
Mon Jan 4 15:00:00 CST 2016
[root@replica1 ~]# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting pki-tomcatd Service
Starting ipa-otpd Service
ipa: INFO: The ipactl command was successful
```

ON MASTER:

```
[root@master ~]# getcert list -d '/etc/pki/pki-tomcat/alias' -n 'auditSigningCert cert-pki-ca'
Number of certificates and requests being tracked: 7.
Request ID '20140211161725':
    status: NOTIFYING_VALIDITY
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='419558786185'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=IPA1.EXAMPLE.TEST
    subject: CN=CA Audit,O=IPA1.EXAMPLE.TEST
    expires: 2016-02-01 16:16:45 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
[root@master ~]# getcert list -d '/etc/pki/pki-tomcat/alias' -n 'auditSigningCert cert-pki-ca'
Number of certificates and requests being tracked: 7.
Request ID '20140211161725':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='419558786185'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=IPA1.EXAMPLE.TEST
    subject: CN=CA Audit,O=IPA1.EXAMPLE.TEST
    expires: 2017-12-24 21:14:20 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
```

ON REPLICA:

```
[root@replica1 ~]# getcert list -d '/etc/pki/pki-tomcat/alias' -n 'auditSigningCert cert-pki-ca'
Number of certificates and requests being tracked: 7.
Request ID '20140211164557':
    status: NOTIFYING_VALIDITY
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='288546002948'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-retrieve-agent-submit
    issuer: CN=Certificate Authority,O=IPA1.EXAMPLE.TEST
    subject: CN=CA Audit,O=IPA1.EXAMPLE.TEST
    expires: 2016-02-01 16:16:45 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
[root@replica1 ~]# getcert list -d '/etc/pki/pki-tomcat/alias' -n 'auditSigningCert cert-pki-ca'
Number of certificates and requests being tracked: 7.
Request ID '20140211164557':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='288546002948'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-retrieve-agent-submit
    issuer: CN=Certificate Authority,O=IPA1.EXAMPLE.TEST
    subject: CN=CA Audit,O=IPA1.EXAMPLE.TEST
    expires: 2017-12-24 21:14:20 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
```

And to confirm that certs are the same:

```
[root@replica1 ~]# ssh $MASTER "certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n 'auditSigningCert cert-pki-ca'" > cert.master
root.example.test's password:
[root@replica1 ~]# certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n 'auditSigningCert cert-pki-ca' > cert.replica
[root@replica1 ~]# diff cert.master cert.replica
```

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.
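The thread above attributes the failure to ASCII garbage arriving with the certificate fetched from LDAP before it was handed to certmonger, and the verification ends by diffing the certificate on master and replica. As an added illustration that is not part of this bug report or of FreeIPA's own code, the Python below normalises such an attribute value, rejects it when the DER length does not cover the data, and yields a fingerprint to compare across CA masters; SAMPLE_DER and SAMPLE_LDAP_VALUE are constructed stand-ins, not real certificates.

```python
import base64
import binascii
import hashlib
import re

# Bytes outside the base64 alphabet (NULs, control bytes, newlines) are garbage.
_NOT_B64 = re.compile(rb"[^A-Za-z0-9+/=]")
# Constructed stand-in for a certificate (not a real X.509 cert): a 132-byte DER
# SEQUENCE with a long-form length wrapping one OCTET STRING.
SAMPLE_DER = b"\x30\x81\x81" + b"\x04\x7f" + b"A" * 127
# Constructed LDAP attribute value: base64 of SAMPLE_DER with garbage spliced in.
_B64 = base64.b64encode(SAMPLE_DER)
SAMPLE_LDAP_VALUE = b"\x00\x01" + _B64[:20] + b"\n\x00" + _B64[20:] + b"\x00\x00"

def der_outer_length(der: bytes) -> int:
    """Total length of the outermost DER TLV; a certificate is a SEQUENCE (0x30)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                # short form: one length byte
        return 2 + der[1]
    n = der[1] & 0x7F                # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def clean_certificate(raw: bytes) -> bytes:
    """Return clean DER from a raw attribute value, or raise ValueError."""
    if raw[:1] == b"\x30":           # already binary DER: take as-is
        der = raw
    else:                            # base64 text: drop non-alphabet bytes first
        try:
            der = base64.b64decode(_NOT_B64.sub(b"", raw), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"undecodable base64: {exc}") from exc
    # The encoded length must cover the data exactly; trailing garbage is
    # rejected here rather than handed on to certmonger.
    if der_outer_length(der) != len(der):
        raise ValueError("DER length does not match data (trailing garbage?)")
    return der

def is_clean(raw: bytes) -> bool:
    """True when the value yields exactly one well-formed DER certificate."""
    try:
        clean_certificate(raw)
        return True
    except ValueError:
        return False

def fingerprint(raw: bytes) -> str:
    """SHA-256 of the cleaned DER, the value to compare across master and replica."""
    return hashlib.sha256(clean_certificate(raw)).hexdigest()
```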