Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1166931

Summary: RHEL7.1 ipa automatic CA cert renewal stuck in submitting state
Product: Red Hat Enterprise Linux 7 Reporter: Scott Poore <spoore>
Component: ipaAssignee: Jan Cholasta <jcholast>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 7.1CC: jcholast, mkosek, mnavrati, pvoborni, rcritten
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.1.0-11.el7 Doc Type: Bug Fix
Doc Text:
The following known issue description has been removed from the RHEL 7.1 Beta Release Notes: Due to a bug in the dogtag-ipa-ca-renew-agent certmonger tool renewal mechanism, automatic renewal of the IPA CA certificate can result in an endless request loop. There is no workaround available at the moment.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-05 10:15:42 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1168850    
Attachments:
Description Flags
all of /var/log from vm with issue none

Description Scott Poore 2014-11-22 02:55:48 UTC 
Description of problem:

Automatic CA Cert renewal for self signed IPA is hanging in a submitting state.  

[root@vm4 ~]# getcert list -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca'
Number of certificates and requests being tracked: 8.
Request ID '20141122001822':
	status: SUBMITTING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin='358974620032'
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.TEST
	subject: CN=Certificate Authority,O=EXAMPLE.TEST
	expires: 2034-11-22 00:17:49 UTC
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes

I walked the time forward to within 6 days of CA expiration and it goes through to this point.  But, certmonger is trying repeatedly to submit and is never getting passed this state.




Version-Release number of selected component (if applicable):

ipa-server-4.1.0-7.el7.x86_64
certmonger-0.75.14-2.el7.x86_64


How reproducible:


Steps to Reproduce:
1.  Install IPA Master
2.  getcert list | grep expires
3.  Change date to closest to let certs expire as expected
4.  getcert list
5.  Check that certs submit and renew
6.  getcert resubmit -i <id>  for any certs that don't submit
7.  repeat until all certs in MONITORING state
8.  change date forward again and repeat until you reach CA cert expiration


Actual results:
stuck in submitting state shown above.  I don't see it go to monitoring state.

Expected results:
cert should change from submitting to monitoring.

Additional info:

[root@vm4 ~]# tail -10 /var/log/messages
Nov 16 01:42:09 vm4 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Nov 16 01:42:09 vm4 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 5
Nov 16 01:42:10 vm4 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Nov 16 01:42:10 vm4 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 5
Nov 16 01:42:12 vm4 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Nov 16 01:42:13 vm4 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 5
Nov 16 01:42:14 vm4 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Nov 16 01:42:14 vm4 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 5
Nov 16 01:42:15 vm4 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Nov 16 01:42:15 vm4 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 5
Comment 2 Scott Poore 2014-11-22 03:00:09 UTC 
Created attachment 960031 [details]
all of /var/log from vm with issue
Comment 3 Scott Poore 2014-11-22 03:07:27 UTC 
Here's the request info:

[root@vm4 ~]# cat /var/lib/certmonger/requests/20141122001822
id=20141122001822
key_type=RSA
key_gen_type=RSA
key_size=2048
key_gen_size=2048
key_storage_type=NSSDB
key_storage_location=/etc/pki/pki-tomcat/alias
key_token=NSS Certificate DB
key_nickname=caSigningCert cert-pki-ca
key_pin=358974620032
key_pubkey=3082010A0282010100E2B268DDBBB3CBC28A6EED45C317144B3356355EE6E77F4311758DC438BFAB4DBCC78D3B2292D1B8F26A935EB34A638927D01AFF54583431683CD9D8CE9AC79486A49CD4FD4869561ED422080BDEBC2C5A7FDF5AF76B6E4FF4CB881B52DDB482F61BD09E9F155BA24AB23E2CDBB51387E11758358EF41A61737D1AF2E785CAF70109FD89A147DC0CE2CEC13F18E2345930D5B15C78924621749AD9F2C8D38393A325FA4A9C61FE5DCAE1AEFF7F282ADBD4017FE3329FE4A71B4EA7D01F92FA91AB21ECA56B73A5DA400F578B49E4AC4369D6998F762058B926B2D8C5E42F9C5CE1AAD021E25E76C62864F8D2FF5EC130CA65ECC931D923DD1A953F8B5B13516F0203010001
key_pubkey_info=30820122300D06092A864886F70D01010105000382010F003082010A0282010100E2B268DDBBB3CBC28A6EED45C317144B3356355EE6E77F4311758DC438BFAB4DBCC78D3B2292D1B8F26A935EB34A638927D01AFF54583431683CD9D8CE9AC79486A49CD4FD4869561ED422080BDEBC2C5A7FDF5AF76B6E4FF4CB881B52DDB482F61BD09E9F155BA24AB23E2CDBB51387E11758358EF41A61737D1AF2E785CAF70109FD89A147DC0CE2CEC13F18E2345930D5B15C78924621749AD9F2C8D38393A325FA4A9C61FE5DCAE1AEFF7F282ADBD4017FE3329FE4A71B4EA7D01F92FA91AB21ECA56B73A5DA400F578B49E4AC4369D6998F762058B926B2D8C5E42F9C5CE1AAD021E25E76C62864F8D2FF5EC130CA65ECC931D923DD1A953F8B5B13516F0203010001
cert_storage_type=NSSDB
cert_storage_location=/etc/pki/pki-tomcat/alias
cert_token=NSS Certificate DB
cert_nickname=caSigningCert cert-pki-ca
cert_issuer_der=303731153013060355040A0C0C4558414D504C452E54455354311E301C06035504030C15436572746966696361746520417574686F72697479
cert_issuer=CN=Certificate Authority,O=EXAMPLE.TEST
cert_serial=01
cert_subject_der=303731153013060355040A0C0C4558414D504C452E54455354311E301C06035504030C15436572746966696361746520417574686F72697479
cert_subject=CN=Certificate Authority,O=EXAMPLE.TEST
cert_spki=30820122300D06092A864886F70D01010105000382010F003082010A0282010100E2B268DDBBB3CBC28A6EED45C317144B3356355EE6E77F4311758DC438BFAB4DBCC78D3B2292D1B8F26A935EB34A638927D01AFF54583431683CD9D8CE9AC79486A49CD4FD4869561ED422080BDEBC2C5A7FDF5AF76B6E4FF4CB881B52DDB482F61BD09E9F155BA24AB23E2CDBB51387E11758358EF41A61737D1AF2E785CAF70109FD89A147DC0CE2CEC13F18E2345930D5B15C78924621749AD9F2C8D38393A325FA4A9C61FE5DCAE1AEFF7F282ADBD4017FE3329FE4A71B4EA7D01F92FA91AB21ECA56B73A5DA400F578B49E4AC4369D6998F762058B926B2D8C5E42F9C5CE1AAD021E25E76C62864F8D2FF5EC130CA65ECC931D923DD1A953F8B5B13516F0203010001
cert_not_before=20141122001749
cert_not_after=20341122001749
cert_ku=1100011
cert_is_ca=1
cert_ca_path_length=-2
cert_ocsp=http://vm4.example.test:80/ca/ocsp
cert_no_ocsp_check=0
last_need_notify_check=20341116061856
last_need_enroll_check=20341116061856
template_subject_der=303731153013060355040A0C0C4558414D504C452E54455354311E301C06035504030C15436572746966696361746520417574686F72697479
template_subject=CN=Certificate Authority,O=EXAMPLE.TEST
template_ku=1100011
template_is_ca=0
template_ca_path_length=0
template_profile=ipaCACertRenewal
template_no_ocsp_check=0
csr=-----BEGIN NEW CERTIFICATE REQUEST-----
 MIIDETCCAfkCAQAwNzEVMBMGA1UECgwMRVhBTVBMRS5URVNUMR4wHAYDVQQDDBVD
 ZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
 AoIBAQDismjdu7PLwopu7UXDFxRLM1Y1Xubnf0MRdY3EOL+rTbzHjTsiktG48mqT
 XrNKY4kn0Br/VFg0MWg82djOmseUhqSc1P1IaVYe1CIIC968LFp/31r3a25P9MuI
 G1LdtIL2G9CenxVbokqyPizbtROH4RdYNY70GmFzfRry54XK9wEJ/YmhR9wM4s7B
 PxjiNFkw1bFceJJGIXSa2fLI04OToyX6Spxh/l3K4a7/fygq29QBf+Myn+SnG06n
 0B+S+pGrIeyla3Ol2kAPV4tJ5KxDadaZj3YgWLkmstjF5C+cXOGq0CHiXnbGKGT4
 0v9ewTDKZezJMdkj3RqVP4tbE1FvAgMBAAGggZQwQQYJKoZIhvcNAQkUMTQeMgBj
 AGEAUwBpAGcAbgBpAG4AZwBDAGUAcgB0ACAAYwBlAHIAdAAtAHAAawBpAC0AYwBh
 ME8GCSqGSIb3DQEJDjFCMEAwDgYDVR0PAQEABAQDAgHGMAwGA1UdEwEB/wQCMAAw
 IAYDVR0OAQEABBYEFCXR+icIicOKX3IIwEON7uRPILrFMA0GCSqGSIb3DQEBCwUA
 A4IBAQA0m9iTmk8XfT9Z1uwR+o2diDZugJd/vRL2GujedVfBb7GV6cbfSpnwFGbi
 KGdNsdtHuKm7447ye2QFcQZ8nw0PBBsAICEfdXERfCFen9LrQukx7c1f4WMUs3Gr
 m6QDWrQqbvHmFxefBcPu4A6Yt1e/2VpKfXtgcGfLEdLrJU/rJIrJx+0+H5sYTC+e
 0sOfqCr53ioxNw49jaxvkg5Q80IppH72K+qAdfBZrsX+XdkU0AxuGa5A0ngmwwK4
 38py9vjdOI1w8aBvuE/2Z5W35yu4AoQ3k6AkVUv2cmNlzyZUoz4fL5aI4LQ79yov
 11xoxpHkL7Ufwm08pD9vJhUZpeng
 -----END NEW CERTIFICATE REQUEST-----
spkac=MIICQDCCASgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDismjdu7PLwopu7UXDFxRLM1Y1Xubnf0MRdY3EOL+rTbzHjTsiktG48mqTXrNKY4kn0Br/VFg0MWg82djOmseUhqSc1P1IaVYe1CIIC968LFp/31r3a25P9MuIG1LdtIL2G9CenxVbokqyPizbtROH4RdYNY70GmFzfRry54XK9wEJ/YmhR9wM4s7BPxjiNFkw1bFceJJGIXSa2fLI04OToyX6Spxh/l3K4a7/fygq29QBf+Myn+SnG06n0B+S+pGrIeyla3Ol2kAPV4tJ5KxDadaZj3YgWLkmstjF5C+cXOGq0CHiXnbGKGT40v9ewTDKZezJMdkj3RqVP4tbE1FvAgMBAAEWADANBgkqhkiG9w0BAQsFAAOCAQEA1X0Pyj+C598GbOhf8+nOx4NNkmYz+IQ35fOV+17BK9yyQYWnErv1DkkaNIOq9hNcxTZaZw4usrBrZcNac537YiSj7MqD6Q5oFxBTSSRb9GM6vCwtR58+s32JT3PhxqQuSmi7mAC2qt7eHAeg+521/+aDdXBy/wDExVfTV26Txrfrzx5UkgNWrA0ECWyaX8Hr8rc7+ZfMpUUJIRFN+BRGIWE9JEEarYNfxFrWUsc6Y+i7iH3NMQ+a5pcSnywdgWFdXycoqhY7hlmmhKXtFWrPEGXVhpXa+efnT9pXldLG9nVatRbuUATCmMlcqIBYgfdx1dTRVO/Kr5vWg9VOsHfXSQ==
state=SUBMITTING
autorenew=1
monitor=1
ca_name=dogtag-ipa-ca-renew-agent
submitted=20341116081303
ca_cookie={"profile": "caCACert", "cookie": "request:{\"profile\": \"caCACert\", \"cookie\": \"request:{\\\"profile\\\": \\\"caCACert\\\", \\\"cookie\\\": \\\"state=approve&requestId=4268\\\"}\"}"}
cert=-----BEGIN CERTIFICATE-----
 MIIDjjCCAnagAwIBAgIBATANBgkqhkiG9w0BAQsFADA3MRUwEwYDVQQKDAxFWEFN
 UExFLlRFU1QxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNDEx
 MjIwMDE3NDlaFw0zNDExMjIwMDE3NDlaMDcxFTATBgNVBAoMDEVYQU1QTEUuVEVT
 VDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0B
 AQEFAAOCAQ8AMIIBCgKCAQEA4rJo3buzy8KKbu1FwxcUSzNWNV7m539DEXWNxDi/
 q028x407IpLRuPJqk16zSmOJJ9Aa/1RYNDFoPNnYzprHlIaknNT9SGlWHtQiCAve
 vCxaf99a92tuT/TLiBtS3bSC9hvQnp8VW6JKsj4s27UTh+EXWDWO9Bphc30a8ueF
 yvcBCf2JoUfcDOLOwT8Y4jRZMNWxXHiSRiF0mtnyyNODk6Ml+kqcYf5dyuGu/38o
 KtvUAX/jMp/kpxtOp9AfkvqRqyHspWtzpdpAD1eLSeSsQ2nWmY92IFi5JrLYxeQv
 nFzhqtAh4l52xihk+NL/XsEwymXsyTHZI90alT+LWxNRbwIDAQABo4GkMIGhMB8G
 A1UdIwQYMBaAFCXR+icIicOKX3IIwEON7uRPILrFMA8GA1UdEwEB/wQFMAMBAf8w
 DgYDVR0PAQH/BAQDAgHGMB0GA1UdDgQWBBQl0fonCInDil9yCMBDje7kTyC6xTA+
 BggrBgEFBQcBAQQyMDAwLgYIKwYBBQUHMAGGImh0dHA6Ly92bTQuZXhhbXBsZS50
 ZXN0OjgwL2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAKTuz4N3D9eeQETNryQ2
 CyP/WcxZqFfFe1nLLGmLdl+aGph6b0VYy7c7QT8NqdIi163iaodx4ayF14EKGun7
 X4S76bIXKlp3qLEGJr0rduuohF/sOIdBFgvMkmolieyofLsIREabEZxXQGgNIHWv
 WwUZ+V+C1MFfDl3gc6jogy5mpUNbjg3ro8uOgwB2gYmojHuKAnsovZu64F5YlKsi
 MGYldwfMe7k/tE4SfZgLv98m4ogdT9ykm4MBzcfo4wmOQFrnInmquqJ6pyZ0+rzU
 oSGsasYJHza31GUv73a6MRJIRhJg4IHEFlGw1rUwKJ731xAoTTH82rRZK79bUdNr
 hOk=
 -----END CERTIFICATE-----
 
pre_certsave_command=/usr/lib64/ipa/certmonger/stop_pkicad
pre_certsave_uid=0
post_certsave_command=/usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
post_certsave_uid=0
Comment 4 Scott Poore 2014-11-22 03:19:28 UTC 
FYI, if I run ipa-cacert-manage renew, it does renew and set expiration on new cert as expected.
Comment 5 Jan Cholasta 2014-11-25 08:07:28 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4765
Comment 9 Petr Vobornik 2014-12-09 12:08:51 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/423c3e8f34d6ae6655c3b82c4e5a18caf1e63a49
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/9bfb16c22043d714b8227567600f94345c40cad6
Comment 11 Scott Poore 2014-12-11 20:56:44 UTC 
Verified.

Version ::
ipa-server-4.1.0-12.el7.x86_64

Results ::

This one took some work to walk the time in to almost the point where the CA was fully expired.  I had difficulty verifying this one because of bug #1173207 where certs wouldn't properly autorenew simultaneously.  

I was able to get this though.  During renewal cycle:

[root@vm2 ca]# getcert list -i 20141211192147
Number of certificates and requests being tracked: 8.
Request ID '20141211192147':
	status: SUBMITTING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin='563139244575'
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.TEST
	subject: CN=Certificate Authority,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes

And it renewed without forcing with resubmit.

[root@vm2 ca]# getcert list -i 20141211192147
Number of certificates and requests being tracked: 8.
Request ID '20141211192147':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin='563139244575'
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.TEST
	subject: CN=Certificate Authority,O=EXAMPLE.TEST
	expires: 2054-12-09 22:30:05 UTC
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes


.... and the results to get there:


[root@vm2 ca]# date 120916302034
Sat Dec  9 16:30:00 CST 2034

[root@vm2 ca]# date -u; getcert list | egrep "status|expires|Request|subject|ca-error"
Sat Dec  9 22:30:01 UTC 2034
Request ID '20141211192144':
	status: NOTIFYING_VALIDITY
	ca-error: Internal error: no response to "http://vm2.example.test:8080/ca/ee/ca/displayCertFromRequest?requestId=128&importCert=true&xml=true".
	subject: CN=CA Audit,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192145':
	status: CA_UNREACHABLE
	ca-error: Internal error
	subject: CN=OCSP Subsystem,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192146':
	status: NOTIFYING_VALIDITY
	ca-error: Internal error: no response to "http://vm2.example.test:8080/ca/ee/ca/displayCertFromRequest?requestId=130&importCert=true&xml=true".
	subject: CN=CA Subsystem,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192147':
	status: NOTIFYING_VALIDITY
	ca-error: Internal error: no response to "http://vm2.example.test:8080/ca/ee/ca/displayCertFromRequest?requestId=132&importCert=true&xml=true".
	subject: CN=Certificate Authority,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192148':
	status: NOTIFYING_VALIDITY
	ca-error: Internal error: no response to "http://vm2.example.test:8080/ca/ee/ca/displayCertFromRequest?requestId=129&importCert=true&xml=true".
	subject: CN=IPA RA,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192149':
	status: MONITORING
	subject: CN=vm2.example.test,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192150':
	status: MONITORING
	subject: CN=vm2.example.test,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192212':
	status: MONITORING
	subject: CN=vm2.example.test,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC

[root@vm2 ca]# date -u; getcert list | egrep "status|expires|Request|subject|ca-error"
Sat Dec  9 22:30:03 UTC 2034
Request ID '20141211192144':
	status: SUBMITTING
	subject: CN=CA Audit,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192145':
	status: CA_UNREACHABLE
	ca-error: Internal error
	subject: CN=OCSP Subsystem,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192146':
	status: SUBMITTING
	subject: CN=CA Subsystem,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192147':
	status: SUBMITTING
	subject: CN=Certificate Authority,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192148':
	status: SUBMITTING
	subject: CN=IPA RA,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192149':
	status: MONITORING
	subject: CN=vm2.example.test,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192150':
	status: MONITORING
	subject: CN=vm2.example.test,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192212':
	status: MONITORING
	subject: CN=vm2.example.test,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC

[root@vm2 ca]# date -u; getcert list | egrep "status|expires|Request|subject|ca-error"
Sat Dec  9 22:30:45 UTC 2034
Request ID '20141211192144':
	status: MONITORING
	subject: CN=CA Audit,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192145':
	status: CA_UNREACHABLE
	ca-error: Internal error
	subject: CN=OCSP Subsystem,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192146':
	status: NEED_TO_SAVE_CERT
	subject: CN=CA Subsystem,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192147':
	status: NEED_TO_SAVE_CERT
	subject: CN=Certificate Authority,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192148':
	status: NEED_TO_SAVE_CERT
	subject: CN=IPA RA,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192149':
	status: NEED_TO_SAVE_CERT
	subject: CN=vm2.example.test,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192150':
	status: SUBMITTING
	subject: CN=vm2.example.test,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192212':
	status: SUBMITTING
	subject: CN=vm2.example.test,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC

[root@vm2 ca]# date -u; getcert list | egrep "status|expires|Request|subject|ca-error"
Sat Dec  9 22:31:20 UTC 2034
Request ID '20141211192144':
	status: MONITORING
	subject: CN=CA Audit,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192145':
	status: CA_UNREACHABLE
	ca-error: Internal error
	subject: CN=OCSP Subsystem,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192146':
	status: NEED_TO_SAVE_CERT
	subject: CN=CA Subsystem,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192147':
	status: MONITORING
	subject: CN=Certificate Authority,O=EXAMPLE.TEST
	expires: 2054-12-09 22:30:05 UTC
Request ID '20141211192148':
	status: NEED_TO_SAVE_CERT
	subject: CN=IPA RA,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192149':
	status: NEED_TO_SAVE_CERT
	subject: CN=vm2.example.test,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192150':
	status: MONITORING
	subject: CN=vm2.example.test,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192212':
	status: MONITORING
	subject: CN=vm2.example.test,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Comment 13 errata-xmlrpc 2015-03-05 10:15:42 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html