Bug 1173207
Summary: | IPA certs fail to autorenew simultaneouly | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Scott Poore <spoore> | ||||||
Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> | ||||||
Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> | ||||||
Severity: | unspecified | Docs Contact: | |||||||
Priority: | medium | ||||||||
Version: | 7.1 | CC: | jcholast, nalin, ovasik, rcritten | ||||||
Target Milestone: | rc | ||||||||
Target Release: | --- | ||||||||
Hardware: | Unspecified | ||||||||
OS: | Unspecified | ||||||||
Whiteboard: | |||||||||
Fixed In Version: | ipa-4.1.0-14.el7 | Doc Type: | Bug Fix | ||||||
Doc Text: | Story Points: | --- | |||||||
Clone Of: | Environment: | ||||||||
Last Closed: | 2015-03-05 10:18:57 UTC | Type: | Bug | ||||||
Regression: | --- | Mount Type: | --- | ||||||
Documentation: | --- | CRM: | |||||||
Verified Versions: | Category: | --- | |||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||
Embargoed: | |||||||||
Attachments: |
|
Description
Scott Poore
2014-12-11 16:50:20 UTC
Created attachment 967330 [details] pki debug log Unfortunately I had truncated the previous test run debug log. Here's a second run though. [root@vm1 ~]# date -u; getcert list | egrep "status|expires|Request|subject|ca-error" Thu Dec 11 17:00:16 UTC 2014 Request ID '20141211150642': status: MONITORING subject: CN=CA Audit,O=EXAMPLE.TEST expires: 2034-12-11 15:06:02 UTC Request ID '20141211150643': status: MONITORING subject: CN=OCSP Subsystem,O=EXAMPLE.TEST expires: 2034-12-11 15:06:02 UTC Request ID '20141211150644': status: MONITORING subject: CN=CA Subsystem,O=EXAMPLE.TEST expires: 2034-12-11 15:06:02 UTC Request ID '20141211150645': status: MONITORING subject: CN=Certificate Authority,O=EXAMPLE.TEST expires: 2034-12-11 15:06:02 UTC Request ID '20141211150646': status: MONITORING subject: CN=IPA RA,O=EXAMPLE.TEST expires: 2034-12-11 15:06:02 UTC Request ID '20141211150647': status: MONITORING subject: CN=vm1.example.test,O=EXAMPLE.TEST expires: 2034-12-11 15:06:02 UTC Request ID '20141211150648': status: MONITORING subject: CN=vm1.example.test,O=EXAMPLE.TEST expires: 2034-12-11 15:06:02 UTC Request ID '20141211150715': status: MONITORING subject: CN=vm1.example.test,O=EXAMPLE.TEST expires: 2034-12-11 15:06:02 UTC [root@vm1 ~]# date -u 111315062034 Mon Nov 13 15:06:00 UTC 2034 [root@vm1 ~]# date -u; getcert list | egrep "status|expires|Request|subject|ca-error" Mon Nov 13 15:06:03 UTC 2034 Request ID '20141211150642': status: NOTIFYING_VALIDITY subject: CN=CA Audit,O=EXAMPLE.TEST expires: 2034-12-11 15:06:02 UTC Request ID '20141211150643': status: NOTIFYING_VALIDITY subject: CN=OCSP Subsystem,O=EXAMPLE.TEST expires: 2034-12-11 15:06:02 UTC Request ID '20141211150644': status: NOTIFYING_VALIDITY subject: CN=CA Subsystem,O=EXAMPLE.TEST expires: 2034-12-11 15:06:02 UTC Request ID '20141211150645': status: NOTIFYING_VALIDITY subject: CN=Certificate Authority,O=EXAMPLE.TEST expires: 2034-12-11 15:06:02 UTC Request ID '20141211150646': status: NOTIFYING_VALIDITY subject: CN=IPA RA,O=EXAMPLE.TEST expires: 2034-12-11 15:06:02 UTC Request ID '20141211150647': status: GENERATING_CSR subject: CN=vm1.example.test,O=EXAMPLE.TEST expires: 2034-12-11 15:06:02 UTC Request ID '20141211150648': status: GENERATING_CSR subject: CN=vm1.example.test,O=EXAMPLE.TEST expires: 2034-12-11 15:06:02 UTC Request ID '20141211150715': status: GENERATING_CSR subject: CN=vm1.example.test,O=EXAMPLE.TEST expires: 2034-12-11 15:06:02 UTC [root@vm1 ~]# date -u; getcert list | egrep "status|expires|Request|subject|ca-error" Mon Nov 13 15:10:25 UTC 2034 Request ID '20141211150642': status: CA_UNREACHABLE ca-error: Internal error subject: CN=CA Audit,O=EXAMPLE.TEST expires: 2034-12-11 15:06:02 UTC Request ID '20141211150643': status: CA_UNREACHABLE ca-error: Internal error subject: CN=OCSP Subsystem,O=EXAMPLE.TEST expires: 2034-12-11 15:06:02 UTC Request ID '20141211150644': status: CA_UNREACHABLE ca-error: Internal error subject: CN=CA Subsystem,O=EXAMPLE.TEST expires: 2034-12-11 15:06:02 UTC Request ID '20141211150645': status: CA_UNREACHABLE ca-error: Internal error subject: CN=Certificate Authority,O=EXAMPLE.TEST expires: 2034-12-11 15:06:02 UTC Request ID '20141211150646': status: CA_UNREACHABLE ca-error: Internal error subject: CN=IPA RA,O=EXAMPLE.TEST expires: 2034-12-11 15:06:02 UTC Request ID '20141211150647': status: CA_UNREACHABLE ca-error: Error 7 connecting to http://vm1.example.test:8080/ca/ee/ca/profileSubmit: Couldn't connect to server. subject: CN=vm1.example.test,O=EXAMPLE.TEST expires: 2034-12-11 15:06:02 UTC Request ID '20141211150648': status: CA_UNREACHABLE ca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'EXAMPLE.TEST'. subject: CN=vm1.example.test,O=EXAMPLE.TEST expires: 2034-12-11 15:06:02 UTC Request ID '20141211150715': status: CA_UNREACHABLE ca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'EXAMPLE.TEST'. subject: CN=vm1.example.test,O=EXAMPLE.TEST expires: 2034-12-11 15:06:02 UTC Created attachment 967331 [details]
all of /var/log
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4803 Fixed upstream master: https://fedorahosted.org/freeipa/changeset/6a1304324fe94b17e8dc4a418f90bea028160ace https://fedorahosted.org/freeipa/changeset/b9ae7690489368ead9f4983d386fa210dc265dfa ipa-4-1: https://fedorahosted.org/freeipa/changeset/ff52891615c29adc6b07743f85984d29c1438d38 https://fedorahosted.org/freeipa/changeset/760ebaa6852b12f1d58032b33ef538d9894dc3ef Verified. Version :: ipa-server-4.1.0-15.el7.x86_64 Results :: I setup a self-signed install and walked the time forward incrementally until I reached the CA cert expiration threshold. Starting expirations: [root@vm1 ~]# getcert list | egrep "status|expires|Request|subject|ca-error" Request ID '20150114194236': status: MONITORING subject: CN=CA Audit,O=EXAMPLE.TEST expires: 2017-01-03 19:42:01 UTC Request ID '20150114194237': status: MONITORING subject: CN=OCSP Subsystem,O=EXAMPLE.TEST expires: 2017-01-03 19:42:01 UTC Request ID '20150114194238': status: MONITORING subject: CN=CA Subsystem,O=EXAMPLE.TEST expires: 2017-01-03 19:42:01 UTC Request ID '20150114194239': status: MONITORING subject: CN=Certificate Authority,O=EXAMPLE.TEST expires: 2035-01-14 19:42:00 UTC Request ID '20150114194240': status: MONITORING subject: CN=IPA RA,O=EXAMPLE.TEST expires: 2017-01-03 19:42:35 UTC Request ID '20150114194241': status: MONITORING subject: CN=vm1.example.test,O=EXAMPLE.TEST expires: 2017-01-03 19:42:01 UTC Request ID '20150114194242': status: MONITORING subject: CN=vm1.example.test,O=EXAMPLE.TEST expires: 2017-01-14 19:42:42 UTC Request ID '20150114194304': status: MONITORING subject: CN=vm1.example.test,O=EXAMPLE.TEST expires: 2017-01-14 19:43:03 UTC [root@vm1 ~]# date Wed Jan 14 13:46:08 CST 2015 After walking time forward, I stopped right before the last step forward in time to capture a stable state: [root@vm1 ~]# g Request ID '20150114194236': status: MONITORING subject: CN=CA Audit,O=EXAMPLE.TEST expires: 2035-01-14 19:42:00 UTC Request ID '20150114194237': status: MONITORING subject: CN=OCSP Subsystem,O=EXAMPLE.TEST expires: 2035-01-14 19:42:00 UTC Request ID '20150114194238': status: MONITORING subject: CN=CA Subsystem,O=EXAMPLE.TEST expires: 2035-01-14 19:42:00 UTC Request ID '20150114194239': status: MONITORING subject: CN=Certificate Authority,O=EXAMPLE.TEST expires: 2035-01-14 19:42:00 UTC Request ID '20150114194240': status: MONITORING subject: CN=IPA RA,O=EXAMPLE.TEST expires: 2035-01-14 19:42:00 UTC Request ID '20150114194241': status: MONITORING subject: CN=vm1.example.test,O=EXAMPLE.TEST expires: 2035-01-14 19:42:00 UTC Request ID '20150114194242': status: MONITORING subject: CN=vm1.example.test,O=EXAMPLE.TEST expires: 2035-01-14 19:42:00 UTC Request ID '20150114194304': status: MONITORING subject: CN=vm1.example.test,O=EXAMPLE.TEST expires: 2035-01-14 19:42:00 UTC Thu May 4 22:43:43 CDT 2034 And here I can see it attempts to autorenew everything simultaneously: [root@vm1 ~]# date -u 121919422034 Tue Dec 19 19:42:00 UTC 2034 [root@vm1 ~]# g Request ID '20150114194236': status: NOTIFYING_VALIDITY subject: CN=CA Audit,O=EXAMPLE.TEST expires: 2035-01-14 19:42:00 UTC Request ID '20150114194237': status: NOTIFYING_VALIDITY subject: CN=OCSP Subsystem,O=EXAMPLE.TEST expires: 2035-01-14 19:42:00 UTC Request ID '20150114194238': status: NOTIFYING_VALIDITY subject: CN=CA Subsystem,O=EXAMPLE.TEST expires: 2035-01-14 19:42:00 UTC Request ID '20150114194239': status: NOTIFYING_VALIDITY subject: CN=Certificate Authority,O=EXAMPLE.TEST expires: 2035-01-14 19:42:00 UTC Request ID '20150114194240': status: NOTIFYING_VALIDITY subject: CN=IPA RA,O=EXAMPLE.TEST expires: 2035-01-14 19:42:00 UTC Request ID '20150114194241': status: GENERATING_CSR subject: CN=vm1.example.test,O=EXAMPLE.TEST expires: 2035-01-14 19:42:00 UTC Request ID '20150114194242': status: GENERATING_CSR subject: CN=vm1.example.test,O=EXAMPLE.TEST expires: 2035-01-14 19:42:00 UTC Request ID '20150114194304': status: GENERATING_CSR subject: CN=vm1.example.test,O=EXAMPLE.TEST expires: 2035-01-14 19:42:00 UTC Tue Dec 19 13:42:06 CST 2034 Then wait for a while and check back to see that the CA has renewed and everything is back in MONITORING and nothing fell to CA_UNREACHABLE: [root@vm1 ~]# sleep 180 [root@vm1 ~]# g Request ID '20150114194236': status: MONITORING subject: CN=CA Audit,O=EXAMPLE.TEST expires: 2035-01-14 19:42:00 UTC Request ID '20150114194237': status: MONITORING subject: CN=OCSP Subsystem,O=EXAMPLE.TEST expires: 2035-01-14 19:42:00 UTC Request ID '20150114194238': status: MONITORING subject: CN=CA Subsystem,O=EXAMPLE.TEST expires: 2035-01-14 19:42:00 UTC Request ID '20150114194239': status: MONITORING subject: CN=Certificate Authority,O=EXAMPLE.TEST expires: 2054-12-19 19:43:22 UTC Request ID '20150114194240': status: MONITORING subject: CN=IPA RA,O=EXAMPLE.TEST expires: 2035-01-14 19:42:00 UTC Request ID '20150114194241': status: MONITORING subject: CN=vm1.example.test,O=EXAMPLE.TEST expires: 2035-01-14 19:42:00 UTC Request ID '20150114194242': status: MONITORING subject: CN=vm1.example.test,O=EXAMPLE.TEST expires: 2035-01-14 19:42:00 UTC Request ID '20150114194304': status: MONITORING subject: CN=vm1.example.test,O=EXAMPLE.TEST expires: 2035-01-14 19:42:00 UTC Tue Dec 19 13:46:08 CST 2034 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0442.html |