Bug 1178128
| Summary: | IPA externally signed CA cert expiration warning missing from log | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Scott Poore <spoore> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.1 | CC: | jcholast, rcritten |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.1.0-14.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-03-05 10:19:17 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4820

Fixed upstream master: https://fedorahosted.org/freeipa/changeset/a63df8f3091992e227fe4654977bb91386ce0491

ipa-4-1: https://fedorahosted.org/freeipa/changeset/818136bab14d5b137943349564a8cc3b31af5afa

Verified.

Version :: ipa-server-4.1.0-15.el7.x86_64

Results :: I installed with external-ca and then walked time forward until it expired.

```
[root@vm1 ~]# g
Request ID '20150114215735':
        status: SUBMITTING
        subject: CN=CA Audit,O=EXAMPLE.TEST
        expires: 2020-01-14 21:56:16 UTC
Request ID '20150114215736':
        status: SUBMITTING
        subject: CN=OCSP Subsystem,O=EXAMPLE.TEST
        expires: 2020-01-14 21:56:16 UTC
Request ID '20150114215737':
        status: SUBMITTING
        subject: CN=CA Subsystem,O=EXAMPLE.TEST
        expires: 2020-01-14 21:56:16 UTC
Request ID '20150114215738':
        status: MONITORING
        ca-error: Updated certificate not available
        subject: CN=Certificate Authority,O=EXAMPLE.TEST
        expires: 2020-01-14 21:56:16 UTC
Request ID '20150114215739':
        status: SUBMITTING
        subject: CN=IPA RA,O=EXAMPLE.TEST
        expires: 2020-01-14 21:56:16 UTC
Request ID '20150114215740':
        status: MONITORING
        subject: CN=vm1.example.test,O=EXAMPLE.TEST
        expires: 2020-01-14 21:56:16 UTC
Request ID '20150114215741':
        status: MONITORING
        subject: CN=vm1.example.test,O=EXAMPLE.TEST
        expires: 2020-01-14 21:56:16 UTC
Request ID '20150114215808':
        status: MONITORING
        subject: CN=vm1.example.test,O=EXAMPLE.TEST
        expires: 2020-01-14 21:56:16 UTC
Thu Dec 19 15:56:49 CST 2019
[root@vm1 ~]# grep "IPA CA certificate is about to expire, use ipa-cacert-manage to renew it" /var/log/messages
Dec 19 15:56:47 vm1 dogtag-ipa-ca-renew-agent-submit: IPA CA certificate is about to expire, use ipa-cacert-manage to renew it
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html
Description of problem:

When IPA server's externally signed CA cert is about to expire, I'd expect to see a message in /var/log/messages. I walked the server's time slowly from 4 weeks out to the expiration time and never saw a message. All I saw was getcert change:

```
[root@rhel7-9 log]# getcert list -i 20141216222410
Number of certificates and requests being tracked: 8.
Request ID '20141216222410':
        status: MONITORING
        ca-error: Updated certificate not available
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin='285787707402'
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Primary Fake CA,O=fakerealm1
        subject: CN=Certificate Authority,O=EXAMPLE.COM
        expires: 2019-12-16 22:21:55 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
```

Version-Release number of selected component (if applicable):
ipa-server-4.1.0-13.el7.x86_64

How reproducible:
always

Steps to Reproduce:

1. Start IPA server install requiring externally signed CA:

   ```
   ipa-server-install --setup-dns --forwarder=192.168.122.1 -r EXAMPLE.TEST -a Secret123 -p Secret123 --external-ca -U
   ```

2. Set up a fake external CA for signing:

   ```
   SERNUM=$RANDOM
   SERNUM=$(( SERNUM += 1 ))
   echo -e "y\n10\ny\n" | \
   certutil -S -d . \
       -n RootCA \
       -s "CN=MyRootCA, O=fakerealm1" \
       -x \
       -t "CTu,CTu,CTu" \
       -g 2048 \
       -m $SERNUM \
       -v 60 \
       -z /etc/group \
       -2 \
       --keyUsage certSigning \
       --nsCertType sslCA,smimeCA,objectSigningCA \
       -f mypass1
   ```

3. Sign the IPA CSR and export the fake CA cert:

   ```
   SERNUM=$(( SERNUM += 1 ))
   echo -e "y\n10\ny\n" | \
   certutil -C -d . \
       -c RootCA \
       -m $SERNUM \
       -v 60 \
       -2 \
       --keyUsage digitalSignature,nonRepudiation,certSigning \
       --nsCertType sslCA,smimeCA,objectSigningCA \
       -i /root/ipa.csr \
       -o /root/ipa.crt \
       -f mypass1 \
       -a
   certutil -L -d . -n "RootCA" -a >> /root/ipacacert.asc
   ```

4. Finish the IPA install:

   ```
   cd /root
   ipa-server-install --setup-dns --forwarder=192.168.122.1 \
       -r EXAMPLE.TEST -a Secret123 -p Secret123 \
       --external-cert-file=/root/ipa.crt \
       --external-cert-file=/root/ipacacert.asc -U
   ```

5. Walk time forward with the date command while making sure the certs expire:

   ```
   date <soonest_expiration_minus_4_weeks>
   getcert list | egrep "status|expires|Request|subject|ca-error"
   ```

6. When you get within 4 weeks of the CA expiring, check /var/log/messages for the message:

   ```
   grep "IPA CA certificate is about to expire, use ipa-cacert-manage to renew it" /var/log/messages
   ```

Actual results:
no warning seen in log

Expected results:
Should see: "IPA CA certificate is about to expire, use ipa-cacert-manage to renew it"

Additional info:
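As an added example that is not part of the bug report or of FreeIPA's code, the following Python reproduces the check the renewal agent is expected to make: it parses a constructed sample of `getcert list` output in the format quoted above and flags the CA signing certificate once its `expires:` time is within the 4-week window from step 6. A monitoring job built this way surfaces the condition even when the syslog line is missing, as it was in the affected build.

```python
import re
from datetime import datetime, timedelta, timezone

# Warning window from step 6 of the report, and the message the agent should log.
WARN_WINDOW = timedelta(weeks=4)
WARNING = "IPA CA certificate is about to expire, use ipa-cacert-manage to renew it"

# Constructed sample, modelled on the `getcert list` output quoted in this bug.
SAMPLE_GETCERT_OUTPUT = """\
Request ID '20150114215738':
        status: MONITORING
        ca-error: Updated certificate not available
        subject: CN=Certificate Authority,O=EXAMPLE.TEST
        expires: 2020-01-14 21:56:16 UTC
Request ID '20150114215740':
        status: MONITORING
        subject: CN=vm1.example.test,O=EXAMPLE.TEST
        expires: 2020-01-14 21:56:16 UTC
"""

def parse_utc(stamp):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' timestamp into an aware datetime."""
    naive = datetime.strptime(stamp.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)

def parse_getcert(text):
    """Split `getcert list` text into one dict of fields per tracked request."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '(\d+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and ":" in line:
            key, _, value = line.strip().partition(":")
            requests[-1][key] = value.strip()
    return requests

def expiry_warnings(text, now):
    """Return one warning string per CA signing cert expiring within WARN_WINDOW of `now`."""
    warnings = []
    for req in parse_getcert(text):
        # Only the CA signing cert is covered by the agent's warning.
        if "CN=Certificate Authority" not in req.get("subject", ""):
            continue
        if parse_utc(req["expires"]) - now <= WARN_WINDOW:
            warnings.append("%s (request %s, expires %s)" % (WARNING, req["id"], req["expires"]))
    return warnings

if __name__ == "__main__":
    # The report's `date` output (Thu Dec 19 15:56:49 CST 2019), expressed in UTC.
    for w in expiry_warnings(SAMPLE_GETCERT_OUTPUT, parse_utc("2019-12-19 21:56:49 UTC")):
        print(w)
```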