Bug 1277691
| Field | Value |
|---|---|
| Summary | ipa-cacert-manage renew failed with validity out of range |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Xiyang Dong <xdong> |
| Component | pki-core |
| Assignee | Endi Sukma Dewata <edewata> |
| Status | CLOSED ERRATA |
| QA Contact | Asha Akkiangady <aakkiang> |
| Severity | medium |
| Priority | medium |
| Version | 7.2 |
| CC | arubin, cfu, edewata, enewland, jcholast, ksiddiqu, mharmsen, mkolaja, mkosek, nkinder, nsoman, rcritten, snagar, spoore, xdong |
| Target Milestone | rc |
| Keywords | TestBlocker, ZStream |
| Target Release | 7.3 |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | pki-core-10.3.1-1.el7 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Clone Of | |
| | 1308854 1310200 |
| Last Closed | 2016-11-04 05:20:08 UTC |
| Type | Bug |
| Regression | --- |
| Bug Blocks | 1308854, 1310200 |

Doc Text:

The certificate validity was calculated incorrectly in case of a daylight saving time change in the validity period. Consequently, the "ipa-cacert-manage renew" command could fail with a validity error. With this update, the CA Validity Default has been modified to use Calendar API, which calculates the certificate validity range consistently with the Validity Constraint and Validity Default. As a result, a CA certificate is successfully renewed in this scenario.
Description (Xiyang Dong, 2015-11-03 20:28:31 UTC)

Needs to be first investigated within the "ipa" component. This might be caused by mismatching time zones (i.e. EST vs. EDT) in the certificate validity range. Please try the workaround mentioned in this ticket: https://fedorahosted.org/pki/ticket/1682 If it fixes the problem, please assign the ticket back to pki-core. Thanks.

I was not able to reproduce this with:

```
certmonger-0.78.4-1.el7.x86_64
ipa-server-4.2.0-15.el7.x86_64
pki-ca-10.2.5-6.el7.noarch
```

My guess is that this was caused by DST. For the record, IPA explicitly requests the validity not to be checked on the CA certificate by setting bypassCAnotafter=true in the certificate request approval options.

Waiting on reporter's reply, when Comment 5 is confirmed.

I don't have access to the machine I tested on anymore since it's returned to beaker. When I get a new machine, the timezone is EST and ipa-cacert-manage renew works. Is there any way I can change to EDT and try the workaround?

I can see in /var/log/pki/pki-tomcat/ca/debug on my system that the bypassCAvalidity=true option is properly passed to the CA, which means it should not check the validity, so this is not an IPA bug. Changing the component back to pki-core.

Where was the bypassCAnotafter=true set? Is this the same issue reported in https://bugzilla.redhat.com/show_bug.cgi?id=1150031 ? If so, please look in the bug for the workaround on how to set bypassCAnotafter=true properly. The time zone issue is separate though.

Per discussions in the RHEL 7.3 Triage meeting of 01/06/2016: priority medium

Upstream ticket: https://fedorahosted.org/pki/ticket/1721

Setting bypassCAnotafter to true will allow the new cert validity end date to go beyond the CA validity end date, and setting it to false will cause it not to go beyond the CA validity end date, but either way the parameter does not cause the renewal request to be rejected. The rejection is actually caused by a cert validity calculation bug as described in PKI ticket #1682 (https://fedorahosted.org/pki/ticket/1682).

Created attachment 1118564: pki-core-Fixed-mismatching-certificate-validity-calculation.patch

The problem has been fixed in master:

* 9193fe5191d1bd857b7e1f5a398c6a279b42ec84

Steps to verify:

1. Change the system date such that the CA certificate validity starts in standard time and ends in daylight saving time, for example:

```
$ timedatectl set-time 2015-10-26
```

2. Install IPA and verify the CA cert validity starts in standard time and ends in daylight saving time, for example:

```
$ pki cert-find
  Serial Number: 0x1
  Subject DN: CN=CA Signing Certificate,O=EXAMPLE
  Status: VALID
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Mon Oct 26 00:02:38 CET 2015
  Not Valid After: Fri Oct 26 01:02:38 CEST 2035
  Issued On: Mon Oct 26 00:02:38 CET 2015
  Issued By: system
```

3. Request a new CA certificate (or request a renewal), for example:

```
$ pki -c Secret123 client-init
$ pki -c Secret123 client-cert-request "cn=Certificate Authority" --profile caCACert
```

The "Request Status" should now show "pending" instead of "rejected".

Comment on attachment 1118564: pki-core-Fixed-mismatching-certificate-validity-calculation.patch

(1) Setup RHEL 7.2 VM, installed IPA, and ran the procedure in Comment #15; received 'Request Status: rejected'.

(2) Updated pki packages that had been built with this patch, and re-ran 'pki -c Secret123 client-cert-request "cn=Certificate Authority" --profile caCACert':

```
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 12
  Type: enrollment
  Request Status: pending
  Operation Result: success
```

pki-core-Fixed-mismatching-certificate-validity-calculation.patch:

Since this particular ticket is for RHEL 7.3 (awaiting a request for the RHEL 7.2 Z-Stream ticket), I checked and pushed this patch into the RHEL 7.3 Brew branch (but did not build since RHEL 7.3 will be based upon Dogtag 10.3 rather than 10.2.5) to allow this bug to be moved to MODIFIED:

```
commit 198b10b9eb3eb72f80fc7dd523ed74ef1303d4f5
Author: Matthew Harmsen <mharmsen>
Date:   Wed Feb 3 18:34:47 2016 -0700

    Resolves: rhbz #1277691

    - Bugzilla Bug #1277691 - ipa-cacert-manage renew failed with validity out of range [edewata]
```

Pushed to DOGTAG_10_2_RHEL_BRANCH:

```
commit 66c2a8d2b0d953b6dcec2a8ccefff689277cea2f
Author: Endi S. Dewata <edewata>
Date:   Sun Dec 20 21:46:56 2015 +0100

    Fixed mismatching certificate validity calculation.

    The CAValidityDefault has been modified to use Calendar API to
    calculate the certificate validity range to be consistent with
    the ValidityConstraint and ValidityDefault.

    https://fedorahosted.org/pki/ticket/1682

    (cherry picked from commit 05ee3265165f93b357ed17b47fe3f62f9b67ae8b)
```

NOTE: This patch is also contained in 'master', and will be overwritten when the re-base to 10.3.0 is performed.

(In reply to Matthew Harmsen from comment #20)
> pki-core-Fixed-mismatching-certificate-validity-calculation.patch:
>
> Since this particular ticket is for RHEL 7.3 (awaiting a request for the
> RHEL 7.2 Z-Stream ticket), I checked and pushed this patch into the RHEL 7.3
> Brew branch (but did not build since RHEL 7.3 will be based upon Dogtag 10.3
> rather than 10.2.5) to allow this bug to be moved to MODIFIED:
>
> commit 198b10b9eb3eb72f80fc7dd523ed74ef1303d4f5
> Author: Matthew Harmsen <mharmsen>
> Date: Wed Feb 3 18:34:47 2016 -0700
>
> Resolves: rhbz #1277691
>
> - Bugzilla Bug #1277691 - ipa-cacert-manage renew failed with validity
> out of range [edewata]

Moving back from MODIFIED --> POST

Verified on pki-ca-10.3.3-10.el7, ipa-server-4.4.0-11.el7:

```
[root@cloud-qe-14 ~]# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20160919154756':
    status: MONITORING
    subject: CN=CA Audit,O=TESTRELM.TEST
    expires: 2018-09-09 15:47:36 UTC
Request ID '20160919154757':
    status: MONITORING
    subject: CN=OCSP Subsystem,O=TESTRELM.TEST
    expires: 2018-09-09 15:47:34 UTC
Request ID '20160919154758':
    status: MONITORING
    subject: CN=CA Subsystem,O=TESTRELM.TEST
    expires: 2018-09-09 15:47:35 UTC
Request ID '20160919154759':
    status: MONITORING
    subject: CN=Certificate Authority,O=TESTRELM.TEST
    expires: 2036-09-19 15:47:31 UTC
Request ID '20160919154800':
    status: MONITORING
    subject: CN=IPA RA,O=TESTRELM.TEST
    expires: 2018-09-09 15:47:53 UTC
Request ID '20160919154801':
    status: MONITORING
    subject: CN=cloud-qe-14.testrelm.test,O=TESTRELM.TEST
    expires: 2018-09-09 15:47:35 UTC
Request ID '20160919154815':
    status: MONITORING
    subject: CN=cloud-qe-14.testrelm.test,O=TESTRELM.TEST
    expires: 2018-09-20 15:48:15 UTC
Request ID '20160919154837':
    status: MONITORING
    subject: CN=cloud-qe-14.testrelm.test,O=TESTRELM.TEST
    expires: 2018-09-20 15:48:37 UTC
[root@cloud-qe-14 ~]# date -s "710 day"
Fri Aug 31 09:40:04 EDT 2018
[root@cloud-qe-14 ~]# ipa-cacert-manage renew
Renewing CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful
You have new mail in /var/spool/mail/root
[root@cloud-qe-14 ~]# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20160919154756':
    status: MONITORING
    subject: CN=CA Audit,O=TESTRELM.TEST
    expires: 2020-08-20 13:40:27 UTC
Request ID '20160919154757':
    status: MONITORING
    subject: CN=OCSP Subsystem,O=TESTRELM.TEST
    expires: 2020-08-20 13:40:17 UTC
Request ID '20160919154758':
    status: MONITORING
    subject: CN=CA Subsystem,O=TESTRELM.TEST
    expires: 2020-08-20 13:40:57 UTC
Request ID '20160919154759':
    status: MONITORING
    subject: CN=Certificate Authority,O=TESTRELM.TEST
    expires: 2038-08-31 13:40:18 UTC
Request ID '20160919154800':
    status: MONITORING
    subject: CN=IPA RA,O=TESTRELM.TEST
    expires: 2020-08-20 13:40:37 UTC
Request ID '20160919154801':
    status: MONITORING
    subject: CN=cloud-qe-14.testrelm.test,O=TESTRELM.TEST
    expires: 2020-08-20 13:40:14 UTC
Request ID '20160919154815':
    status: MONITORING
    subject: CN=cloud-qe-14.testrelm.test,O=TESTRELM.TEST
    expires: 2020-08-31 13:40:35 UTC
Request ID '20160919154837':
    status: MONITORING
    subject: CN=cloud-qe-14.testrelm.test,O=TESTRELM.TEST
    expires: 2020-08-31 13:40:25 UTC
[root@cloud-qe-14 ~]# cat /var/log/pki/pki-tomcat/ca/debug | grep "Validity Out of Range"
[root@cloud-qe-14 ~]#
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2396.html

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days
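The Doc Text and the commit message above say the CA validity default computed the validity range differently from the validity constraint whenever a daylight-saving change fell inside the period, and that the fix moved the default onto calendar arithmetic. The script below is an added example, written for this page and not code from the page, Dogtag or IPA: it reproduces the two calculations on the dates from the verification steps (issued Mon Oct 26 00:02:38 CET 2015, a 7305-day range). It assumes, as a simplified model, that the old default did absolute-time arithmetic (epoch milliseconds plus days times 86400000) while the constraint used calendar-day arithmetic; the exact comparison in Dogtag is not on the page. The CET/CEST time zone is hand-written from the EU rule so the script runs without tzdata.

```python
from datetime import date, datetime, time, timedelta, tzinfo


class CentralEuropean(tzinfo):
    """CET/CEST under EU rules: DST from the last Sunday of March 01:00 UTC
    to the last Sunday of October 01:00 UTC. Hand-written (a simplified
    model, not a tzdata zone) so the example needs no tzdata files."""

    STANDARD = timedelta(hours=1)

    @staticmethod
    def _last_sunday(year, month):
        d = date(year, month, 31)  # March and October both have 31 days
        return d - timedelta(days=(d.weekday() + 1) % 7)

    def _dst_window(self, year):
        start = datetime.combine(self._last_sunday(year, 3), time(2, 0))  # 02:00 CET
        end = datetime.combine(self._last_sunday(year, 10), time(3, 0))   # 03:00 CEST
        return start, end

    def dst(self, dt):
        if dt is None:
            return timedelta(0)
        start, end = self._dst_window(dt.year)
        inside = start <= dt.replace(tzinfo=None) < end
        return timedelta(hours=1) if inside else timedelta(0)

    def utcoffset(self, dt):
        return self.STANDARD + self.dst(dt)

    def tzname(self, dt):
        return "CEST" if self.dst(dt) else "CET"


CET = CentralEuropean()
DAY_MS = 24 * 60 * 60 * 1000


def not_after_fixed_duration(not_before, days):
    """Absolute-time arithmetic: notBefore in epoch ms + days * 86400000 ms,
    converted back to local time. When the range crosses a DST change the
    wall-clock time lands one hour off (assumed model of the old default)."""
    epoch_ms = int(not_before.timestamp() * 1000) + days * DAY_MS
    return datetime.fromtimestamp(epoch_ms / 1000, tz=not_before.tzinfo)


def not_after_calendar(not_before, days):
    """Calendar arithmetic: the same wall-clock time `days` calendar days later,
    with the UTC offset re-resolved for that date. Python's aware datetime +
    timedelta already behaves this way, like adding to a day field in Java's
    Calendar API (the approach the fix adopted)."""
    return not_before + timedelta(days=days)


def validity_status(not_before, requested_not_after, max_days):
    """Simplified range check (assumption, not Dogtag's implementation): the
    upper bound is computed with calendar arithmetic, and a request whose
    notAfter lies past it is rejected with the message grepped for above."""
    limit = not_after_calendar(not_before, max_days)
    if requested_not_after <= limit:
        return "pending"
    return "rejected: Validity Out of Range"


def fmt(dt):
    """Same layout as the pki cert-find output on the page."""
    return dt.strftime("%a %b %d %H:%M:%S %Z %Y")


def demo():
    # Constructed from the page's example: CA cert issued 2015-10-26 in CET with
    # a 20-year range (7305 days, five leap days included) that ends in CEST.
    not_before = datetime(2015, 10, 26, 0, 2, 38, tzinfo=CET)
    days = 7305
    fixed = not_after_fixed_duration(not_before, days)
    calendar = not_after_calendar(not_before, days)
    return {
        "not_before": fmt(not_before),
        "fixed_duration": fmt(fixed),
        "calendar": fmt(calendar),
        "skew_seconds": int((fixed - calendar).total_seconds()),
        "fixed_status": validity_status(not_before, fixed, days),
        "calendar_status": validity_status(not_before, calendar, days),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run stand-alone, the script shows the absolute-time result as Fri Oct 26 01:02:38 CEST 2035, exactly the Not Valid After value in the verification steps, while calendar arithmetic gives 00:02:38 CEST; the one-hour skew is what pushes the first value past a calendar-computed limit. A practical check on a live CA is the one the verifier used: grep the CA debug log for "Validity Out of Range" after a renewal that spans a DST boundary.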