Bug 1286651

Summary: IPA certificate auto renewal fail with SSL_ERROR_EXPIRED_CERT_ALERT
Product: Red Hat Enterprise Linux 7
Reporter: Abhijeet Kasurde <akasurde>
Component: ipa
Assignee: Petr Vobornik <pvoborni>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Priority: unspecified
Version: 7.2
CC: akasurde, frenaud, pvoborni, rcritten
Target Milestone: rc
Flags: akasurde: needinfo-
Hardware: Unspecified
OS: Unspecified
Last Closed: 2017-12-12 17:32:48 UTC
Type: Bug
Attachments (description, flags):
getcert_console.log, none
PKI_CA_LOG, none
console.log, none

Description Abhijeet Kasurde 2015-11-30 12:10:03 UTC
Created attachment 1100493
getcert_console.log

Description of problem:
While verifying BZ1277696, I encountered the following error:

[root@dhcp201-135 ~]# getcert list | egrep "status|expires|Request|subject|ca-error"

<snip>
Request ID '20151130092850':
	status: CA_UNREACHABLE
	ca-error: Server at https://dhcp201-135.testrelm.test/ipa/xml failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https://dhcp201-135.testrelm.test:443/ca/eeca/ca/profileSubmitSSLClient': (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
	subject: CN=dhcp201-135.testrelm.test,O=TESTRELM.TEST
	expires: 2025-09-07 11:07:45 UTC

</snip>

Version-Release number of selected component (if applicable):
ipa-server-4.2.0-15.el7_2.3.x86_64


Steps to Reproduce:
1. Install IPA server
2. Change the system date closer to the expiry date
3. Check the "getcert list" output

Comment 1 Abhijeet Kasurde 2015-11-30 12:10:48 UTC
Created attachment 1100494
PKI_CA_LOG

Comment 2 Petr Vobornik 2015-12-07 21:52:59 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5522

Comment 3 Petr Vobornik 2017-04-06 16:39:12 UTC
I'm considering closing this bug. Is it still present?

Comment 4 Abhijeet Kasurde 2017-04-07 06:21:44 UTC
(In reply to Petr Vobornik from comment #3)
> I'm considering closing this bug. Is it still present?

I am able to reproduce this issue on IPA version ipa-server-4.5.0-5.el7.x86_64


Please find the attachment for console.log.

Comment 5 Abhijeet Kasurde 2017-04-07 06:23:41 UTC
Created attachment 1269572
console.log