
Bug 1601959

Summary: IPA certificate auto renewal failed at CA_UNREACHABLE
Product: Red Hat Enterprise Linux 7
Component: ipa
Version: 7.6
Status: CLOSED DUPLICATE
Severity: unspecified
Priority: unspecified
Reporter: Xiyang Dong <xdong>
Assignee: IPA Maintainers <ipa-maint>
QA Contact: ipa-qe <ipa-qe>
CC: pvoborni, rcritten, tscherf
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Last Closed: 2018-07-17 15:09:10 UTC
Type: Bug
Attachments:
/var/log/audit/audit.log
/var/log/pki/pki-tomcat/ca/debug
/var/log/messages
audit2why
ausearch

Description Xiyang Dong 2018-07-17 14:42:24 UTC
Description of problem:
IPA certificate auto renewal failed at CA_UNREACHABLE 

Version-Release number of selected component (if applicable):
# rpm -qa ipa-server certmonger selinux-policy
selinux-policy-3.13.1-207.el7.noarch
certmonger-0.78.4-6.el7.x86_64
ipa-server-4.6.4-2.el7.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Install ipa server
2. Change date to close to cert expiration
3. Sleep 15 mins
4. Check cert status

Actual results:
Autorenew cert failed at: 
	status: CA_UNREACHABLE
	ca-error: Internal error
Expected results:
Certs renewed successfully
Additional info:
# date
Tue Jul 17 10:09:49 EDT 2018
# kinit admin
Password for admin:
# ipa cert-show 1
  Issuing CA: ipa
  Certificate: [omitted]
  Subject: CN=Certificate Authority,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Tue Jul 17 14:05:39 2018 UTC
  Not After: Sat Jul 17 14:05:39 2038 UTC
  Serial number: 1
  Serial number (hex): 0x1
  Revoked: False
# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20180717140559':
	status: MONITORING
	subject: CN=IPA RA,O=TESTRELM.TEST
	expires: 2020-07-06 14:05:59 UTC
Request ID '20180717140613':
	status: MONITORING
	subject: CN=CA Audit,O=TESTRELM.TEST
	expires: 2020-07-06 14:05:39 UTC
Request ID '20180717140614':
	status: MONITORING
	subject: CN=OCSP Subsystem,O=TESTRELM.TEST
	expires: 2020-07-06 14:05:39 UTC
Request ID '20180717140615':
	status: MONITORING
	subject: CN=CA Subsystem,O=TESTRELM.TEST
	expires: 2020-07-06 14:05:39 UTC
Request ID '20180717140616':
	status: MONITORING
	subject: CN=Certificate Authority,O=TESTRELM.TEST
	expires: 2038-07-17 14:05:39 UTC
Request ID '20180717140617':
	status: MONITORING
	subject: CN=host-8-249-122.testrelm.test,O=TESTRELM.TEST
	expires: 2020-07-06 14:05:39 UTC
Request ID '20180717140631':
	status: MONITORING
	subject: CN=host-8-249-122.testrelm.test,O=TESTRELM.TEST
	expires: 2020-07-17 14:06:31 UTC
Request ID '20180717140655':
	status: MONITORING
	subject: CN=host-8-249-122.testrelm.test,O=TESTRELM.TEST
	expires: 2020-07-17 14:06:55 UTC
Request ID '20180717140706':
	status: MONITORING
	subject: CN=host-8-249-122.testrelm.test,O=TESTRELM.TEST
	expires: 2020-07-17 14:07:07 UTC
# date -s "715 days";sleep 900;date
Wed Jul  1 10:10:29 EDT 2020
Wed Jul  1 10:25:29 EDT 2020
# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20180717140559':
	status: CA_UNREACHABLE
	ca-error: Internal error
	subject: CN=IPA RA,O=TESTRELM.TEST
	expires: 2020-07-06 14:05:59 UTC
Request ID '20180717140613':
	status: CA_UNREACHABLE
	ca-error: Internal error
	subject: CN=CA Audit,O=TESTRELM.TEST
	expires: 2020-07-06 14:05:39 UTC
Request ID '20180717140614':
	status: CA_UNREACHABLE
	ca-error: Internal error
	subject: CN=OCSP Subsystem,O=TESTRELM.TEST
	expires: 2020-07-06 14:05:39 UTC
Request ID '20180717140615':
	status: CA_UNREACHABLE
	ca-error: Internal error
	subject: CN=CA Subsystem,O=TESTRELM.TEST
	expires: 2020-07-06 14:05:39 UTC
Request ID '20180717140616':
	status: MONITORING
	subject: CN=Certificate Authority,O=TESTRELM.TEST
	expires: 2038-07-17 14:05:39 UTC
Request ID '20180717140617':
	status: CA_UNREACHABLE
	ca-error: Internal error
	subject: CN=host-8-249-122.testrelm.test,O=TESTRELM.TEST
	expires: 2020-07-06 14:05:39 UTC
Request ID '20180717140631':
	status: MONITORING
	subject: CN=host-8-249-122.testrelm.test,O=TESTRELM.TEST
	expires: 2022-07-02 14:22:50 UTC
Request ID '20180717140655':
	status: MONITORING
	subject: CN=host-8-249-122.testrelm.test,O=TESTRELM.TEST
	expires: 2022-07-02 14:22:40 UTC
Request ID '20180717140706':
	status: MONITORING
	subject: CN=host-8-249-122.testrelm.test,O=TESTRELM.TEST
	expires: 2022-07-02 14:22:30 UTC
# kinit admin
Password for admin: 
Password expired.  You must change it now.
Enter new password: 
Enter it again:
# ipa cert-show 1
  Issuing CA: ipa
  Certificate: [omitted]
  Subject: CN=Certificate Authority,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Tue Jul 17 14:05:39 2018 UTC
  Not After: Sat Jul 17 14:05:39 2038 UTC
  Serial number: 1
  Serial number (hex): 0x1
  Revoked: False

Comment 2 Xiyang Dong 2018-07-17 14:51:53 UTC
Created attachment 1459441
/var/log/audit/audit.log

Comment 3 Xiyang Dong 2018-07-17 14:52:37 UTC
Created attachment 1459442
/var/log/pki/pki-tomcat/ca/debug

Comment 4 Xiyang Dong 2018-07-17 14:53:09 UTC
Created attachment 1459443
/var/log/messages

Comment 5 Xiyang Dong 2018-07-17 14:54:08 UTC
Created attachment 1459444
audit2why

Comment 6 Xiyang Dong 2018-07-17 14:54:32 UTC
Created attachment 1459445
ausearch

Comment 7 Rob Crittenden 2018-07-17 15:09:10 UTC

*** This bug has been marked as a duplicate of bug 1596161 ***
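
A triage helper for the `getcert list` output shown in the description, as an added example that is not part of the original report or of certmonger/IPA: it reports every tracking request that has left the MONITORING state or that expires at or before a chosen cutoff. The function names, the pipe-separated output format and the cutoff value are assumptions; the sample stanzas are copied from the report's second listing with indentation written as spaces.

```shell
#!/bin/sh
# flag_requests CUTOFF: read `getcert list` output on stdin and print
# id|status|ca-error|expires|subject|reason for each request that is not in
# MONITORING state or expires at or before CUTOFF ("YYYY-MM-DD HH:MM:SS", UTC).
flag_requests() {
    awk -v cutoff="$1" '
        function emit(   reason) {
            if (id == "") return
            if (status != "MONITORING") reason = "status"
            # Same-format UTC timestamps compare correctly as strings.
            if (expires != "" && (expires "") <= (cutoff ""))
                reason = reason (reason == "" ? "" : "+") "expiry"
            if (reason != "")
                printf "%s|%s|%s|%s|%s|%s\n", id, status, caerr, expires, subject, reason
        }
        function value(   v) { v = $0; sub(/^[^:]*:[ \t]*/, "", v); return v }
        /^Request ID / {
            emit()
            id = $0; sub(/^Request ID ./, "", id); sub(/.:[ \t]*$/, "", id)
            status = caerr = expires = subject = ""
        }
        /^[ \t]+status:/   { status  = value() }
        /^[ \t]+ca-error:/ { caerr   = value() }
        /^[ \t]+subject:/  { subject = value() }
        /^[ \t]+expires:/  { expires = value(); sub(/ UTC$/, "", expires) }
        END { emit() }
    '
}
# Three stanzas copied from the second listing in the report.
sample_listing() {
    cat <<'EOF'
Request ID '20180717140559':
    status: CA_UNREACHABLE
    ca-error: Internal error
    subject: CN=IPA RA,O=TESTRELM.TEST
    expires: 2020-07-06 14:05:59 UTC
Request ID '20180717140616':
    status: MONITORING
    subject: CN=Certificate Authority,O=TESTRELM.TEST
    expires: 2038-07-17 14:05:39 UTC
Request ID '20180717140631':
    status: MONITORING
    subject: CN=host-8-249-122.testrelm.test,O=TESTRELM.TEST
    expires: 2022-07-02 14:22:50 UTC
EOF
}

# Assumed cutoff: about four weeks past the adjusted clock in the report.
sample_listing | flag_requests "2020-07-29 00:00:00"
```

On a live server the same function takes `getcert list` on stdin directly; lines it does not recognise are ignored, so the `egrep` filter used in the report is not needed.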