Bug 1660877
| Summary: | kinit is failing due to overflow in Root CA certificate's timestamp | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Mohammad Rizwan <myusuf> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 8.0 | CC: | abokovoy, cheimes, ftweedal, ksiddiqu, mpolovka, myusuf, pasik, pvoborni, rcritten, rharwood, ssidhaye, tscherf |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.9.1-1 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-05-18 15:47:45 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Mohammad Rizwan
2018-12-19 13:31:00 UTC
I added a link to https://pagure.io/freeipa/issue/7827 FreeIPA issue to cap the root CA lifetime before we get to fix all issues.

Mohammad, where can I see the test output and/or the details of the ipa-autorenewcert program? Can you please clarify the issue: does it occur *now*, when the CA certificate has a >=Y2038 expiry, or does it occur only when the system time is >=Y2038 (i.e. system time has been advanced to trigger renewal)?

It occurs when the system date goes to 2038.

Is MIT KRB5's pkinit implementation Y2038 safe?

> Is MIT KRB5's pkinit implementation Y2038 safe?
We think the krb5 tree is y2038 safe (though note that the IPA KDB isn't). I don't know of a reason why our pkinit wouldn't be - we're mostly relying on openssl and opensc-pkcs11.
This should be addressed with FreeIPA 4.9.0 by upstream commit 18721cc83035359a2f7d49cfe09e7f4b1376b090

Verified using ipa-server-4.9.1-1.module+el8.4.0+9665+c9815399.x86_64 in RHEL8.4 nightly build.
local: 100605052034
soonest: 2034-10-13 01:05:12
latest: 2041-02-02 15:05:42
resubmit: 0
certs: {'20210202100657': {'nickname': '20210202100657', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2167585541'}, '20210202100702': {'nickname': '20210202100702', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2167585515'}, '20210202100705': {'nickname': '20210202100705', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2167585524'}, '20210202100706': {'nickname': '20210202100706', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2167585534'}, '20210202100707': {'nickname': '20210202100707', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2243430342'}, '20210202100708': {'nickname': '20210202100708', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2167585514'}, '20210202100714': {'nickname': '20210202100714', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2168535930'}, '20210202100755': {'nickname': '20210202100755', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2168535917'}, '20210202100805': {'nickname': '20210202100805', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2168535910'}}
current: 2036-09-18 14:05:00
local: 091814052036
soonest: 2036-09-25 10:05:10
latest: 2041-02-02 15:05:42
resubmit: 0
certs: {'20210202100657': {'nickname': '20210202100657', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2229221112'}, '20210202100702': {'nickname': '20210202100702', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2229221174'}, '20210202100705': {'nickname': '20210202100705', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2229221144'}, '20210202100706': {'nickname': '20210202100706', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2229221134'}, '20210202100707': {'nickname': '20210202100707', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2243430342'}, '20210202100708': {'nickname': '20210202100708', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2229221114'}, '20210202100714': {'nickname': '20210202100714', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2230171589'}, '20210202100755': {'nickname': '20210202100755', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2230171524'}, '20210202100805': {'nickname': '20210202100805', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2230171507'}}
current: 2038-09-01 23:05:00
local: 090123052038
soonest: 2038-09-08 19:05:14
latest: 2041-02-02 15:05:42
resubmit: 0
certs: {'20210202100657': {'nickname': '20210202100657', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2243430342'}, '20210202100702': {'nickname': '20210202100702', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2243430342'}, '20210202100705': {'nickname': '20210202100705', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2243430342'}, '20210202100706': {'nickname': '20210202100706', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2243430342'}, '20210202100707': {'nickname': '20210202100707', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2243430342'}, '20210202100708': {'nickname': '20210202100708', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2243430342'}, '20210202100714': {'nickname': '20210202100714', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2243430342'}, '20210202100755': {'nickname': '20210202100755', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2243430342'}, '20210202100805': {'nickname': '20210202100805', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2243430342'}}
current: 2040-08-15 08:05:00
local: 081508052040
soonest: 2040-08-22 04:05:12
latest: 2041-02-02 15:05:42
resubmit: 0
certs: {'20210202100657': {'nickname': '20210202100657', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2305501510'}, '20210202100702': {'nickname': '20210202100702', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2305501534'}, '20210202100705': {'nickname': '20210202100705', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2305501564'}, '20210202100706': {'nickname': '20210202100706', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2305501604'}, '20210202100707': {'nickname': '20210202100707', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2874013524'}, '20210202100708': {'nickname': '20210202100708', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2305501565'}, '20210202100714': {'nickname': '20210202100714', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2306451916'}, '20210202100755': {'nickname': '20210202100755', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2306451913'}, '20210202100805': {'nickname': '20210202100805', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2306451906'}}
current: 2041-01-31 20:05:00
local: 013120052041
soonest: 2041-02-02 15:05:42
latest: 2041-02-02 15:05:42
resubmit: 0
The full test log is attached to this BZ. The log shows an expected failure, as the test code was not adjusted at the time of verification.
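The bug boils down to a certificate notAfter value that does not fit in a signed 32-bit time_t once it passes 2038-01-19 03:14:07 UTC. The following is an added example (not code from the bug, from FreeIPA or from the test suite) that parses `certs:` lines in the shape of the verification output above, flags every certificate whose `not-valid-after` epoch exceeds the 32-bit limit, and shows the (wrong, pre-1970) date such a value would turn into if it were stored in a 32-bit time_t. The `SAMPLE_CERTS_LINE` is constructed for the example: two entries reuse nicknames and epoch values from the log above, the `pre2038` entry is made up.

```python
import ast
import datetime

# Largest value a signed 32-bit time_t can hold: 2038-01-19 03:14:07 UTC.
INT32_MAX = 2**31 - 1

# Constructed sample line in the shape of the 'certs:' lines in the
# verification log; the 'pre2038' nickname and its value are made up.
SAMPLE_CERTS_LINE = (
    "certs: {"
    "'20210202100657': {'nickname': '20210202100657', 'status': 'MONITORING', "
    "'ca-error': 'None', 'not-valid-after': '2167585541'}, "
    "'20210202100707': {'nickname': '20210202100707', 'status': 'MONITORING', "
    "'ca-error': 'None', 'not-valid-after': '2243430342'}, "
    "'pre2038': {'nickname': 'pre2038', 'status': 'MONITORING', "
    "'ca-error': 'None', 'not-valid-after': '1893456000'}}"
)


def parse_certs_line(line):
    """Parse a 'certs: {...}' log line into {nickname: not-valid-after epoch seconds}."""
    prefix = "certs:"
    if not line.startswith(prefix):
        raise ValueError("expected a line starting with 'certs:'")
    # The payload is a Python dict literal; literal_eval parses it without
    # executing anything, unlike eval().
    data = ast.literal_eval(line[len(prefix):].strip())
    return {nick: int(info["not-valid-after"]) for nick, info in data.items()}


def epoch_to_utc(epoch):
    """Format epoch seconds as a UTC timestamp. Adding a timedelta to the epoch
    origin also handles negative values, which fromtimestamp() rejects on some
    platforms."""
    base = datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)
    return (base + datetime.timedelta(seconds=epoch)).strftime("%Y-%m-%d %H:%M:%S")


def wrap_int32(epoch):
    """Reinterpret an epoch value the way a signed 32-bit time_t would store it:
    anything above INT32_MAX wraps to a negative number, i.e. a date before 1970."""
    low = epoch & 0xFFFFFFFF
    return low - 2**32 if low > INT32_MAX else low


def find_y2038_unsafe(expiries):
    """Return {nickname: (real_expiry, wrapped_expiry)} for every certificate
    whose notAfter does not fit in a signed 32-bit time_t."""
    return {nick: (epoch, wrap_int32(epoch))
            for nick, epoch in expiries.items() if epoch > INT32_MAX}


if __name__ == "__main__":
    expiries = parse_certs_line(SAMPLE_CERTS_LINE)
    for nick, (real, wrapped) in find_y2038_unsafe(expiries).items():
        print(f"{nick}: notAfter {epoch_to_utc(real)} UTC would read as "
              f"{epoch_to_utc(wrapped)} through a 32-bit time_t")
```

Run against the sample line, the two renewed certificates are reported as unsafe and the constructed 2030 expiry is not. The wrapped dates land in 1902, which is the kind of value that makes a validity check conclude the certificate is not yet valid or has long expired, and hence makes kinit (PKINIT) fail once the clock or the certificate passes 2038.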
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:1846