Bug 1690191

Summary: [RFE] Offline Certificate Renewal System
Product: Red Hat Enterprise Linux 7
Reporter: Fraser Tweedale <ftweedal>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: urgent
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: urgent
Version: 7.4
CC: aakkiang, afarley, alee, arubin, cfu, cheimes, cpelland, dmoluguw, edewata, fcami, frenaud, ftweedal, ipa-maint, jmagne, mharmsen, mrhodes, myusuf, ndehadra, nkinder, pasik, phybl, pvoborni, rcritten, tmihinto, tscherf, wburrows
Target Milestone: rc
Keywords: FutureFeature
Target Release: 7.7
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.6.5-2.el7
Doc Type: Enhancement
Doc Text:
.IdM now supports renewing expired system certificates when the server is offline

With this enhancement, administrators can renew expired system certificates when Identity Management (IdM) is offline. When a system certificate expires, IdM fails to start. The new `ipa-cert-fix` command replaces the workaround to manually set the date back to proceed with the renewal process. As a result, the downtime and support costs reduce in the mentioned scenario.
Story Points: ---
Clone Of: 1468348
Environment:
Last Closed: 2019-08-06 13:09:37 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1468348, 1696849
Bug Blocks: 1472344, 1550132, 1644708, 1647919, 1669257

Description Fraser Tweedale 2019-03-19 00:57:45 UTC
+++ This bug was initially created as a clone of Bug #1468348 +++

Current scenario:

    When a system certificate expires, we need to roll back the date to a valid range
    and start the renewal process.

Proposed Solution:

    An offline tool which creates temporary certificates to bring up the server,
    and using which we can proceed with the online renewal process.

Related wiki:

    * http://pki.fedoraproject.org/wiki/Offline_System_Certificate_Renewal

--- Additional comment from Red Hat Bugzilla Rules Engine on 2017-07-06 19:09:55 UTC ---

Since this bug report was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.

--- Additional comment from Matthew Harmsen on 2017-08-04 00:18:50 UTC ---

Moving to 7.5 due to decision to delay CC until RHEL 7.5 / RHCS 9.3.

--- Additional comment from Matthew Harmsen on 2017-08-31 18:15:59 UTC ---



--- Additional comment from Matthew Harmsen on 2017-09-26 17:32:44 UTC ---



--- Additional comment from Matthew Harmsen on 2017-09-26 17:48:25 UTC ---

Ade needs to discuss this ticket with Dinesh to determine its priority for RHEL 7.5.

(1) mark https://pagure.io/dogtagpki/issue/2776 with appropriate priority;
(2) if blocker, set "blocker ?" ACK on RHEL bug
(3) add BLOCKER, CRITICAL, or MAJOR to Devel Whiteboard

--- Additional comment from Matthew Harmsen on 2017-10-25 16:33:04 UTC ---

[20171025] - RHEL 7.5 / RHCS 9.3 pre-Alpha Offline Triage ==> 7.6

--- Additional comment from PnT Account Manager on 2018-02-06 22:44:15 UTC ---

Employee 'dmoluguw' has left the company.

--- Additional comment from Chris Williams on 2018-05-01 22:10:20 UTC ---

This Bugzilla has been added to the Release Priority List for RHEL 7.6. It is not a guarantee it will make 7.6. Instead, Engineering, Product Management, QE and CEE have all agreed that this BZ should be addressed in 7.6 and every effort will be made to ensure this BZ makes the release. Please reach out to Chris Williams (cww) or senior members of your SBR if you have any questions.

--- Additional comment from Matthew Harmsen on 2018-05-05 00:18:43 UTC ---

Per RHEL 7.5.z/7.6/8.0 Triage:  7.6 (RPL Candidate)

--- Additional comment from Matthew Harmsen on 2018-06-18 15:54:48 UTC ---

This bug is being moved to RHEL 7.7 due to lack of development resources.

While mkosek, nkinder, ftweedal, cheimes, and mharmsen attempted numerous venues to try to come up with a workable solution in the RHEL 7.6 time frame, all of these efforts wound up being defeated by a simple lack of resources and a consensus decision that precedence should be given to RHEL 8 over RHEL 7.6 based upon existing resources.

On a final note, mkosek proposed the following:

But maybe, as mitigation, we could come up instead with improving the renew procedure instead of building the tool? The goal is to make the renewal process for Support and our customers easier, as noted in https://projects.engineering.redhat.com/browse/FREEIPA-821, so even documentation/process improvements count (if that is what Dinesh could do).

As a consequence of this proposal, although I am re-assigning this particular bug to RHEL 7.7, I am also changing the assignee back to dmoluguw.

--- Additional comment from Dinesh Prasanth on 2018-11-14 15:31:57 UTC ---

This tool is now available in master (10.6). However, it is a little hard to backport to 10.5.

After talking to @ftweedal, he has created a JIRA ticket [1] to track the requirement to backport this tool to RHEL7.x/10.5.

[1] https://projects.engineering.redhat.com/browse/FREEIPA-2124

--- Additional comment from Fraser Tweedale on 2019-03-18 04:55:40 UTC ---

How to test: https://github.com/dogtagpki/pki/pull/183#issue-261388269

Comment 6 Dinesh Prasanth 2019-05-13 15:15:50 UTC
Hi Marc,

Please see the updated doc field. I'm adding Fraser to review since he wrote the `ipa-cert-fix` wrapper.

.IdM now supports renewing expired system certificates when the server is offline

With this enhancement, administrators can renew expired system certificates when Identity Management (IdM) is offline. When a system certificate expires, IdM fails to start. The new `ipa-cert-fix` command, which is an IdM-specific wrapper against `pki-server cert-fix`, replaces the workaround to manually set the date back to proceed with the renewal process. As a result, the downtime and support costs reduce in the mentioned scenario.
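As an added illustration (not code from the bug report, IdM or Dogtag) of the situation the doc text describes: a small check over constructed `getcert list` output that tells apart the offline case, where a certificate in the CA's own NSS database has expired so pki-tomcat cannot start and `ipa-cert-fix` is the tool to reach for, from ordinary expiries that can still be renewed online. It assumes the default Dogtag NSS database path `/etc/pki/pki-tomcat/alias`; the sample output and the function names are mine.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `getcert list` output (not taken from the bug report):
# one Dogtag CA subsystem cert in the pki-tomcat NSS DB and one HTTP cert.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20190101000001':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=CA Audit,O=EXAMPLE.COM
\texpires: 2019-03-01 00:00:00 UTC
Request ID '20190101000002':
\tstatus: MONITORING
\tcertificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
\tCA: IPA
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 2021-03-01 00:00:00 UTC
"""

PKI_TOMCAT_ALIAS = "/etc/pki/pki-tomcat/alias"  # assumed Dogtag CA NSS DB path

def _utc(ts):
    """Parse 'YYYY-MM-DD HH:MM:SS' as a timezone-aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def parse_getcert_list(text):
    """Split `getcert list` output into one dict of fields per tracking request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and line.startswith("\t"):
            key, _, value = line.strip().partition(": ")
            current[key] = value
    return requests

def assess_renewal(text, now_utc=None):
    """Classify expired certs. An expired cert in the CA's own NSS DB means
    pki-tomcat cannot start, so online renewal is impossible: that is the
    offline case ipa-cert-fix targets. Other expiries can be resubmitted."""
    now = _utc(now_utc) if now_utc else datetime.now(timezone.utc)
    expired = [r for r in parse_getcert_list(text)
               if _utc(r["expires"].rsplit(" ", 1)[0]) <= now]
    ca_offline = any(PKI_TOMCAT_ALIAS in r.get("certificate", "") for r in expired)
    action = "ipa-cert-fix" if ca_offline else ("getcert resubmit" if expired else "none")
    return {"expired_ids": [r["id"] for r in expired], "needs_offline_fix": ca_offline, "action": action}
```

Run it against real `getcert list` output with `now_utc` left unset; the reference time is a parameter only so the classification can be checked against fixed dates.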

Comment 8 Mohammad Rizwan 2019-05-15 07:24:01 UTC
Identified tier1 test passed. Based on observation in comment#7, marking the bug verified.

Comment 14 errata-xmlrpc 2019-08-06 13:09:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2241

Comment 18 Red Hat Bugzilla 2023-09-18 00:15:40 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days