Bug 1780317
| Summary: | ipa-cert-fix: False Positive Status for cert renewal. | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Deepak Das <ddas> |
| Component: | ipa | Assignee: | Florence Blanc-Renaud <frenaud> |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | high | Docs Contact: | |
| Priority: | medium | | |
| Version: | 8.1 | CC: | frenaud, ftweedal, myusuf, pcech, rcritten, ssidhaye, tscherf, twoerner |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.0 | Flags: | pm-rhel: mirror+ |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | idm-client-8050020210701113027.de73ecb2 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-11-09 18:21:19 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Based on a further check, it seems that even after ipa-cert-fix gives a success message, it still takes another few minutes for the status of the certificates on the server in "getcert list" to be updated, hence causing confusion.

[root@master ~]# date
Thu Aug 14 17:01:22 EDT 2025
[root@master ~]# getcert list|grep -e expire -e certificate:
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
expires: 2027-08-04 16:54:38 EDT
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2027-08-04 16:53:36 EDT
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2027-08-04 16:53:57 EDT
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
expires: 2027-08-04 16:54:07 EDT
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2039-12-05 10:19:25 EST
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
expires: 2027-08-04 16:54:00 EDT
certificate: type=NSSDB,location='/etc/dirsrv/slapd-TESTREALM-TEST',nickname='Server-Cert',token='NSS Certificate DB'
expires: 2027-08-15 16:53:41 EDT
certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
expires: 2027-08-15 16:53:51 EDT
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
expires: 2027-08-15 16:53:32 EDT

Indeed, Certmonger does not notice the updated certificates straight away. So, rather than ipa-cert-fix output being a false positive, it is getcert output that is a false negative. I will leave this open. We should probably at least make a note of this in the man page or something, so let's consider this a doc bug :)

Upstream ticket: https://pagure.io/freeipa/issue/8702

Fixed upstream
master:
5509e00 ipa-cert-fix man page: add note about certmonger renewal
ipa-4-9:
06a445a ipa-cert-fix man page: add note about certmonger renewal
version:
ipa-server-4.9.5-1.module+el8.5.0+11410+91a33fe4.x86_64
ipa-server-dns-4.9.5-1.module+el8.5.0+11410+91a33fe4.noarch
[root@master cloud-user]# ipa-cert-fix -v
[..]
ipapython.ipautil: DEBUG: stdout=Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipapython.ipautil: DEBUG: stderr=ipa: INFO: The ipactl command was successful
Note: Monitor the certmonger-initiated renewal of
certificates after ipa-cert-fix and wait for its completion before
any other administrative task.
ipapython.admintool: INFO: The ipa-cert-fix command was successful
[root@master cloud-user]# man ipa-cert-fix
[..]
Important note: the certmonger daemon does not immediately notice the updated certificates and may trigger a renewal
after ipa-cert-fix completes. As a consequence, getcert list output may display that a renewal is in progress even
if ipa-cert-fix just finished. It is recommended to monitor the certmonger-initiated renewal and wait for its
completion before any other administrative task.
[..]
The note about waiting for certmonger is displayed in the command output as well as in the man page. Hence marking the bug as verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (ipa bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4230
Description of problem:

[root@master ~]# getcert list|grep -e expire -e certificate:
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
expires: 2021-11-24 10:20:04 EST
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2021-11-24 10:19:26 EST
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2021-11-24 10:19:26 EST
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
expires: 2021-11-24 10:19:26 EST
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2039-12-05 10:19:25 EST
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
expires: 2021-11-24 10:19:26 EST
certificate: type=NSSDB,location='/etc/dirsrv/slapd-TESTREALM-TEST',nickname='Server-Cert',token='NSS Certificate DB'
expires: 2021-12-05 10:20:58 EST
certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
expires: 2021-12-05 10:21:24 EST
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
expires: 2021-12-05 10:21:38 EST
[root@master ~]# hwclock --set --date="2025-08-14 16:45:05"
[root@master ~]# hwclock --hctosys; date
Thu Aug 14 16:45:10 EDT 2025
[root@master ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@master ~]# date
Thu Aug 14 16:47:48 EDT 2025
[root@master ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@master ~]# ipa-cert-fix

                          WARNING

ipa-cert-fix is intended for recovery when expired certificates
prevent the normal operation of FreeIPA.  It should ONLY be used
in such scenarios, and backup of the system, especially certificates
and keys, is STRONGLY RECOMMENDED.

The following certificates will be renewed:

Dogtag sslserver certificate:
  Subject: CN=master.testrealm.test,O=TESTREALM.TEST
  Serial:  3
  Expires: 2021-11-24 15:19:26

Dogtag subsystem certificate:
  Subject: CN=CA Subsystem,O=TESTREALM.TEST
  Serial:  4
  Expires: 2021-11-24 15:19:26

Dogtag ca_ocsp_signing certificate:
  Subject: CN=OCSP Subsystem,O=TESTREALM.TEST
  Serial:  2
  Expires: 2021-11-24 15:19:26

Dogtag ca_audit_signing certificate:
  Subject: CN=CA Audit,O=TESTREALM.TEST
  Serial:  5
  Expires: 2021-11-24 15:19:26

IPA IPA RA certificate:
  Subject: CN=IPA RA,O=TESTREALM.TEST
  Serial:  7
  Expires: 2021-11-24 15:20:04

IPA Apache HTTPS certificate:
  Subject: CN=master.testrealm.test,O=TESTREALM.TEST
  Serial:  9
  Expires: 2021-12-05 15:21:24

IPA LDAP certificate:
  Subject: CN=master.testrealm.test,O=TESTREALM.TEST
  Serial:  8
  Expires: 2021-12-05 15:20:58

IPA KDC certificate:
  Subject: CN=master.testrealm.test,O=TESTREALM.TEST
  Serial:  10
  Expires: 2021-12-05 15:21:38

Enter "yes" to proceed: yes
Proceeding.
Renewed Dogtag sslserver certificate:
  Subject: CN=master.testrealm.test,O=TESTREALM.TEST
  Serial:  15
  Expires: 2027-08-04 20:49:57

Renewed Dogtag subsystem certificate:
  Subject: CN=CA Subsystem,O=TESTREALM.TEST
  Serial:  16
  Expires: 2027-08-04 20:49:58

Renewed Dogtag ca_ocsp_signing certificate:
  Subject: CN=OCSP Subsystem,O=TESTREALM.TEST
  Serial:  17
  Expires: 2027-08-04 20:49:59

Renewed Dogtag ca_audit_signing certificate:
  Subject: CN=CA Audit,O=TESTREALM.TEST
  Serial:  18
  Expires: 2027-08-04 20:49:59

Renewed IPA IPA RA certificate:
  Subject: CN=IPA RA,O=TESTREALM.TEST
  Serial:  19
  Expires: 2027-08-04 20:49:59

Renewed IPA Apache HTTPS certificate:
  Subject: CN=master.testrealm.test,O=TESTREALM.TEST
  Serial:  20
  Expires: 2027-08-15 20:50:00

Renewed IPA LDAP certificate:
  Subject: CN=master.testrealm.test,O=TESTREALM.TEST
  Serial:  21
  Expires: 2027-08-15 20:50:00

Renewed IPA KDC certificate:
  Subject: CN=master.testrealm.test,O=TESTREALM.TEST
  Serial:  22
  Expires: 2027-08-15 20:50:01

Becoming renewal master.
The ipa-cert-fix command was successful
[root@master ~]# getcert list|grep -e expire -e certificate:
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
expires: 2021-11-24 10:20:04 EST
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2021-11-24 10:19:26 EST
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2021-11-24 10:19:26 EST
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
expires: 2021-11-24 10:19:26 EST
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2039-12-05 10:19:25 EST
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
expires: 2021-11-24 10:19:26 EST
ca-error: Server at https://master.testrealm.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://master.testrealm.test/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired).
certificate: type=NSSDB,location='/etc/dirsrv/slapd-TESTREALM-TEST',nickname='Server-Cert',token='NSS Certificate DB'
expires: 2021-12-05 10:20:58 EST
ca-error: Server at https://master.testrealm.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://master.testrealm.test/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired).
certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
expires: 2021-12-05 10:21:24 EST
ca-error: Server at https://master.testrealm.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://master.testrealm.test/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired).
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
expires: 2021-12-05 10:21:38 EST

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
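The man page note added for this bug tells the administrator to wait for the certmonger-initiated renewal to finish, but leaves the "how" to the reader. The following script is an added example, not part of this bug report and not FreeIPA's own code: it parses `getcert list` output and treats a tracking request as settled only when its status is MONITORING, it is not stuck, it carries no ca-error, and its expiry is in the future, then polls until every request is settled. The request IDs, the CA_UNREACHABLE status on the stuck request, and both sample outputs below are constructed to mirror the stale state seen in the description (old expiry dates plus the "certificate has expired" ca-error) and the settled state seen in the later comment; the expiry check assumes `getcert` prints local time in the same zone as `date`, so a plain string comparison of "YYYY-MM-DD HH:MM:SS" orders the timestamps.

```shell
#!/bin/sh
# wait-for-certmonger.sh: added example, not part of this bug report or of
# FreeIPA. After ipa-cert-fix, certmonger re-issues the tracked certificates
# on its own schedule, so `getcert list` can keep showing the old expiry
# dates and a ca-error for a few minutes. Request IDs, status values and the
# sample output below are constructed for illustration.

# Read `getcert list` output on stdin; $1 is "now" as "YYYY-MM-DD HH:MM:SS"
# in the local time zone getcert prints (assumed), so string comparison
# orders the timestamps. Prints "<request id>: <reasons>" per unsettled
# request and exits 1 if any was printed, 0 otherwise.
certmonger_pending() {
    awk -v now="$1" -v q="'" '
    function flush(    reasons) {
        if (id == "") return
        reasons = ""
        if (status != "MONITORING") reasons = reasons " status=" status
        if (stuck == "yes")         reasons = reasons " stuck"
        if (caerr != "")            reasons = reasons " ca-error"
        if (expires != "" && expires <= now) reasons = reasons " expired(" expires ")"
        if (reasons != "") { print id ":" reasons; pending++ }
    }
    /^Request ID / {
        flush()
        id = $0
        sub(/^Request ID /, "", id); sub(/:[ \t]*$/, "", id); gsub(q, "", id)
        status = ""; stuck = ""; caerr = ""; expires = ""
        next
    }
    /^[ \t]*status: /   { status = $2 }
    /^[ \t]*stuck: /    { stuck = $2 }
    /^[ \t]*ca-error: / { caerr = $0 }
    /^[ \t]*expires: /  { expires = $2 " " $3 }   # drop the zone suffix
    END { flush(); exit (pending > 0) }
    '
}

# Poll `getcert list` every $2 seconds (default 10) for up to $1 attempts
# (default 60). Returns 0 once certmonger has settled, 1 on timeout.
wait_for_certmonger() {
    tries="${1:-60}"
    interval="${2:-10}"
    while [ "$tries" -gt 0 ]; do
        now=$(date '+%Y-%m-%d %H:%M:%S')
        if pending=$(getcert list | certmonger_pending "$now"); then
            echo "certmonger settled: all tracked certificates MONITORING and unexpired"
            return 0
        fi
        printf 'still pending (%s tries left):\n%s\n' "$tries" "$pending"
        tries=$((tries - 1))
        sleep "$interval"
    done
    return 1
}

# Constructed excerpt modelled on the stale state right after ipa-cert-fix:
# old expiry dates still shown, one request failing against the expired
# HTTPS certificate.
sample_stale_output() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20211124102004':
        status: MONITORING
        stuck: no
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        expires: 2021-11-24 10:20:04 EST
Request ID '20211124101926':
        status: CA_UNREACHABLE
        stuck: no
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        expires: 2021-11-24 10:19:26 EST
        ca-error: Server at https://master.testrealm.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://master.testrealm.test/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired).
EOF
}

# Constructed excerpt for the settled state a few minutes later.
sample_settled_output() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20211124102004':
        status: MONITORING
        stuck: no
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        expires: 2027-08-04 16:54:38 EDT
Request ID '20211124101926':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        expires: 2027-08-04 16:54:00 EDT
EOF
}

# On an IPA server, after ipa-cert-fix: ./wait-for-certmonger.sh --wait
# Without --wait, only the constructed samples are checked.
if [ "${1-}" = "--wait" ]; then
    wait_for_certmonger
else
    sample_stale_output   | certmonger_pending "2025-08-14 16:50:00" || echo "(stale sample: not settled, as expected)"
    sample_settled_output | certmonger_pending "2025-08-14 17:01:22" && echo "(settled sample: nothing pending)"
fi
```

Run it with `--wait` straight after `ipa-cert-fix` and do not start other administrative tasks until it returns 0. A request that stays in a non-MONITORING state with the same ca-error after the poll budget is exhausted is not the transient described in this bug and needs a look at `getcert list -i <request id>` and the certmonger journal.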