Bug 1780317
| Summary: | ipa-cert-fix: False Positive Status for cert renewal. | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Deepak Das <ddas> |
| Component: | ipa | Assignee: | Florence Blanc-Renaud <frenaud> |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | high | Docs Contact: | |
| Priority: | medium | ||
| Version: | 8.1 | CC: | frenaud, ftweedal, myusuf, pcech, rcritten, ssidhaye, tscherf, twoerner |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.0 | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | idm-client-8050020210701113027.de73ecb2 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-11-09 18:21:19 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Based on further check it seems that even after ipa-cert-fix give success message, it still takes another few minutes for the status of the certificate in the server in "getcert list" to be updated hence causing confusion. [root@master ~]# date Thu Aug 14 17:01:22 EDT 2025 [root@master ~]# getcert list|grep -e expire -e certificate: certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem' expires: 2027-08-04 16:54:38 EDT certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' expires: 2027-08-04 16:53:36 EDT certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' expires: 2027-08-04 16:53:57 EDT certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' expires: 2027-08-04 16:54:07 EDT certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' expires: 2039-12-05 10:19:25 EST certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' expires: 2027-08-04 16:54:00 EDT certificate: type=NSSDB,location='/etc/dirsrv/slapd-TESTREALM-TEST',nickname='Server-Cert',token='NSS Certificate DB' expires: 2027-08-15 16:53:41 EDT certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt' expires: 2027-08-15 16:53:51 EDT certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt' expires: 2027-08-15 16:53:32 EDT Indeed, Certmonger does not notice the updated certificates straight away. So, rather than ipa-cert-fix output being a false positive, it is getcert output that is a false negative. I will leave this open. We should probably at least make a note of this in the man page or something so let's consider this a doc bug :) Upstream ticket: https://pagure.io/freeipa/issue/8702 Fixed upstream
master:
5509e00 ipa-cert-fix man page: add note about certmonger renewal
ipa-4-9:
06a445a ipa-cert-fix man page: add note about certmonger renewal
version:
ipa-server-4.9.5-1.module+el8.5.0+11410+91a33fe4.x86_64
ipa-server-dns-4.9.5-1.module+el8.5.0+11410+91a33fe4.noarch
[root@master cloud-user]# ipa-cert-fix -v
[..]
ipapython.ipautil: DEBUG: stdout=Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipapython.ipautil: DEBUG: stderr=ipa: INFO: The ipactl command was successful
Note: Monitor the certmonger-initiated renewal of
certificates after ipa-cert-fix and wait for its completion before
any other administrative task.
ipapython.admintool: INFO: The ipa-cert-fix command was successful
[root@master cloud-user]# man ipa-cert-fix
[..]
Important note: the certmonger daemon does not immediately notice the updated certificates and may trigger a renewal
after ipa-cert-fix completes. As a consequence, getcert list output may display that a renewal is in progress even
if ipa-cert-fix just finished. It is recommended to monitor the certmonger-initiated renewal and wait for its com‐
pletion before any other administrative task.
[..]
Note about waiting for certmonger is displayed in command output as well as man page. Hence marking the bug as verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (ipa bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:4230 |
Description of problem: [root@master ~]# getcert list|grep -e expire -e certificate: certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem' expires: 2021-11-24 10:20:04 EST certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' expires: 2021-11-24 10:19:26 EST certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' expires: 2021-11-24 10:19:26 EST certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' expires: 2021-11-24 10:19:26 EST certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' expires: 2039-12-05 10:19:25 EST certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' expires: 2021-11-24 10:19:26 EST certificate: type=NSSDB,location='/etc/dirsrv/slapd-TESTREALM-TEST',nickname='Server-Cert',token='NSS Certificate DB' expires: 2021-12-05 10:20:58 EST certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt' expires: 2021-12-05 10:21:24 EST certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt' expires: 2021-12-05 10:21:38 EST [root@master ~]# hwclock --set --date="2025-08-14 16:45:05" [root@master ~]# hwclock --hctosys; date Thu Aug 14 16:45:10 EDT 2025 [root@master ~]# ipactl restart Restarting Directory Service Restarting krb5kdc Service Restarting kadmin Service Restarting named Service Restarting httpd Service Restarting ipa-custodia Service Restarting pki-tomcatd Service zRestarting ipa-otpd Service Restarting ipa-dnskeysyncd Service ipa: INFO: The ipactl command was successful [root@master ~]# date Thu Aug 14 16:47:48 EDT 2025 [root@master ~]# ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING named Service: RUNNING httpd Service: RUNNING ipa-custodia Service: RUNNING pki-tomcatd Service: STOPPED ipa-otpd Service: RUNNING ipa-dnskeysyncd Service: RUNNING ipa: INFO: The ipactl command was successful [root@master ~]# ipa-cert-fix WARNING ipa-cert-fix is intended for recovery when expired certificates prevent the normal operation of FreeIPA. It should ONLY be used in such scenarios, and backup of the system, especially certificates and keys, is STRONGLY RECOMMENDED. The following certificates will be renewed: Dogtag sslserver certificate: Subject: CN=master.testrealm.test,O=TESTREALM.TEST Serial: 3 Expires: 2021-11-24 15:19:26 Dogtag subsystem certificate: Subject: CN=CA Subsystem,O=TESTREALM.TEST Serial: 4 Expires: 2021-11-24 15:19:26 Dogtag ca_ocsp_signing certificate: Subject: CN=OCSP Subsystem,O=TESTREALM.TEST Serial: 2 Expires: 2021-11-24 15:19:26 Dogtag ca_audit_signing certificate: Subject: CN=CA Audit,O=TESTREALM.TEST Serial: 5 Expires: 2021-11-24 15:19:26 IPA IPA RA certificate: Subject: CN=IPA RA,O=TESTREALM.TEST Serial: 7 Expires: 2021-11-24 15:20:04 IPA Apache HTTPS certificate: Subject: CN=master.testrealm.test,O=TESTREALM.TEST Serial: 9 Expires: 2021-12-05 15:21:24 IPA LDAP certificate: Subject: CN=master.testrealm.test,O=TESTREALM.TEST Serial: 8 Expires: 2021-12-05 15:20:58 IPA KDC certificate: Subject: CN=master.testrealm.test,O=TESTREALM.TEST Serial: 10 Expires: 2021-12-05 15:21:38 Enter "yes" to proceed: yes Proceeding. Renewed Dogtag sslserver certificate: Subject: CN=master.testrealm.test,O=TESTREALM.TEST Serial: 15 Expires: 2027-08-04 20:49:57 Renewed Dogtag subsystem certificate: Subject: CN=CA Subsystem,O=TESTREALM.TEST Serial: 16 Expires: 2027-08-04 20:49:58 Renewed Dogtag ca_ocsp_signing certificate: Subject: CN=OCSP Subsystem,O=TESTREALM.TEST Serial: 17 Expires: 2027-08-04 20:49:59 Renewed Dogtag ca_audit_signing certificate: Subject: CN=CA Audit,O=TESTREALM.TEST Serial: 18 Expires: 2027-08-04 20:49:59 Renewed IPA IPA RA certificate: Subject: CN=IPA RA,O=TESTREALM.TEST Serial: 19 Expires: 2027-08-04 20:49:59 Renewed IPA Apache HTTPS certificate: Subject: CN=master.testrealm.test,O=TESTREALM.TEST Serial: 20 Expires: 2027-08-15 20:50:00 Renewed IPA LDAP certificate: Subject: CN=master.testrealm.test,O=TESTREALM.TEST Serial: 21 Expires: 2027-08-15 20:50:00 Renewed IPA KDC certificate: Subject: CN=master.testrealm.test,O=TESTREALM.TEST Serial: 22 Expires: 2027-08-15 20:50:01 Becoming renewal master. The ipa-cert-fix command was successful [root@master ~]# getcert list|grep -e expire -e certificate: certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem' expires: 2021-11-24 10:20:04 EST certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' expires: 2021-11-24 10:19:26 EST certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' expires: 2021-11-24 10:19:26 EST certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' expires: 2021-11-24 10:19:26 EST certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' expires: 2039-12-05 10:19:25 EST certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' expires: 2021-11-24 10:19:26 EST ca-error: Server at https://master.testrealm.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://master.testrealm.test/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired). certificate: type=NSSDB,location='/etc/dirsrv/slapd-TESTREALM-TEST',nickname='Server-Cert',token='NSS Certificate DB' expires: 2021-12-05 10:20:58 EST ca-error: Server at https://master.testrealm.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://master.testrealm.test/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired). certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt' expires: 2021-12-05 10:21:24 EST ca-error: Server at https://master.testrealm.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://master.testrealm.test/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired). certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt' expires: 2021-12-05 10:21:38 EST Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: