Bug 1790663

Summary: Renewed certs are not picked up by IPA CAs
Product: Red Hat Enterprise Linux 8
Reporter: Rob Crittenden <rcritten>
Component: ipa
Assignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: high
Priority: unspecified
Version: 8.1
CC: anazmy, frenaud, ipa-qe, ksiddiqu, pasik, pcech, rcritten, ssidhaye, tscherf
Target Milestone: rc
Target Release: 8.0
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Clone Of: 1788907
Last Closed: 2020-04-28 15:44:43 UTC
Type: Bug
Bug Depends On: 1788907

Comment 3 Sumedh Sidhaye 2020-03-05 08:55:47 UTC
Reproducer: pre-patch systems

[root@master ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.7 (Maipo)

[root@replica ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.7 (Maipo)

master

[root@cloud-qe-19 ~]# rpm -q ipa-server certmonger 
ipa-server-4.6.5-11.el7.x86_64
certmonger-0.78.4-11.el7.x86_64
[root@cloud-qe-19 ~]# 


replica

[root@cloud-qe-21 ~]# rpm -q ipa-server certmonger
ipa-server-4.6.5-11.el7.x86_64
certmonger-0.78.4-11.el7.x86_64



[root@replica ~]# getcert list -f /var/lib/ipa/ra-agent.pem
Number of certificates and requests being tracked: 9.
Request ID '20200305081550':
	status: CA_WORKING
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
	certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=TESTREALM.TEST
	subject: CN=IPA RA,O=TESTREALM.TEST
	expires: 2022-02-23 05:19:20 UTC
	key usage: digitalSignature,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
	post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
	track: yes
	auto-renew: yes
[root@replica ~]# systemctl stop certmonger; sleep 5; systemctl start certmonger

[root@replica ~]# tail /var/log/messages

Mar  5 03:20:01 cloud-qe-21 systemd: Started Session 32 of user root.
Mar  5 03:28:47 cloud-qe-21 ntpd[3845]: 0.0.0.0 0512 02 freq_set ntpd 0.000 PPM
Mar  5 03:28:47 cloud-qe-21 ntpd[3845]: 0.0.0.0 0515 05 clock_sync
Mar  5 03:33:47 cloud-qe-21 dogtag-ipa-ca-renew-agent-submit: Updated certificate not available
Mar  5 03:34:40 cloud-qe-21 systemd: Stopping Certificate monitoring and PKI enrollment...
Mar  5 03:34:40 cloud-qe-21 systemd: Stopped Certificate monitoring and PKI enrollment.
Mar  5 03:34:52 cloud-qe-21 systemd: Starting Certificate monitoring and PKI enrollment...
Mar  5 03:34:53 cloud-qe-21 systemd: Started Certificate monitoring and PKI enrollment.
Mar  5 03:35:14 cloud-qe-21 certmonger: 2020-03-05 03:35:14 [7978] Invalid cookie: u''

=====================================================================


Fixed version

master

[root@master ~]# rpm -q ipa-server certmonger
ipa-server-4.8.4-6.module+el8.2.0+5773+68ace8c5.x86_64
certmonger-0.79.7-6.el8.x86_64
[root@master ~]#


replica

[root@replica ~]# rpm -q ipa-server certmonger
ipa-server-4.8.4-6.module+el8.2.0+5773+68ace8c5.x86_64
certmonger-0.79.7-6.el8.x86_64
[root@replica ~]#



[root@replica ~]# getcert resubmit -f /var/lib/ipa/ra-agent.pem 
Resubmitting "20200227051204" to "dogtag-ipa-ca-renew-agent".
[root@replica ~]# getcert list -f /var/lib/ipa/ra-agent.pem
Number of certificates and requests being tracked: 9.
Request ID '20200227051204':
	status: CA_WORKING
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
	certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=TESTREALM.TEST
	subject: CN=IPA RA,O=TESTREALM.TEST
	expires: 2022-02-15 22:25:26 IST
	key usage: digitalSignature,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
	post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
	track: yes
	auto-renew: yes
[root@replica ~]# #systemctl stop certmonger; sleep 20; systemctl start certmonger
[root@replica ~]# getcert list -f /var/lib/ipa/ra-agent.pem
Number of certificates and requests being tracked: 9.
Request ID '20200227051204':
	status: CA_WORKING
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
	certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=TESTREALM.TEST
	subject: CN=IPA RA,O=TESTREALM.TEST
	expires: 2022-02-15 22:25:26 IST
	key usage: digitalSignature,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
	post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
	track: yes
	auto-renew: yes
[root@replica ~]# systemctl stop certmonger; sleep 20; systemctl start certmonger
[root@replica ~]# getcert list -f /var/lib/ipa/ra-agent.pem
Number of certificates and requests being tracked: 9.
Request ID '20200227051204':
	status: SUBMITTING
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
	certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=TESTREALM.TEST
	subject: CN=IPA RA,O=TESTREALM.TEST
	expires: 2022-02-15 22:25:26 IST
	key usage: digitalSignature,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
	post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
	track: yes
	auto-renew: yes
[root@replica ~]#




[root@replica ~]# grep -P 'certmonger|dogtag' /var/log/messages*
Feb 26 21:46:38 vm-idm-023 systemd-tmpfiles[16912]: [/usr/lib/tmpfiles.d/certmonger.conf:3] Line references path below legacy directory /var/run/, updating /var/run/certmonger → /run/certmonger; please update the tmpfiles.d/ drop-in file accordingly.
Feb 26 21:49:28 vm-idm-023 systemd-tmpfiles[21613]: [/usr/lib/tmpfiles.d/certmonger.conf:3] Line references path below legacy directory /var/run/, updating /var/run/certmonger → /run/certmonger; please update the tmpfiles.d/ drop-in file accordingly.
Feb 26 22:25:45 vm-idm-023 certmonger[24241]: Certificate in file "/var/lib/ipa/ra-agent.pem" issued by CA and saved.
Feb 26 22:27:30 vm-idm-023 /restart_dirsrv[25006]: certmonger restarted dirsrv instance 'TESTREALM-TEST'
Feb 26 22:27:35 vm-idm-023 certmonger[25074]: Certificate named "Server-Cert" in token "NSS Certificate DB" in database "/etc/dirsrv/slapd-TESTREALM-TEST" issued by CA and saved.
Feb 26 22:28:10 vm-idm-023 /restart_httpd[25603]: certmonger restarted httpd
Feb 26 22:28:10 vm-idm-023 certmonger[25606]: Certificate in file "/var/lib/ipa/certs/httpd.crt" issued by CA and saved.
Feb 26 22:28:34 vm-idm-023 certmonger[26028]: Certificate in file "/var/kerberos/krb5kdc/kdc.crt" issued by CA and saved.
[root@replica ~]#
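The RA agent certificate is shared by every CA replica, so a replica that failed to pick up a renewal (the "Updated certificate not available" case above) keeps an older copy than the renewal master. The script below is an added example, not part of the bug report or of IPA/certmonger: it compares the notAfter of /var/lib/ipa/ra-agent.pem across replicas and lists tracked requests that are not back in MONITORING; the function names, the hostnames and root ssh access to the replicas are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or from IPA/certmonger). On an IPA
# deployment the RA agent cert is shared by all CA replicas, so a replica that
# did not pick up a renewal keeps an older copy. Names below are assumptions.

# "notAfter=Feb 15 22:25:26 2022 GMT" (openssl x509 -enddate) -> 20220215222526,
# a digit string that compares numerically in time order.
enddate_key() {
  set -- $(printf '%s' "${1#notAfter=}" | tr -d ':')   # Feb 15 222526 2022 GMT
  m=00
  case $1 in Jan) m=01;; Feb) m=02;; Mar) m=03;; Apr) m=04;; May) m=05;; Jun) m=06;;
             Jul) m=07;; Aug) m=08;; Sep) m=09;; Oct) m=10;; Nov) m=11;; Dec) m=12;; esac
  printf '%s%s%02d%s' "$4" "$m" "$2" "$3"
}

# stdin: one "<host> notAfter=<enddate>" line per CA replica. Prints the hosts
# whose RA cert expires earlier than the newest copy seen, i.e. the stragglers.
lagging_replicas() {
  data=$(cat); newest=0
  while read -r host enddate; do                       # pass 1: newest expiry
    key=$(enddate_key "$enddate")
    if [ "$key" -gt "$newest" ]; then newest=$key; fi
  done <<EOF
$data
EOF
  while read -r host enddate; do                       # pass 2: report laggards
    if [ "$(enddate_key "$enddate")" -lt "$newest" ]; then echo "$host"; fi
  done <<EOF
$data
EOF
}

# stdin: `getcert list` output. Prints "<status> <certificate location>" for
# every request that is not back in MONITORING (e.g. CA_WORKING after restart).
not_monitoring() {
  awk -F': ' '/^Request ID/ { st = ""; loc = "" }
              $1 ~ /status$/      { st = $2 }
              $1 ~ /certificate$/ { loc = $2 }
              $1 ~ /auto-renew$/ && st != "MONITORING" { print st, loc }'
}

# Collect the RA cert expiry from each CA replica over ssh (root access and the
# hostnames are assumptions) and print the ones that lag behind.
ra_cert_lag() {
  for h in "$@"; do
    printf '%s %s\n' "$h" "$(ssh "$h" openssl x509 -noout -enddate -in /var/lib/ipa/ra-agent.pem)"
  done | lagging_replicas
}
# Usage: ra_cert_lag master.testrealm.test replica.testrealm.test
```

Run `getcert list | not_monitoring` on each replica after the certmonger restart; an empty result together with an empty `ra_cert_lag` output means every replica holds the renewed certificate and certmonger has resumed tracking it.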

Comment 5 errata-xmlrpc 2020-04-28 15:44:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:1640