Bug 1912845

Summary: ipa-certupdate drops profile from the caSigningCert tracking
Product: Red Hat Enterprise Linux 8
Reporter: Rob Crittenden <rcritten>
Component: ipa
Assignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 8.3
CC: frenaud, ksiddiqu, pcech, prasun.gera, rcritten, sumenon, tscherf
Target Milestone: rc
Keywords: TestCaseProvided
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.9.2-1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-05-18 15:48:23 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Rob Crittenden 2021-01-05 12:42:50 UTC
This bug is created as a clone of upstream ticket:
https://pagure.io/freeipa/issue/8644

### Issue
ipa-certupdate is modifying the certmonger tracking by dropping the profile from the 'caSigningCert cert-pki-ca' certmonger configuration.

#### Steps to Reproduce
1. ```ipa-server-install``` <options, I included dns>
2. ```ipa-healthcheck``` <should be zero issues>
3. ```ipa-certupdate```
4. ```ipa-healthcheck``` <fails with below>

```json
[
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertTracking",
    "result": "ERROR",
    "uuid": "06fc99e8-037c-49ed-bd97-9703c82e1b04",
    "when": "20210104205952Z",
    "duration": "0.287840",
    "kw": {
      "key": "cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=caSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"caSigningCert cert-pki-ca\", template-profile=caCACert",
      "msg": "Expected certmonger tracking is missing for {key}. Automated renewal will not happen for this certificate"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertTracking",
    "result": "WARNING",
    "uuid": "f6af4114-bb3e-4cb4-a79d-2dc3b4856583",
    "when": "20210104205953Z",
    "duration": "0.401806",
    "kw": {
      "key": "20210104201139",
      "msg": "certmonger tracking request {key} found and is not expected on an IPA master."
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertDNSSAN",
    "result": "ERROR",
    "uuid": "2e5b118b-9a5c-4bdf-8c1f-c5337aa3c292",
    "when": "20210104205953Z",
    "duration": "0.309905",
    "kw": {
      "key": null,
      "msg": "Found request id {key} but it is not trackedby certmonger!?"
    }
  }
]
```

Running ```ipa-server-upgrade``` fixes the tracking.

#### Version/Release/Distribution

Reported initially on freeipa-users and followed up on irc. Seen on RHEL 8.3 (ipa-server-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64) and reproduced with ipa master.
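The healthcheck failure above comes down to one comparison: the certmonger tracking request for the nickname `caSigningCert cert-pki-ca` must carry the exact CA name, pre/post-save commands and template profile that ipa-healthcheck expects, and after ipa-certupdate the `template-profile=caCACert` part is gone. The script below is an added standalone check, not code from this bug report, from ipa-healthcheck or from FreeIPA: it parses `getcert list` output, finds the request tracking the CA signing certificate, and reports every attribute that differs from the expected tracking listed in the healthcheck `key` above. It assumes the `Request ID '<id>':` / `<field>: <value>` layout certmonger prints and that the template profile is shown on a `profile:` line; the two sample outputs are constructed for the demonstration, one as ipa-server-install leaves the tracking and one with the profile line missing, which is the state this bug describes.

```python
import re
import subprocess
import sys

# Expected tracking for the Dogtag CA signing certificate on an IPA master,
# taken from the healthcheck "key" in the bug report.
CA_SIGNING_NICKNAME = "caSigningCert cert-pki-ca"
EXPECTED_TRACKING = {
    "CA": "dogtag-ipa-ca-renew-agent",
    "profile": "caCACert",
    "pre-save command": "/usr/libexec/ipa/certmonger/stop_pkicad",
    "post-save command": '/usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"',
}

REQUEST_RE = re.compile(r"^Request ID '(?P<rid>[^']+)':$")


def parse_getcert_list(text):
    """Parse `getcert list` output into {request_id: {field: value}}.

    Assumed layout: a request starts with "Request ID '<id>':" and each
    following indented line is "<field>: <value>". Only the first colon
    separates field from value, so values such as timestamps survive intact.
    """
    requests = {}
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line.strip())
        if m:
            current = requests.setdefault(m.group("rid"), {})
            continue
        if current is None or ":" not in line:
            continue
        field, _, value = line.strip().partition(":")
        current[field.strip()] = value.strip()
    return requests


def nickname_of(req):
    """Extract nickname='...' from the 'key pair storage' field of a request."""
    m = re.search(r"nickname='([^']*)'", req.get("key pair storage", ""))
    return m.group(1) if m else None


def check_ca_signing_tracking(text):
    """Return a list of problems with the CA signing cert tracking; empty means OK."""
    matches = [(rid, req) for rid, req in parse_getcert_list(text).items()
               if nickname_of(req) == CA_SIGNING_NICKNAME]
    if not matches:
        return ["no certmonger tracking request for %r" % CA_SIGNING_NICKNAME]
    problems = []
    for rid, req in matches:
        for field, expected in EXPECTED_TRACKING.items():
            actual = req.get(field)
            if actual != expected:
                problems.append("request %s: %s expected %r, got %r"
                                % (rid, field, expected, actual))
    return problems


# Constructed sample (not taken from the bug report): tracking as
# ipa-server-install leaves it, with the template profile present.
SAMPLE_OK = """\
Number of certificates and requests being tracked: 1.
Request ID '20210104201139':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=Certificate Authority,O=EXAMPLE.TEST
\texpires: 2040-12-22 08:41:06 UTC
\tprofile: caCACert
\tpre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
\tpost-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
\ttrack: yes
\tauto-renew: yes
"""

# Constructed sample of the state after ipa-certupdate: same request, but the
# profile line has been dropped from the tracking.
SAMPLE_BROKEN = "\n".join(
    line for line in SAMPLE_OK.splitlines()
    if not line.strip().startswith("profile:")
) + "\n"


if __name__ == "__main__":
    # Check the live certmonger state on an IPA master (needs root).
    output = subprocess.run(["getcert", "list"], capture_output=True,
                            text=True, check=True).stdout
    problems = check_ca_signing_tracking(output)
    for problem in problems:
        print("ERROR:", problem)
    sys.exit(1 if problems else 0)
```

Run it before and after `ipa-certupdate` on a test master: the healthy tracking yields no output and exit status 0, while the post-certupdate state reports the missing `profile` for the request ID, which is the same condition ipa-healthcheck flags as "Expected certmonger tracking is missing" and, since the stripped-down request no longer matches any expected entry, as an unexpected tracking request.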

Comment 1 Rob Crittenden 2021-01-05 12:44:49 UTC
Upstream PR https://github.com/freeipa/freeipa/pull/5393

Comment 4 Florence Blanc-Renaud 2021-01-07 15:14:12 UTC
TestCase provided upstream in ipatests/test_integration/test_ipahealthcheck.py::TestIpaHealthCheck::test_ipa_healthcheck_after_certupdate

Comment 10 errata-xmlrpc 2021-05-18 15:48:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1846