Bug 728950

Summary: IPA should start even if certs are expired
Product: Red Hat Enterprise Linux 6 Reporter: Jenny Severance <jgalipea>
Component: ipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: Chandrasekar Kannan <ckannan>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 6.1CC: benl, dpal, grajaiya, mkosek
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-2.1.1-1.el6 Doc Type: Bug Fix
Doc Text:
Cause: If the 389-ds certificate has expired the IPA services will not start. Consequence: Without 389-ds it is not possible to renew a certificate. Fix: 389-ds added new options to control how it reacts to an expired certificate. The default is to warn and start. Result: This provides a degraded operations mode where the certificate can be renewed.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2011-12-06 18:29:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 728592, 733440    
Bug Blocks:    

Description Jenny Severance 2011-08-08 13:13:05 UTC 
Description of problem:

From Simo:

We had a few reports where users had a hardware failure (or suspended testing IPA, or certmonger failed and was not restarted) and when they were able to put an IPA server back online the certs were expired.

In this case we currently fail to start completely as DS refuses to start with expired tickets. This means that also the whole DNS and authentication infrastructure fails to operate,

This is not acceptable. Although running with expired certs is really bad. Not being able to start basic network and auth infrastructure is much worse.

It is ok not to allow SSL connection to LDAP at all as long as DS comes up at least for port 389 and works with LDAP+GSSAPI protection (which is used by clients like SSSD, the DNS server and replication). 


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Dmitri Pal 2011-08-08 21:42:39 UTC 
https://fedorahosted.org/freeipa/ticket/1576

See the ticket for links to other related BZ.
Comment 2 Martin Kosek 2011-09-01 06:41:26 UTC 
Fixed upstream:

master:f59e8145fa0ee131aafa1ce58e4ac729240e3418
ipa-2-1: 01dcfe4b3e303f59c04deb0f5f1e4c85cee69df3

Tickets we depend on were put to MODIFIED too.
Comment 4 Rob Crittenden 2011-11-01 01:24:38 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: If the 389-ds certificate has expired the IPA services will not start.
Consequence: Without 389-ds it is not possible to renew a certificate.
Fix: 389-ds added new options to control how it reacts to an expired certificate. The default is to warn and start.
Result: This provides a degraded operations mode where the certificate can be renewed.
Comment 5 Gowrishankar Rajaiyan 2011-11-07 05:14:33 UTC 
1. The 389-ds issue has been marked as "VERIFIED" - https://bugzilla.redhat.com/show_bug.cgi?id=728592.

"nsslapd-validate-cert: warn"


2. The certificate validity period is now set to 2 years. 

[root@decepticons ~]# date
Mon Nov  7 10:33:47 IST 2011
[root@decepticons ~]# 


[root@decepticons ~]# ipa-getcert list
Number of certificates and requests being tracked: 3.
Request ID '20111107044914':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-LAB-ENG-PNQ-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-LAB-ENG-PNQ-REDHAT-COM//pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-LAB-ENG-PNQ-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=LAB.ENG.PNQ.REDHAT.COM
	subject: CN=decepticons.lab.eng.pnq.redhat.com,O=LAB.ENG.PNQ.REDHAT.COM
	expires: 2013-11-07 04:49:13 UTC      <<<<<<<<<<<<

3. ipa-server now depends on 389-ds-base 1.2.9.13-1.el6

Dependencies Resolved

=====================================================================================================================================================================
 Package                                         Arch                       Version                                          Repository                         Size
=====================================================================================================================================================================
Installing:
 ipa-server                                      x86_64                     2.1.3-8.el6                                      beaker-Server                     977 k
Installing for dependencies:
 389-ds-base                                     x86_64                     1.2.9.13-1.el6                                   beaker-Server                     1.4 M
 389-ds-base-libs                                x86_64                     1.2.9.13-1.el6                                   beaker-Server                     361 k


Hence, marking this as VERIFIED.


# rpm -qi ipa-server | head
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.3                             Vendor: Red Hat, Inc.
Release     : 8.el6                         Build Date: Wed 02 Nov 2011 03:21:27 AM IST
Install Date: Thu 03 Nov 2011 10:13:53 AM IST      Build Host: x86-012.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.3-8.el6.src.rpm
Size        : 3381421                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
Comment 6 errata-xmlrpc 2011-12-06 18:29:30 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html