Bug 728950
Summary: | IPA should start even if certs are expired | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Jenny Severance <jgalipea> |
Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
Status: | CLOSED ERRATA | QA Contact: | Chandrasekar Kannan <ckannan> |
Severity: | unspecified | Priority: | medium |
Version: | 6.1 | CC: | benl, dpal, grajaiya, mkosek |
Target Milestone: | rc | Hardware: | Unspecified |
OS: | Unspecified | Last Closed: | 2011-12-06 18:29:30 UTC |
Fixed In Version: | ipa-2.1.1-1.el6 | Doc Type: | Bug Fix |
Bug Depends On: | 728592, 733440 | | |

Doc Text:
Cause: If the 389-ds certificate has expired the IPA services will not start.
Consequence: Without 389-ds it is not possible to renew a certificate.
Fix: 389-ds added new options to control how it reacts to an expired certificate. The default is to warn and start.
Result: This provides a degraded operations mode where the certificate can be renewed.

Description
Jenny Severance
2011-08-08 13:13:05 UTC
https://fedorahosted.org/freeipa/ticket/1576

See the ticket for links to other related BZ.

Fixed upstream:
master:f59e8145fa0ee131aafa1ce58e4ac729240e3418
ipa-2-1: 01dcfe4b3e303f59c04deb0f5f1e4c85cee69df3

Tickets we depend on were put to MODIFIED too.

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: If the 389-ds certificate has expired the IPA services will not start.
Consequence: Without 389-ds it is not possible to renew a certificate.
Fix: 389-ds added new options to control how it reacts to an expired certificate. The default is to warn and start.
Result: This provides a degraded operations mode where the certificate can be renewed.

1. The 389-ds issue has been marked as "VERIFIED" - https://bugzilla.redhat.com/show_bug.cgi?id=728592. "nsslapd-validate-cert: warn"

2. The certificate validity period is now set to 2 years.

```
[root@decepticons ~]# date
Mon Nov 7 10:33:47 IST 2011
[root@decepticons ~]#
[root@decepticons ~]# ipa-getcert list
Number of certificates and requests being tracked: 3.
Request ID '20111107044914':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-LAB-ENG-PNQ-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-LAB-ENG-PNQ-REDHAT-COM//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-LAB-ENG-PNQ-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=LAB.ENG.PNQ.REDHAT.COM
        subject: CN=decepticons.lab.eng.pnq.redhat.com,O=LAB.ENG.PNQ.REDHAT.COM
        expires: 2013-11-07 04:49:13 UTC <<<<<<<<<<<<
```

3. ipa-server now depends on 389-ds-base 1.2.9.13-1.el6

```
Dependencies Resolved

================================================================================
 Package              Arch      Version            Repository           Size
================================================================================
Installing:
 ipa-server           x86_64    2.1.3-8.el6        beaker-Server       977 k
Installing for dependencies:
 389-ds-base          x86_64    1.2.9.13-1.el6     beaker-Server       1.4 M
 389-ds-base-libs     x86_64    1.2.9.13-1.el6     beaker-Server       361 k
```

Hence, marking this as VERIFIED.

```
# rpm -qi ipa-server | head
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.3                             Vendor: Red Hat, Inc.
Release     : 8.el6                         Build Date: Wed 02 Nov 2011 03:21:27 AM IST
Install Date: Thu 03 Nov 2011 10:13:53 AM IST      Build Host: x86-012.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.3-8.el6.src.rpm
Size        : 3381421                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html
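
An added example, not part of the bug thread and not FreeIPA or 389-ds code: a monitoring check that parses `ipa-getcert list` output in the layout quoted above, flags tracked certificates that are expired or close to expiry, and reads the `nsslapd-validate-cert` value from `cn=config` text. The sample inputs, the 30-day threshold and the function names are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample, laid out like the `ipa-getcert list` output quoted in the bug.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 2.
Request ID '20111107044914':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert'
    expires: 2013-11-07 04:49:13 UTC
Request ID '20111107045001':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
    expires: 2011-11-20 04:50:00 UTC
"""
# Constructed cn=config fragment carrying the setting named in the bug.
SAMPLE_DSE = "dn: cn=config\nnsslapd-port: 389\nnsslapd-validate-cert: warn\n"

def parse_getcert(text):
    """Return one dict per tracked request: its ID plus the 'key: value' fields."""
    requests = []
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"Request ID '([^']+)':$", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and ": " in line:
            key, value = line.split(": ", 1)
            requests[-1][key] = value
    return requests

def expiring(requests, now, warn_days=30):
    """Return (request id, days left) for certs expired or within warn_days of expiry."""
    flagged = []
    # Requests without an issued certificate carry no 'expires' field; skip them.
    for req in (r for r in requests if "expires" in r):
        exp = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S UTC")
        days = (exp.replace(tzinfo=timezone.utc) - now).days
        if days <= warn_days:
            flagged.append((req["id"], days))
    return flagged

def validate_cert_mode(dse_text):
    """Return the nsslapd-validate-cert value from cn=config text, or None if absent."""
    m = re.search(r"^nsslapd-validate-cert:\s*(\S+)", dse_text, re.M | re.I)
    return m.group(1).lower() if m else None

if __name__ == "__main__":
    now = datetime(2011, 11, 7, tzinfo=timezone.utc)
    print(expiring(parse_getcert(SAMPLE_GETCERT), now), validate_cert_mode(SAMPLE_DSE))
```

A negative day count means the certificate has already expired, which is the state in which the server only starts because `nsslapd-validate-cert` is set to `warn`.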