1166931 – RHEL7.1 ipa automatic CA cert renewal stuck in submitting state

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1166931 - RHEL7.1 ipa automatic CA cert renewal stuck in submitting state

Summary: RHEL7.1 ipa automatic CA cert renewal stuck in submitting state

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Jan Cholasta
QA Contact:	Namita Soman
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1168850
TreeView+	depends on / blocked

Reported:	2014-11-22 02:55 UTC by Scott Poore
Modified:	2015-03-05 10:15 UTC (History)
CC List:	5 users (show)
Fixed In Version:	ipa-4.1.0-11.el7
Doc Type:	Bug Fix
Doc Text:	The following known issue description has been removed from the RHEL 7.1 Beta Release Notes: Due to a bug in the dogtag-ipa-ca-renew-agent certmonger tool renewal mechanism, automatic renewal of the IPA CA certificate can result in an endless request loop. There is no workaround available at the moment.
Clone Of:
Environment:
Last Closed:	2015-03-05 10:15:42 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
all of /var/log from vm with issue (6.08 MB, application/x-gzip) 2014-11-22 03:00 UTC, Scott Poore	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:0442	0	normal	SHIPPED_LIVE	Moderate: ipa security, bug fix, and enhancement update	2015-03-05 14:50:39 UTC

Description Scott Poore 2014-11-22 02:55:48 UTC

Description of problem:

Automatic CA Cert renewal for self signed IPA is hanging in a submitting state.  

[root@vm4 ~]# getcert list -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca'
Number of certificates and requests being tracked: 8.
Request ID '20141122001822':
	status: SUBMITTING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin='358974620032'
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.TEST
	subject: CN=Certificate Authority,O=EXAMPLE.TEST
	expires: 2034-11-22 00:17:49 UTC
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes

I walked the time forward to within 6 days of CA expiration and it goes through to this point.  But, certmonger is trying repeatedly to submit and is never getting passed this state.




Version-Release number of selected component (if applicable):

ipa-server-4.1.0-7.el7.x86_64
certmonger-0.75.14-2.el7.x86_64


How reproducible:


Steps to Reproduce:
1.  Install IPA Master
2.  getcert list | grep expires
3.  Change date to closest to let certs expire as expected
4.  getcert list
5.  Check that certs submit and renew
6.  getcert resubmit -i <id>  for any certs that don't submit
7.  repeat until all certs in MONITORING state
8.  change date forward again and repeat until you reach CA cert expiration


Actual results:
stuck in submitting state shown above.  I don't see it go to monitoring state.

Expected results:
cert should change from submitting to monitoring.

Additional info:

[root@vm4 ~]# tail -10 /var/log/messages
Nov 16 01:42:09 vm4 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Nov 16 01:42:09 vm4 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 5
Nov 16 01:42:10 vm4 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Nov 16 01:42:10 vm4 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 5
Nov 16 01:42:12 vm4 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Nov 16 01:42:13 vm4 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 5
Nov 16 01:42:14 vm4 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Nov 16 01:42:14 vm4 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 5
Nov 16 01:42:15 vm4 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Nov 16 01:42:15 vm4 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 5

Comment 2 Scott Poore 2014-11-22 03:00:09 UTC

Created attachment 960031 [details]
all of /var/log from vm with issue

Comment 3 Scott Poore 2014-11-22 03:07:27 UTC

Here's the request info:

[root@vm4 ~]# cat /var/lib/certmonger/requests/20141122001822
id=20141122001822
key_type=RSA
key_gen_type=RSA
key_size=2048
key_gen_size=2048
key_storage_type=NSSDB
key_storage_location=/etc/pki/pki-tomcat/alias
key_token=NSS Certificate DB
key_nickname=caSigningCert cert-pki-ca
key_pin=358974620032
key_pubkey=3082010A0282010100E2B268DDBBB3CBC28A6EED45C317144B3356355EE6E77F4311758DC438BFAB4DBCC78D3B2292D1B8F26A935EB34A638927D01AFF54583431683CD9D8CE9AC79486A49CD4FD4869561ED422080BDEBC2C5A7FDF5AF76B6E4FF4CB881B52DDB482F61BD09E9F155BA24AB23E2CDBB51387E11758358EF41A61737D1AF2E785CAF70109FD89A147DC0CE2CEC13F18E2345930D5B15C78924621749AD9F2C8D38393A325FA4A9C61FE5DCAE1AEFF7F282ADBD4017FE3329FE4A71B4EA7D01F92FA91AB21ECA56B73A5DA400F578B49E4AC4369D6998F762058B926B2D8C5E42F9C5CE1AAD021E25E76C62864F8D2FF5EC130CA65ECC931D923DD1A953F8B5B13516F0203010001
key_pubkey_info=30820122300D06092A864886F70D01010105000382010F003082010A0282010100E2B268DDBBB3CBC28A6EED45C317144B3356355EE6E77F4311758DC438BFAB4DBCC78D3B2292D1B8F26A935EB34A638927D01AFF54583431683CD9D8CE9AC79486A49CD4FD4869561ED422080BDEBC2C5A7FDF5AF76B6E4FF4CB881B52DDB482F61BD09E9F155BA24AB23E2CDBB51387E11758358EF41A61737D1AF2E785CAF70109FD89A147DC0CE2CEC13F18E2345930D5B15C78924621749AD9F2C8D38393A325FA4A9C61FE5DCAE1AEFF7F282ADBD4017FE3329FE4A71B4EA7D01F92FA91AB21ECA56B73A5DA400F578B49E4AC4369D6998F762058B926B2D8C5E42F9C5CE1AAD021E25E76C62864F8D2FF5EC130CA65ECC931D923DD1A953F8B5B13516F0203010001
cert_storage_type=NSSDB
cert_storage_location=/etc/pki/pki-tomcat/alias
cert_token=NSS Certificate DB
cert_nickname=caSigningCert cert-pki-ca
cert_issuer_der=303731153013060355040A0C0C4558414D504C452E54455354311E301C06035504030C15436572746966696361746520417574686F72697479
cert_issuer=CN=Certificate Authority,O=EXAMPLE.TEST
cert_serial=01
cert_subject_der=303731153013060355040A0C0C4558414D504C452E54455354311E301C06035504030C15436572746966696361746520417574686F72697479
cert_subject=CN=Certificate Authority,O=EXAMPLE.TEST
cert_spki=30820122300D06092A864886F70D01010105000382010F003082010A0282010100E2B268DDBBB3CBC28A6EED45C317144B3356355EE6E77F4311758DC438BFAB4DBCC78D3B2292D1B8F26A935EB34A638927D01AFF54583431683CD9D8CE9AC79486A49CD4FD4869561ED422080BDEBC2C5A7FDF5AF76B6E4FF4CB881B52DDB482F61BD09E9F155BA24AB23E2CDBB51387E11758358EF41A61737D1AF2E785CAF70109FD89A147DC0CE2CEC13F18E2345930D5B15C78924621749AD9F2C8D38393A325FA4A9C61FE5DCAE1AEFF7F282ADBD4017FE3329FE4A71B4EA7D01F92FA91AB21ECA56B73A5DA400F578B49E4AC4369D6998F762058B926B2D8C5E42F9C5CE1AAD021E25E76C62864F8D2FF5EC130CA65ECC931D923DD1A953F8B5B13516F0203010001
cert_not_before=20141122001749
cert_not_after=20341122001749
cert_ku=1100011
cert_is_ca=1
cert_ca_path_length=-2
cert_ocsp=http://vm4.example.test:80/ca/ocsp
cert_no_ocsp_check=0
last_need_notify_check=20341116061856
last_need_enroll_check=20341116061856
template_subject_der=303731153013060355040A0C0C4558414D504C452E54455354311E301C06035504030C15436572746966696361746520417574686F72697479
template_subject=CN=Certificate Authority,O=EXAMPLE.TEST
template_ku=1100011
template_is_ca=0
template_ca_path_length=0
template_profile=ipaCACertRenewal
template_no_ocsp_check=0
csr=-----BEGIN NEW CERTIFICATE REQUEST-----
 MIIDETCCAfkCAQAwNzEVMBMGA1UECgwMRVhBTVBMRS5URVNUMR4wHAYDVQQDDBVD
 ZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
 AoIBAQDismjdu7PLwopu7UXDFxRLM1Y1Xubnf0MRdY3EOL+rTbzHjTsiktG48mqT
 XrNKY4kn0Br/VFg0MWg82djOmseUhqSc1P1IaVYe1CIIC968LFp/31r3a25P9MuI
 G1LdtIL2G9CenxVbokqyPizbtROH4RdYNY70GmFzfRry54XK9wEJ/YmhR9wM4s7B
 PxjiNFkw1bFceJJGIXSa2fLI04OToyX6Spxh/l3K4a7/fygq29QBf+Myn+SnG06n
 0B+S+pGrIeyla3Ol2kAPV4tJ5KxDadaZj3YgWLkmstjF5C+cXOGq0CHiXnbGKGT4
 0v9ewTDKZezJMdkj3RqVP4tbE1FvAgMBAAGggZQwQQYJKoZIhvcNAQkUMTQeMgBj
 AGEAUwBpAGcAbgBpAG4AZwBDAGUAcgB0ACAAYwBlAHIAdAAtAHAAawBpAC0AYwBh
 ME8GCSqGSIb3DQEJDjFCMEAwDgYDVR0PAQEABAQDAgHGMAwGA1UdEwEB/wQCMAAw
 IAYDVR0OAQEABBYEFCXR+icIicOKX3IIwEON7uRPILrFMA0GCSqGSIb3DQEBCwUA
 A4IBAQA0m9iTmk8XfT9Z1uwR+o2diDZugJd/vRL2GujedVfBb7GV6cbfSpnwFGbi
 KGdNsdtHuKm7447ye2QFcQZ8nw0PBBsAICEfdXERfCFen9LrQukx7c1f4WMUs3Gr
 m6QDWrQqbvHmFxefBcPu4A6Yt1e/2VpKfXtgcGfLEdLrJU/rJIrJx+0+H5sYTC+e
 0sOfqCr53ioxNw49jaxvkg5Q80IppH72K+qAdfBZrsX+XdkU0AxuGa5A0ngmwwK4
 38py9vjdOI1w8aBvuE/2Z5W35yu4AoQ3k6AkVUv2cmNlzyZUoz4fL5aI4LQ79yov
 11xoxpHkL7Ufwm08pD9vJhUZpeng
 -----END NEW CERTIFICATE REQUEST-----
spkac=MIICQDCCASgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDismjdu7PLwopu7UXDFxRLM1Y1Xubnf0MRdY3EOL+rTbzHjTsiktG48mqTXrNKY4kn0Br/VFg0MWg82djOmseUhqSc1P1IaVYe1CIIC968LFp/31r3a25P9MuIG1LdtIL2G9CenxVbokqyPizbtROH4RdYNY70GmFzfRry54XK9wEJ/YmhR9wM4s7BPxjiNFkw1bFceJJGIXSa2fLI04OToyX6Spxh/l3K4a7/fygq29QBf+Myn+SnG06n0B+S+pGrIeyla3Ol2kAPV4tJ5KxDadaZj3YgWLkmstjF5C+cXOGq0CHiXnbGKGT40v9ewTDKZezJMdkj3RqVP4tbE1FvAgMBAAEWADANBgkqhkiG9w0BAQsFAAOCAQEA1X0Pyj+C598GbOhf8+nOx4NNkmYz+IQ35fOV+17BK9yyQYWnErv1DkkaNIOq9hNcxTZaZw4usrBrZcNac537YiSj7MqD6Q5oFxBTSSRb9GM6vCwtR58+s32JT3PhxqQuSmi7mAC2qt7eHAeg+521/+aDdXBy/wDExVfTV26Txrfrzx5UkgNWrA0ECWyaX8Hr8rc7+ZfMpUUJIRFN+BRGIWE9JEEarYNfxFrWUsc6Y+i7iH3NMQ+a5pcSnywdgWFdXycoqhY7hlmmhKXtFWrPEGXVhpXa+efnT9pXldLG9nVatRbuUATCmMlcqIBYgfdx1dTRVO/Kr5vWg9VOsHfXSQ==
state=SUBMITTING
autorenew=1
monitor=1
ca_name=dogtag-ipa-ca-renew-agent
submitted=20341116081303
ca_cookie={"profile": "caCACert", "cookie": "request:{\"profile\": \"caCACert\", \"cookie\": \"request:{\\\"profile\\\": \\\"caCACert\\\", \\\"cookie\\\": \\\"state=approve&requestId=4268\\\"}\"}"}
cert=-----BEGIN CERTIFICATE-----
 MIIDjjCCAnagAwIBAgIBATANBgkqhkiG9w0BAQsFADA3MRUwEwYDVQQKDAxFWEFN
 UExFLlRFU1QxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNDEx
 MjIwMDE3NDlaFw0zNDExMjIwMDE3NDlaMDcxFTATBgNVBAoMDEVYQU1QTEUuVEVT
 VDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0B
 AQEFAAOCAQ8AMIIBCgKCAQEA4rJo3buzy8KKbu1FwxcUSzNWNV7m539DEXWNxDi/
 q028x407IpLRuPJqk16zSmOJJ9Aa/1RYNDFoPNnYzprHlIaknNT9SGlWHtQiCAve
 vCxaf99a92tuT/TLiBtS3bSC9hvQnp8VW6JKsj4s27UTh+EXWDWO9Bphc30a8ueF
 yvcBCf2JoUfcDOLOwT8Y4jRZMNWxXHiSRiF0mtnyyNODk6Ml+kqcYf5dyuGu/38o
 KtvUAX/jMp/kpxtOp9AfkvqRqyHspWtzpdpAD1eLSeSsQ2nWmY92IFi5JrLYxeQv
 nFzhqtAh4l52xihk+NL/XsEwymXsyTHZI90alT+LWxNRbwIDAQABo4GkMIGhMB8G
 A1UdIwQYMBaAFCXR+icIicOKX3IIwEON7uRPILrFMA8GA1UdEwEB/wQFMAMBAf8w
 DgYDVR0PAQH/BAQDAgHGMB0GA1UdDgQWBBQl0fonCInDil9yCMBDje7kTyC6xTA+
 BggrBgEFBQcBAQQyMDAwLgYIKwYBBQUHMAGGImh0dHA6Ly92bTQuZXhhbXBsZS50
 ZXN0OjgwL2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAKTuz4N3D9eeQETNryQ2
 CyP/WcxZqFfFe1nLLGmLdl+aGph6b0VYy7c7QT8NqdIi163iaodx4ayF14EKGun7
 X4S76bIXKlp3qLEGJr0rduuohF/sOIdBFgvMkmolieyofLsIREabEZxXQGgNIHWv
 WwUZ+V+C1MFfDl3gc6jogy5mpUNbjg3ro8uOgwB2gYmojHuKAnsovZu64F5YlKsi
 MGYldwfMe7k/tE4SfZgLv98m4ogdT9ykm4MBzcfo4wmOQFrnInmquqJ6pyZ0+rzU
 oSGsasYJHza31GUv73a6MRJIRhJg4IHEFlGw1rUwKJ731xAoTTH82rRZK79bUdNr
 hOk=
 -----END CERTIFICATE-----
 
pre_certsave_command=/usr/lib64/ipa/certmonger/stop_pkicad
pre_certsave_uid=0
post_certsave_command=/usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
post_certsave_uid=0

Comment 4 Scott Poore 2014-11-22 03:19:28 UTC

FYI, if I run ipa-cacert-manage renew, it does renew and set expiration on new cert as expected.

Comment 5 Jan Cholasta 2014-11-25 08:07:28 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4765

Comment 9 Petr Vobornik 2014-12-09 12:08:51 UTC

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/423c3e8f34d6ae6655c3b82c4e5a18caf1e63a49
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/9bfb16c22043d714b8227567600f94345c40cad6

Comment 11 Scott Poore 2014-12-11 20:56:44 UTC

Verified.

Version ::
ipa-server-4.1.0-12.el7.x86_64

Results ::

This one took some work to walk the time in to almost the point where the CA was fully expired.  I had difficulty verifying this one because of bug #1173207 where certs wouldn't properly autorenew simultaneously.  

I was able to get this though.  During renewal cycle:

[root@vm2 ca]# getcert list -i 20141211192147
Number of certificates and requests being tracked: 8.
Request ID '20141211192147':
	status: SUBMITTING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin='563139244575'
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.TEST
	subject: CN=Certificate Authority,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes

And it renewed without forcing with resubmit.

[root@vm2 ca]# getcert list -i 20141211192147
Number of certificates and requests being tracked: 8.
Request ID '20141211192147':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin='563139244575'
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.TEST
	subject: CN=Certificate Authority,O=EXAMPLE.TEST
	expires: 2054-12-09 22:30:05 UTC
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes


.... and the results to get there:


[root@vm2 ca]# date 120916302034
Sat Dec  9 16:30:00 CST 2034

[root@vm2 ca]# date -u; getcert list | egrep "status|expires|Request|subject|ca-error"
Sat Dec  9 22:30:01 UTC 2034
Request ID '20141211192144':
	status: NOTIFYING_VALIDITY
	ca-error: Internal error: no response to "http://vm2.example.test:8080/ca/ee/ca/displayCertFromRequest?requestId=128&importCert=true&xml=true".
	subject: CN=CA Audit,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192145':
	status: CA_UNREACHABLE
	ca-error: Internal error
	subject: CN=OCSP Subsystem,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192146':
	status: NOTIFYING_VALIDITY
	ca-error: Internal error: no response to "http://vm2.example.test:8080/ca/ee/ca/displayCertFromRequest?requestId=130&importCert=true&xml=true".
	subject: CN=CA Subsystem,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192147':
	status: NOTIFYING_VALIDITY
	ca-error: Internal error: no response to "http://vm2.example.test:8080/ca/ee/ca/displayCertFromRequest?requestId=132&importCert=true&xml=true".
	subject: CN=Certificate Authority,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192148':
	status: NOTIFYING_VALIDITY
	ca-error: Internal error: no response to "http://vm2.example.test:8080/ca/ee/ca/displayCertFromRequest?requestId=129&importCert=true&xml=true".
	subject: CN=IPA RA,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192149':
	status: MONITORING
	subject: CN=vm2.example.test,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192150':
	status: MONITORING
	subject: CN=vm2.example.test,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192212':
	status: MONITORING
	subject: CN=vm2.example.test,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC

[root@vm2 ca]# date -u; getcert list | egrep "status|expires|Request|subject|ca-error"
Sat Dec  9 22:30:03 UTC 2034
Request ID '20141211192144':
	status: SUBMITTING
	subject: CN=CA Audit,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192145':
	status: CA_UNREACHABLE
	ca-error: Internal error
	subject: CN=OCSP Subsystem,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192146':
	status: SUBMITTING
	subject: CN=CA Subsystem,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192147':
	status: SUBMITTING
	subject: CN=Certificate Authority,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192148':
	status: SUBMITTING
	subject: CN=IPA RA,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192149':
	status: MONITORING
	subject: CN=vm2.example.test,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192150':
	status: MONITORING
	subject: CN=vm2.example.test,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192212':
	status: MONITORING
	subject: CN=vm2.example.test,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC

[root@vm2 ca]# date -u; getcert list | egrep "status|expires|Request|subject|ca-error"
Sat Dec  9 22:30:45 UTC 2034
Request ID '20141211192144':
	status: MONITORING
	subject: CN=CA Audit,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192145':
	status: CA_UNREACHABLE
	ca-error: Internal error
	subject: CN=OCSP Subsystem,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192146':
	status: NEED_TO_SAVE_CERT
	subject: CN=CA Subsystem,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192147':
	status: NEED_TO_SAVE_CERT
	subject: CN=Certificate Authority,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192148':
	status: NEED_TO_SAVE_CERT
	subject: CN=IPA RA,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192149':
	status: NEED_TO_SAVE_CERT
	subject: CN=vm2.example.test,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192150':
	status: SUBMITTING
	subject: CN=vm2.example.test,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192212':
	status: SUBMITTING
	subject: CN=vm2.example.test,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC

[root@vm2 ca]# date -u; getcert list | egrep "status|expires|Request|subject|ca-error"
Sat Dec  9 22:31:20 UTC 2034
Request ID '20141211192144':
	status: MONITORING
	subject: CN=CA Audit,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192145':
	status: CA_UNREACHABLE
	ca-error: Internal error
	subject: CN=OCSP Subsystem,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192146':
	status: NEED_TO_SAVE_CERT
	subject: CN=CA Subsystem,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192147':
	status: MONITORING
	subject: CN=Certificate Authority,O=EXAMPLE.TEST
	expires: 2054-12-09 22:30:05 UTC
Request ID '20141211192148':
	status: NEED_TO_SAVE_CERT
	subject: CN=IPA RA,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192149':
	status: NEED_TO_SAVE_CERT
	subject: CN=vm2.example.test,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192150':
	status: MONITORING
	subject: CN=vm2.example.test,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC
Request ID '20141211192212':
	status: MONITORING
	subject: CN=vm2.example.test,O=EXAMPLE.TEST
	expires: 2034-12-11 19:21:06 UTC

Comment 13 errata-xmlrpc 2015-03-05 10:15:42 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html

Note You need to log in before you can comment on or make changes to this bug.