Bug 1178128 - IPA externally signed CA cert expiration warning missing from log
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.1
Priority: medium
Severity: unspecified
Target Milestone: rc
Assigned To: IPA Maintainers
QA Contact: Namita Soman
Reported: 2015-01-02 08:56 EST by Scott Poore
Modified: 2015-03-05 05:19 EST
Fixed In Version: ipa-4.1.0-14.el7
Doc Type: Bug Fix
Last Closed: 2015-03-05 05:19:17 EST
Type: Bug

External Trackers:
Tracker ID: Red Hat Product Errata RHSA-2015:0442
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: ipa security, bug fix, and enhancement update
Last Updated: 2015-03-05 09:50:39 EST

Description Scott Poore 2015-01-02 08:56:02 EST
Description of problem:

When IPA server's externally signed CA cert is about to expire, I'd expect to see a message in /var/log/messages.  I walked the server's time slowly from 4 weeks out to the expiration time and never saw a message.  All I saw was getcert change:

[root@rhel7-9 log]# getcert list -i 20141216222410
Number of certificates and requests being tracked: 8.
Request ID '20141216222410':
        status: MONITORING
        ca-error: Updated certificate not available
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin='285787707402'
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Primary Fake CA,O=fakerealm1
        subject: CN=Certificate Authority,O=EXAMPLE.COM
        expires: 2019-12-16 22:21:55 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes


Version-Release number of selected component (if applicable):
ipa-server-4.1.0-13.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1.  Start IPA server install requiring externally signed CA:

ipa-server-install --setup-dns --forwarder=192.168.122.1 -r EXAMPLE.TEST -a Secret123 -p Secret123 --external-ca -U

2.  Set up fake external CA for signing

SERNUM=$RANDOM

SERNUM=$(( SERNUM += 1 ))
echo -e "y\n10\ny\n" | \
certutil -S -d . \
    -n RootCA \
    -s "CN=MyRootCA, O=fakerealm1" \
    -x \
    -t "CTu,CTu,CTu" \
    -g 2048 \
    -m $SERNUM \
    -v 60 \
    -z /etc/group \
    -2 \
    --keyUsage certSigning \
    --nsCertType sslCA,smimeCA,objectSigningCA \
    -f mypass1

3.  Sign IPA CSR and export fake CA cert

SERNUM=$(( SERNUM += 1 ))
echo -e "y\n10\ny\n" | \
certutil -C -d . \
    -c RootCA \
    -m $SERNUM \
    -v 60 \
    -2 \
    --keyUsage digitalSignature,nonRepudiation,certSigning \
    --nsCertType sslCA,smimeCA,objectSigningCA \
    -i /root/ipa.csr \
    -o /root/ipa.crt \
    -f mypass1 \
    -a

certutil -L -d . -n "RootCA" -a >> /root/ipacacert.asc

4.  Finish IPA install 

cd  /root

ipa-server-install --setup-dns --forwarder=192.168.122.1 \
    -r EXAMPLE.TEST -a Secret123 -p Secret123 \
    --external-cert-file=/root/ipa.crt \
    --external-cert-file=/root/ipacacert.asc -U

5.  Walk time forward with date command while making sure certs expire

date <soonest_expiration_minus_4_weeks>
getcert list | egrep "status|expires|Request|subject|ca-error"

6.  When you get within 4 weeks of CA expiring, check /var/log/messages for message

grep "IPA CA certificate is about to expire, use ipa-cacert-manage to renew it" /var/log/messages

Actual results:

no warning seen in log

Expected results:

Should see:
"IPA CA certificate is about to expire, use ipa-cacert-manage to renew it" 


Additional info:
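The check the report says is missing, as an added example (not IPA or certmonger code): parse `getcert list` output like the listings above and emit the expected log line for an externally signed CA cert that is inside the expiry window. Assumptions: the window is the 4 weeks the reporter walked through; the CA signing cert is identified by its subject CN=Certificate Authority; "externally signed" means issuer differs from subject; the sample listing is constructed, with the second entry and its 2021 expiry made up so the two cases differ.

```python
# Added example, not IPA or certmonger code: parse `getcert list` output and
# emit the missing "about to expire" warning for an externally signed CA cert.
import re
from datetime import datetime, timedelta

# Constructed sample shaped like the `getcert list` listings in this report
# (CA cert entry modelled on the verification run; the second entry and its
# later expiry date are made up so the two cases differ).
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20150114215738':
\tstatus: MONITORING
\tca-error: Updated certificate not available
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Primary Fake CA,O=fakerealm1
\tsubject: CN=Certificate Authority,O=EXAMPLE.TEST
\texpires: 2020-01-14 21:56:16 UTC
Request ID '20150114215740':
\tstatus: MONITORING
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=vm1.example.test,O=EXAMPLE.TEST
\texpires: 2021-06-01 00:00:00 UTC
"""

WARNING = "IPA CA certificate is about to expire, use ipa-cacert-manage to renew it"
# Assumption: warn inside the 4-week window the reporter walked through.
DEFAULT_THRESHOLD = timedelta(days=28)

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':$")
FIELD_RE = re.compile(r"^\s+(?P<key>[^:]+): ?(?P<value>.*)$")


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group("id")}
            requests.append(current)
            continue
        if current is None:
            continue  # "Number of certificates ..." header line
        m = FIELD_RE.match(line)
        if m:
            current[m.group("key")] = m.group("value")
    return requests


def parse_expires(value):
    """getcert prints 'YYYY-MM-DD HH:MM:SS UTC'; return a naive UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC")


def _as_datetime(now):
    # Accept either a datetime or a clock string in getcert's own format.
    return parse_expires(now) if isinstance(now, str) else now


def is_ipa_ca_cert(req):
    # Assumption: the CA signing cert is the entry whose subject is
    # CN=Certificate Authority, as in the listings in this report.
    return req.get("subject", "").startswith("CN=Certificate Authority,")


def is_externally_signed(req):
    # A self-signed IPA CA has issuer == subject; anything else was signed by
    # an external CA and has to be renewed with ipa-cacert-manage.
    return req.get("issuer") != req.get("subject")


def expiring_soon(text, now, threshold=DEFAULT_THRESHOLD):
    """(request id, subject, whole days left) for each cert expiring within threshold.
    Already-expired certs (negative remaining time) are reported too."""
    now = _as_datetime(now)
    hits = []
    for req in parse_getcert_list(text):
        if "expires" not in req:
            continue
        remaining = parse_expires(req["expires"]) - now
        if remaining <= threshold:
            hits.append((req["id"], req.get("subject", ""), remaining.days))
    return hits


def ca_expiry_warnings(text, now, threshold=DEFAULT_THRESHOLD):
    """The log line the report expects, once per externally signed CA cert in the window."""
    now = _as_datetime(now)
    msgs = []
    for req in parse_getcert_list(text):
        if not (is_ipa_ca_cert(req) and is_externally_signed(req)) or "expires" not in req:
            continue
        if parse_expires(req["expires"]) - now <= threshold:
            msgs.append(WARNING)
    return msgs


if __name__ == "__main__":
    # Clock value from the verification run in comment 5.
    now = "2019-12-19 15:56:47 UTC"
    for rid, subject, days in expiring_soon(SAMPLE_GETCERT_OUTPUT, now):
        print(f"{rid} {subject}: {days} days left")
    for msg in ca_expiry_warnings(SAMPLE_GETCERT_OUTPUT, now):
        print(msg)
```

Run it with the clock set to the date from the verification run and only the externally signed CA entry trips the warning; move the clock back outside the window and nothing is reported. The comparison is `remaining <= threshold` rather than a strict check on positive days, so a cert that has already lapsed keeps being flagged instead of dropping silently out of the report.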
Comment 2 Jan Cholasta 2015-01-02 09:25:07 EST
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4820
Comment 5 Scott Poore 2015-01-14 17:28:13 EST
Verified.

Version ::

ipa-server-4.1.0-15.el7.x86_64

Results ::

I installed with external-ca and then walked time forward until it expired.

[root@vm1 ~]# g
Request ID '20150114215735':
	status: SUBMITTING
	subject: CN=CA Audit,O=EXAMPLE.TEST
	expires: 2020-01-14 21:56:16 UTC
Request ID '20150114215736':
	status: SUBMITTING
	subject: CN=OCSP Subsystem,O=EXAMPLE.TEST
	expires: 2020-01-14 21:56:16 UTC
Request ID '20150114215737':
	status: SUBMITTING
	subject: CN=CA Subsystem,O=EXAMPLE.TEST
	expires: 2020-01-14 21:56:16 UTC
Request ID '20150114215738':
	status: MONITORING
	ca-error: Updated certificate not available
	subject: CN=Certificate Authority,O=EXAMPLE.TEST
	expires: 2020-01-14 21:56:16 UTC
Request ID '20150114215739':
	status: SUBMITTING
	subject: CN=IPA RA,O=EXAMPLE.TEST
	expires: 2020-01-14 21:56:16 UTC
Request ID '20150114215740':
	status: MONITORING
	subject: CN=vm1.example.test,O=EXAMPLE.TEST
	expires: 2020-01-14 21:56:16 UTC
Request ID '20150114215741':
	status: MONITORING
	subject: CN=vm1.example.test,O=EXAMPLE.TEST
	expires: 2020-01-14 21:56:16 UTC
Request ID '20150114215808':
	status: MONITORING
	subject: CN=vm1.example.test,O=EXAMPLE.TEST
	expires: 2020-01-14 21:56:16 UTC
Thu Dec 19 15:56:49 CST 2019

[root@vm1 ~]# grep "IPA CA certificate is about to expire, use ipa-cacert-manage to renew it" /var/log/messages
Dec 19 15:56:47 vm1 dogtag-ipa-ca-renew-agent-submit: IPA CA certificate is about to expire, use ipa-cacert-manage to renew it
Comment 7 errata-xmlrpc 2015-03-05 05:19:17 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html
