Bug 1277691 - ipa-cacert-manage renew failed with validity out of range
Summary: ipa-cacert-manage renew failed with validity out of range
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 7.3
Assignee: Endi Sukma Dewata
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks: 1308854 1310200
Reported: 2015-11-03 20:28 UTC by Xiyang Dong
Modified: 2023-09-14 03:12 UTC (History)

Fixed In Version: pki-core-10.3.1-1.el7
Doc Type: Bug Fix
Doc Text:
The certificate validity was calculated incorrectly in case of a daylight saving time change in the validity period. Consequently, the "ipa-cacert-manage renew" command could fail with a validity error. With this update, the CA Validity Default has been modified to use Calendar API, which calculates the certificate validity range consistently with the Validity Constraint and Validity Default. As a result, a CA certificate is successfully renewed in this scenario.
Clone Of:
Clones: 1308854 1310200 (view as bug list)
Environment:
Last Closed: 2016-11-04 05:20:08 UTC
Target Upstream Version:
Embargoed:


Attachments
pki-core-Fixed-mismatching-certificate-validity-calculation.patch (7.53 KB, patch)
2016-01-26 18:06 UTC, Endi Sukma Dewata
mharmsen: review+


Links
Github dogtagpki pki issues 2241 (last updated 2020-10-04 21:01:59 UTC)
Red Hat Product Errata RHBA-2016:2396, priority normal, status SHIPPED_LIVE: pki-core bug fix and enhancement update (last updated 2016-11-03 13:55:03 UTC)

Description Xiyang Dong 2015-11-03 20:28:31 UTC
Description of problem:
ipa-cacert-manage renew failed with validity out of range

Version-Release number of selected component (if applicable):
ipa-server-4.2.0-15
pki-ca-10.2.5-6

How reproducible:
Always

Steps to Reproduce:
1. ipa server installed
2. manually renew CA cert

Actual results:
[root@amd-pike-05 ~]# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20151103191745':
	status: MONITORING
	subject: CN=CA Audit,O=TESTRELM.TEST
	expires: 2017-10-23 18:17:22 UTC
Request ID '20151103191746':
	status: MONITORING
	subject: CN=OCSP Subsystem,O=TESTRELM.TEST
	expires: 2017-10-23 18:17:20 UTC
Request ID '20151103191747':
	status: MONITORING
	subject: CN=CA Subsystem,O=TESTRELM.TEST
	expires: 2017-10-23 18:17:21 UTC
Request ID '20151103191748':
	status: MONITORING
	subject: CN=Certificate Authority,O=TESTRELM.TEST
	expires: 2035-11-03 19:17:17 UTC
Request ID '20151103191749':
	status: MONITORING
	subject: CN=IPA RA,O=TESTRELM.TEST
	expires: 2017-10-23 18:17:42 UTC
Request ID '20151103191750':
	status: MONITORING
	subject: CN=amd-pike-05.testrelm.test,O=TESTRELM.TEST
	expires: 2017-10-23 18:17:21 UTC
Request ID '20151103191801':
	status: MONITORING
	subject: CN=amd-pike-05.testrelm.test,O=TESTRELM.TEST
	expires: 2017-11-03 18:18:01 UTC
Request ID '20151103191823':
	status: MONITORING
	subject: CN=amd-pike-05.testrelm.test,O=TESTRELM.TEST
	expires: 2017-11-03 18:18:23 UTC
[root@amd-pike-05 ~]# ipa-cacert-manage renew
Renewing CA certificate, please wait
Error resubmitting certmonger request '20151103191748', please check the request manually

[root@amd-pike-05 ~]# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20151103191745':
	status: MONITORING
	subject: CN=CA Audit,O=TESTRELM.TEST
	expires: 2017-10-23 18:17:22 UTC
Request ID '20151103191746':
	status: MONITORING
	subject: CN=OCSP Subsystem,O=TESTRELM.TEST
	expires: 2017-10-23 18:17:20 UTC
Request ID '20151103191747':
	status: MONITORING
	subject: CN=CA Subsystem,O=TESTRELM.TEST
	expires: 2017-10-23 18:17:21 UTC
Request ID '20151103191748':
	status: MONITORING
	ca-error: Server at "http://amd-pike-05.testrelm.test:8080/ca/ee/ca/profileSubmit" replied: Request Rejected - {0}
	subject: CN=Certificate Authority,O=TESTRELM.TEST
	expires: 2035-11-03 19:17:17 UTC
Request ID '20151103191749':
	status: MONITORING
	subject: CN=IPA RA,O=TESTRELM.TEST
	expires: 2017-10-23 18:17:42 UTC
Request ID '20151103191750':
	status: MONITORING
	subject: CN=amd-pike-05.testrelm.test,O=TESTRELM.TEST
	expires: 2017-10-23 18:17:21 UTC
Request ID '20151103191801':
	status: MONITORING
	subject: CN=amd-pike-05.testrelm.test,O=TESTRELM.TEST
	expires: 2017-11-03 18:18:01 UTC
Request ID '20151103191823':
	status: MONITORING
	subject: CN=amd-pike-05.testrelm.test,O=TESTRELM.TEST
	expires: 2017-11-03 18:18:23 UTC

[root@amd-pike-05 ~]# less /var/log/pki/pki-tomcat/ca/debug
.
.
.

[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: ValidityConstraint: validate start
[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: ValidityConstraint: not before: Tue Nov 03 14:47:33 EST 2015
[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: ValidityConstraint: not after: Sat Nov 03 15:47:33 EDT 2035
[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: ValidityConstraint: range: 7305
[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: ValidityConstraint: range unit: day
[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: ValidityConstraint: limit: Sat Nov 03 14:47:33 EDT 2035
[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: CertRequestSubmitter: submit Validity Out of Range: Sat Nov 03 15:47:33 EDT 2035 is after Sat Nov 03 14:47:33 EDT 2035
[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: SignedAuditEventFactory: create() message=[AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=$NonRoleUser$][Outcome=Failure][ReqID=11][InfoName=rejectReason][InfoValue=Request Rejected - Validity Out of Range: Sat Nov 03 15:47:33 EDT 2035 is after Sat Nov 03 14:47:33 EDT 2035] certificate request processed

Expected results:

CA cert gets renewed successfully


Additional info:
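
The one-hour mismatch in the debug log above ("not after" 15:47:33 EDT versus "limit" 14:47:33 EDT for a 7305-day range starting 14:47:33 EST), as an added example that is not Dogtag's or the reporter's code: a Python model of the two validity calculations. The bug's doc text and fix commit state that CAValidityDefault was changed to use the Calendar API so that it agrees with ValidityConstraint; the model assumes the pre-fix default added range × 86,400,000 milliseconds to the notBefore epoch time, which reproduces the log's figures exactly. US Eastern DST rules are hard-coded (an assumption made to avoid depending on a system time-zone database), and all function names are the example's own.

```python
from datetime import datetime, timedelta, timezone

DAY_MS = 86_400_000  # milliseconds in a nominal day; a DST-change day is 23 or 25 hours

# Constructed model of US Eastern time using the post-2007 rules (assumption):
# DST begins the second Sunday of March at 02:00 EST (07:00 UTC) and
# ends the first Sunday of November at 02:00 EDT (06:00 UTC).
EST = timezone(timedelta(hours=-5), "EST")
EDT = timezone(timedelta(hours=-4), "EDT")


def _nth_sunday(year, month, n):
    first = datetime(year, month, 1)
    days_to_sunday = (6 - first.weekday()) % 7  # weekday(): Monday=0 ... Sunday=6
    return first + timedelta(days=days_to_sunday + 7 * (n - 1))


def eastern_zone(utc_dt):
    """Return EST or EDT for an aware UTC instant."""
    dst_start = _nth_sunday(utc_dt.year, 3, 2).replace(hour=7, tzinfo=timezone.utc)
    dst_end = _nth_sunday(utc_dt.year, 11, 1).replace(hour=6, tzinfo=timezone.utc)
    return EDT if dst_start <= utc_dt < dst_end else EST


def local_eastern(year, month, day, hour, minute, second):
    """Build an aware datetime from an Eastern wall-clock time, choosing EST or EDT."""
    naive = datetime(year, month, day, hour, minute, second)
    probe = naive.replace(tzinfo=EST).astimezone(timezone.utc)
    return naive.replace(tzinfo=eastern_zone(probe))


def fmt(dt):
    """Same layout as java.util.Date.toString(), e.g. 'Tue Nov 03 14:47:33 EST 2015'."""
    return dt.strftime("%a %b %d %H:%M:%S %Z %Y")


def not_after_epoch_ms(not_before, range_days):
    """Modelled pre-fix default: add range * 86,400,000 ms to the epoch time.
    This is an assumption about the old code; it reproduces the log's figures."""
    epoch_ms = int(not_before.timestamp()) * 1000 + range_days * DAY_MS
    instant = datetime.fromtimestamp(epoch_ms // 1000, tz=timezone.utc)
    return instant.astimezone(eastern_zone(instant))


def not_after_calendar(not_before, range_days):
    """Calendar-style arithmetic (as java.util.Calendar.add on a day field does):
    the same wall-clock time, range_days later, in whatever offset then applies."""
    later = not_before.replace(tzinfo=None) + timedelta(days=range_days)
    return local_eastern(later.year, later.month, later.day,
                         later.hour, later.minute, later.second)


def check_request(not_before, range_days, calendar_default):
    """Model the CA's decision: the validity default computes notAfter, then
    ValidityConstraint (calendar-based) rejects anything past its limit."""
    if calendar_default:
        not_after = not_after_calendar(not_before, range_days)
    else:
        not_after = not_after_epoch_ms(not_before, range_days)
    limit = not_after_calendar(not_before, range_days)
    return {
        "not_after": fmt(not_after),
        "limit": fmt(limit),
        "accepted": not_after <= limit,  # aware datetimes compare as instants
    }


if __name__ == "__main__":
    # Input values taken from the debug log in the bug description.
    not_before = local_eastern(2015, 11, 3, 14, 47, 33)
    for label, flag in (("pre-fix default", False), ("Calendar-based default", True)):
        result = check_request(not_before, 7305, flag)
        verdict = "accepted" if result["accepted"] else "Validity Out of Range"
        print(f"{label}: not after {result['not_after']}, "
              f"limit {result['limit']}: {verdict}")
```

The pre-fix path lands one hour past the constraint's limit only because a DST transition sits inside the 20-year range; a renewal started in summer and ending in summer would pass either way, which is why the reporter could not reproduce it once the test machine's clock was in standard time on both ends.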

Comment 4 Martin Kosek 2015-11-06 17:22:24 UTC
Needs to be first investigated within "ipa" component.

Comment 5 Endi Sukma Dewata 2015-11-06 17:37:44 UTC
This might be caused by mismatching time zones (i.e. EST vs. EDT) in the certificate validity range. Please try the workaround mentioned in this ticket:
https://fedorahosted.org/pki/ticket/1682

If it fixes the problem, please assign the ticket back to pki-core. Thanks.

Comment 6 Jan Cholasta 2015-11-09 07:24:55 UTC
I was not able to reproduce this with:

certmonger-0.78.4-1.el7.x86_64
ipa-server-4.2.0-15.el7.x86_64
pki-ca-10.2.5-6.el7.noarch

My guess is that this was caused by DST.

For the record, IPA explicitly requests the validity not to be checked on the CA certificate by setting bypassCAnotafter=true in the certificate request approval options.

Comment 7 Martin Kosek 2015-11-09 09:23:23 UTC
Waiting on reporter's reply, when Comment 5 is confirmed.

Comment 8 Xiyang Dong 2015-11-09 16:12:17 UTC
I don't have access to the machine I tested on anymore since it's returned to beaker.
When I get a new machine, timezone is EST and ipa-cacert-manage renew works.
Is there any way I can change to EDT and try the workaround?

Comment 9 Jan Cholasta 2015-11-10 11:41:00 UTC
I can see in /var/log/pki/pki-tomcat/ca/debug on my system that the bypassCAvalidity=true option is properly passed to the CA, which means it should not check the validity, so this is not an IPA bug.

Changing the component back to pki-core.

Comment 10 Christina Fu 2016-01-06 21:49:02 UTC
Where was the bypassCAnotafter=true set?
Is this the same issue reported in:
https://bugzilla.redhat.com/show_bug.cgi?id=1150031 ?
If so, please look in the bug for the workaround on how to set bypassCAnotafter=true properly.

The time zone issue is separate though.

Comment 11 Matthew Harmsen 2016-01-07 01:27:54 UTC
Per discussions in the RHEL 7.3 Triage meeting of 01/06/2016: priority medium

Comment 12 Matthew Harmsen 2016-01-07 01:32:13 UTC
Upstream ticket:
https://fedorahosted.org/pki/ticket/1721

Comment 13 Endi Sukma Dewata 2016-01-26 18:01:20 UTC
Setting bypassCAnotafter to true will allow the new cert validity end date to go beyond the CA validity end date, and setting it to false will cause it not to go beyond the CA validity end date, but either way the parameter does not cause the renewal request to be rejected.

The rejection is actually caused by the cert validity calculation bug described in PKI ticket #1682 (https://fedorahosted.org/pki/ticket/1682).

Comment 14 Endi Sukma Dewata 2016-01-26 18:06:48 UTC
Created attachment 1118564 [details]
pki-core-Fixed-mismatching-certificate-validity-calculation.patch

The problem has been fixed in master:
* 9193fe5191d1bd857b7e1f5a398c6a279b42ec84

Comment 15 Endi Sukma Dewata 2016-01-26 18:15:33 UTC
Steps to verify:

1. Change the system date such that the CA certificate validity starts in standard time and ends in daylight saving time, for example:

$ timedatectl set-time 2015-10-26

2. Install IPA and verify the CA cert validity starts in standard time and ends in daylight saving time, for example:

$ pki cert-find
  Serial Number: 0x1
  Subject DN: CN=CA Signing Certificate,O=EXAMPLE
  Status: VALID
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Mon Oct 26 00:02:38 CET 2015
  Not Valid After: Fri Oct 26 01:02:38 CEST 2035
  Issued On: Mon Oct 26 00:02:38 CET 2015
  Issued By: system

3. Request a new CA certificate (or request a renewal), for example:

$ pki -c Secret123 client-init
$ pki -c Secret123 client-cert-request "cn=Certificate Authority" --profile caCACert

The "Request Status" should now show "pending" instead of "rejected".

Comment 19 Matthew Harmsen 2016-02-04 01:29:16 UTC
Comment on attachment 1118564 [details]
pki-core-Fixed-mismatching-certificate-validity-calculation.patch

(1) Set up RHEL 7.2 VM, installed IPA, and ran procedure in Comment #15;
    received 'Request Status: rejected'.
(2) Updated pki packages that had been built with this patch, and re-ran
    'pki -c Secret123 client-cert-request "cn=Certificate Authority" --profile
     caCACert':

-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 12
  Type: enrollment
  Request Status: pending
  Operation Result: success

Comment 20 Matthew Harmsen 2016-02-04 01:37:19 UTC
pki-core-Fixed-mismatching-certificate-validity-calculation.patch:


Since this particular ticket is for RHEL 7.3 (awaiting a request for the RHEL 7.2 Z-Stream ticket), I checked and pushed this patch into the RHEL 7.3 Brew branch (but did not build since RHEL 7.3 will be based upon Dogtag 10.3 rather than 10.2.5) to allow this bug to be moved to MODIFIED:


commit 198b10b9eb3eb72f80fc7dd523ed74ef1303d4f5
Author: Matthew Harmsen <mharmsen>
Date:   Wed Feb 3 18:34:47 2016 -0700

    Resolves: rhbz #1277691
    
    - Bugzilla Bug #1277691 - ipa-cacert-manage renew failed with validity
      out of range [edewata]

Comment 22 Matthew Harmsen 2016-02-20 00:37:43 UTC
Pushed to DOGTAG_10_2_RHEL_BRANCH:

commit 66c2a8d2b0d953b6dcec2a8ccefff689277cea2f
Author: Endi S. Dewata <edewata>
Date:   Sun Dec 20 21:46:56 2015 +0100

    Fixed mismatching certificate validity calculation.
    
    The CAValidityDefault has been modified to use Calendar API to
    calculate the certificate validity range to be consistent with
    the ValidityConstraint and ValidityDefault.
    
    https://fedorahosted.org/pki/ticket/1682
    (cherry picked from commit 05ee3265165f93b357ed17b47fe3f62f9b67ae8b)

NOTE:  This patch is also contained in the 'master', and will be overwritten
       when the re-base to 10.3.0 is performed.

Comment 23 Matthew Harmsen 2016-03-29 21:15:17 UTC
(In reply to Matthew Harmsen from comment #20)
> pki-core-Fixed-mismatching-certificate-validity-calculation.patch:
> 
> 
> Since this particular ticket is for RHEL 7.3 (awaiting a request for the
> RHEL 7.2 Z-Stream ticket), I checked and pushed this patch into the RHEL 7.3
> Brew branch (but did not build since RHEL 7.3 will be based upon Dogtag 10.3
> rather than 10.2.5) to allow this bug to be moved to MODIFIED:
> 
> 
> commit 198b10b9eb3eb72f80fc7dd523ed74ef1303d4f5
> Author: Matthew Harmsen <mharmsen>
> Date:   Wed Feb 3 18:34:47 2016 -0700
> 
>     Resolves: rhbz #1277691
>     
>     - Bugzilla Bug #1277691 - ipa-cacert-manage renew failed with validity
>       out of range [edewata]

Moving back from MODIFIED --> POST

Comment 25 Xiyang Dong 2016-09-20 13:44:20 UTC
Verified on pki-ca-10.3.3-10.el7, ipa-server-4.4.0-11.el7:
[root@cloud-qe-14 ~]# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20160919154756':
	status: MONITORING
	subject: CN=CA Audit,O=TESTRELM.TEST
	expires: 2018-09-09 15:47:36 UTC
Request ID '20160919154757':
	status: MONITORING
	subject: CN=OCSP Subsystem,O=TESTRELM.TEST
	expires: 2018-09-09 15:47:34 UTC
Request ID '20160919154758':
	status: MONITORING
	subject: CN=CA Subsystem,O=TESTRELM.TEST
	expires: 2018-09-09 15:47:35 UTC
Request ID '20160919154759':
	status: MONITORING
	subject: CN=Certificate Authority,O=TESTRELM.TEST
	expires: 2036-09-19 15:47:31 UTC
Request ID '20160919154800':
	status: MONITORING
	subject: CN=IPA RA,O=TESTRELM.TEST
	expires: 2018-09-09 15:47:53 UTC
Request ID '20160919154801':
	status: MONITORING
	subject: CN=cloud-qe-14.testrelm.test,O=TESTRELM.TEST
	expires: 2018-09-09 15:47:35 UTC
Request ID '20160919154815':
	status: MONITORING
	subject: CN=cloud-qe-14.testrelm.test,O=TESTRELM.TEST
	expires: 2018-09-20 15:48:15 UTC
Request ID '20160919154837':
	status: MONITORING
	subject: CN=cloud-qe-14.testrelm.test,O=TESTRELM.TEST
	expires: 2018-09-20 15:48:37 UTC

[root@cloud-qe-14 ~]# date -s "710 day"
Fri Aug 31 09:40:04 EDT 2018
[root@cloud-qe-14 ~]# ipa-cacert-manage renew
Renewing CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful
You have new mail in /var/spool/mail/root
[root@cloud-qe-14 ~]# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20160919154756':
	status: MONITORING
	subject: CN=CA Audit,O=TESTRELM.TEST
	expires: 2020-08-20 13:40:27 UTC
Request ID '20160919154757':
	status: MONITORING
	subject: CN=OCSP Subsystem,O=TESTRELM.TEST
	expires: 2020-08-20 13:40:17 UTC
Request ID '20160919154758':
	status: MONITORING
	subject: CN=CA Subsystem,O=TESTRELM.TEST
	expires: 2020-08-20 13:40:57 UTC
Request ID '20160919154759':
	status: MONITORING
	subject: CN=Certificate Authority,O=TESTRELM.TEST
	expires: 2038-08-31 13:40:18 UTC
Request ID '20160919154800':
	status: MONITORING
	subject: CN=IPA RA,O=TESTRELM.TEST
	expires: 2020-08-20 13:40:37 UTC
Request ID '20160919154801':
	status: MONITORING
	subject: CN=cloud-qe-14.testrelm.test,O=TESTRELM.TEST
	expires: 2020-08-20 13:40:14 UTC
Request ID '20160919154815':
	status: MONITORING
	subject: CN=cloud-qe-14.testrelm.test,O=TESTRELM.TEST
	expires: 2020-08-31 13:40:35 UTC
Request ID '20160919154837':
	status: MONITORING
	subject: CN=cloud-qe-14.testrelm.test,O=TESTRELM.TEST
	expires: 2020-08-31 13:40:25 UTC

[root@cloud-qe-14 ~]# cat /var/log/pki/pki-tomcat/ca/debug | grep "Validity Out of Range"
[root@cloud-qe-14 ~]#

Comment 27 errata-xmlrpc 2016-11-04 05:20:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2396.html

Comment 28 Red Hat Bugzilla 2023-09-14 03:12:22 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days

