Bug 1277691 - ipa-cacert-manage renew failed with validity out of range
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 7.3
Assigned To: Endi Sukma Dewata
QA Contact: Asha Akkiangady
Keywords: TestBlocker, ZStream
Blocks: 1308854 1310200
Reported: 2015-11-03 15:28 EST by Xiyang Dong
Modified: 2016-11-04 01:20 EDT
Fixed In Version: pki-core-10.3.1-1.el7
Doc Type: Bug Fix
Doc Text:
The certificate validity was calculated incorrectly in case of a daylight saving time change in the validity period. Consequently, the "ipa-cacert-manage renew" command could fail with a validity error. With this update, the CA Validity Default has been modified to use Calendar API, which calculates the certificate validity range consistently with the Validity Constraint and Validity Default. As a result, a CA certificate is successfully renewed in this scenario.
Last Closed: 2016-11-04 01:20:08 EDT
Type: Bug
Flags: mkolaja: needinfo? (snagar)

Attachments:
pki-core-Fixed-mismatching-certificate-validity-calculation.patch (7.53 KB, patch), 2016-01-26 13:06 EST, Endi Sukma Dewata, flags: mharmsen: review+

Description Xiyang Dong 2015-11-03 15:28:31 EST
Description of problem:
ipa-cacert-manage renew failed with validity out of range

Version-Release number of selected component (if applicable):
ipa-server-4.2.0-15
pki-ca-10.2.5-6

How reproducible:
Always

Steps to Reproduce:
1. IPA server installed
2. Manually renew CA cert

Actual results:
[root@amd-pike-05 ~]# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20151103191745':
	status: MONITORING
	subject: CN=CA Audit,O=TESTRELM.TEST
	expires: 2017-10-23 18:17:22 UTC
Request ID '20151103191746':
	status: MONITORING
	subject: CN=OCSP Subsystem,O=TESTRELM.TEST
	expires: 2017-10-23 18:17:20 UTC
Request ID '20151103191747':
	status: MONITORING
	subject: CN=CA Subsystem,O=TESTRELM.TEST
	expires: 2017-10-23 18:17:21 UTC
Request ID '20151103191748':
	status: MONITORING
	subject: CN=Certificate Authority,O=TESTRELM.TEST
	expires: 2035-11-03 19:17:17 UTC
Request ID '20151103191749':
	status: MONITORING
	subject: CN=IPA RA,O=TESTRELM.TEST
	expires: 2017-10-23 18:17:42 UTC
Request ID '20151103191750':
	status: MONITORING
	subject: CN=amd-pike-05.testrelm.test,O=TESTRELM.TEST
	expires: 2017-10-23 18:17:21 UTC
Request ID '20151103191801':
	status: MONITORING
	subject: CN=amd-pike-05.testrelm.test,O=TESTRELM.TEST
	expires: 2017-11-03 18:18:01 UTC
Request ID '20151103191823':
	status: MONITORING
	subject: CN=amd-pike-05.testrelm.test,O=TESTRELM.TEST
	expires: 2017-11-03 18:18:23 UTC
[root@amd-pike-05 ~]# ipa-cacert-manage renew
Renewing CA certificate, please wait
Error resubmitting certmonger request '20151103191748', please check the request manually

[root@amd-pike-05 ~]# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20151103191745':
	status: MONITORING
	subject: CN=CA Audit,O=TESTRELM.TEST
	expires: 2017-10-23 18:17:22 UTC
Request ID '20151103191746':
	status: MONITORING
	subject: CN=OCSP Subsystem,O=TESTRELM.TEST
	expires: 2017-10-23 18:17:20 UTC
Request ID '20151103191747':
	status: MONITORING
	subject: CN=CA Subsystem,O=TESTRELM.TEST
	expires: 2017-10-23 18:17:21 UTC
Request ID '20151103191748':
	status: MONITORING
	ca-error: Server at "http://amd-pike-05.testrelm.test:8080/ca/ee/ca/profileSubmit" replied: Request Rejected - {0}
	subject: CN=Certificate Authority,O=TESTRELM.TEST
	expires: 2035-11-03 19:17:17 UTC
Request ID '20151103191749':
	status: MONITORING
	subject: CN=IPA RA,O=TESTRELM.TEST
	expires: 2017-10-23 18:17:42 UTC
Request ID '20151103191750':
	status: MONITORING
	subject: CN=amd-pike-05.testrelm.test,O=TESTRELM.TEST
	expires: 2017-10-23 18:17:21 UTC
Request ID '20151103191801':
	status: MONITORING
	subject: CN=amd-pike-05.testrelm.test,O=TESTRELM.TEST
	expires: 2017-11-03 18:18:01 UTC
Request ID '20151103191823':
	status: MONITORING
	subject: CN=amd-pike-05.testrelm.test,O=TESTRELM.TEST
	expires: 2017-11-03 18:18:23 UTC

[root@amd-pike-05 ~]# less /var/log/pki/pki-tomcat/ca/debug
.
.
.

[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: ValidityConstraint: validate start
[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: ValidityConstraint: not before: Tue Nov 03 14:47:33 EST 2015
[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: ValidityConstraint: not after: Sat Nov 03 15:47:33 EDT 2035
[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: ValidityConstraint: range: 7305
[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: ValidityConstraint: range unit: day
[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: ValidityConstraint: limit: Sat Nov 03 14:47:33 EDT 2035
[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: CertRequestSubmitter: submit Validity Out of Range: Sat Nov 03 15:47:33 EDT 2035 is after Sat Nov 03 14:47:33 EDT 2035
[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: SignedAuditEventFactory: create() message=[AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=$NonRoleUser$][Outcome=Failure][ReqID=11][InfoName=rejectReason][InfoValue=Request Rejected - Validity Out of Range: Sat Nov 03 15:47:33 EDT 2035 is after Sat Nov 03 14:47:33 EDT 2035] certificate request processed

Expected results:

CA cert gets renewed successfully


Additional info:
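The Doc Text at the top of the page says the pre-fix CAValidityDefault added a fixed amount of elapsed time while ValidityConstraint advanced the calendar by whole days, and the debug log above shows the resulting one-hour gap (15:47:33 EDT versus 14:47:33 EDT). The following Python script is an added example, not Dogtag code, that reproduces both calculations on the log's own timestamps. USEastern is a simplified stand-in for the CA host's America/New_York zone (post-2007 US rules, no tz database needed), and fmt, not_after_by_elapsed_ms, not_after_by_calendar and validity_constraint are illustrative names, not PKI API.

```python
from datetime import datetime, timedelta, timezone, tzinfo

ZERO = timedelta(0)
HOUR = timedelta(hours=1)
MS_PER_DAY = 24 * 60 * 60 * 1000


def _nth_sunday(year, month, n):
    """Midnight of the n-th Sunday of a month (n=1 first, n=2 second)."""
    first = datetime(year, month, 1)
    return first + timedelta(days=(6 - first.weekday()) % 7 + 7 * (n - 1))


class USEastern(tzinfo):
    """Simplified model of America/New_York (post-2007 US rules, assumed here):
    UTC-5 in standard time (EST); UTC-4 (EDT) from the second Sunday in March
    02:00 to the first Sunday in November 02:00.  Stand-in for the CA host's
    system zone so the example runs without a tz database."""

    def dst(self, dt):
        if dt is None:
            return ZERO
        start = _nth_sunday(dt.year, 3, 2) + timedelta(hours=2)
        end = _nth_sunday(dt.year, 11, 1) + timedelta(hours=2)
        return HOUR if start <= dt.replace(tzinfo=None) < end else ZERO

    def utcoffset(self, dt):
        return timedelta(hours=-5) + self.dst(dt)

    def tzname(self, dt):
        return "EDT" if self.dst(dt) else "EST"


EASTERN = USEastern()

# Values taken from the CA debug log in the description above.
NOT_BEFORE = datetime(2015, 11, 3, 14, 47, 33, tzinfo=EASTERN)
RANGE_DAYS = 7305          # "ValidityConstraint: range: 7305", "range unit: day"


def fmt(dt):
    """Render like java.util.Date.toString(), the format the debug log uses."""
    return dt.strftime("%a %b %d %H:%M:%S %Z %Y")


def not_after_by_elapsed_ms(not_before, days):
    """Pre-fix CAValidityDefault behaviour as described in the Doc Text: add a
    fixed number of milliseconds (days * 86400000).  The elapsed time is exact,
    but the local wall-clock hour moves when a DST change falls in the range."""
    in_utc = not_before.astimezone(timezone.utc)
    later = in_utc + timedelta(milliseconds=days * MS_PER_DAY)
    return later.astimezone(not_before.tzinfo)


def not_after_by_calendar(not_before, days):
    """Calendar arithmetic (java.util.Calendar.add(DAY_OF_YEAR, days)), which
    ValidityConstraint uses and the fix makes CAValidityDefault use as well:
    the same wall-clock time, `days` calendar days later.  Adding a timedelta
    to an aware datetime in Python is exactly this wall-clock arithmetic."""
    return not_before + timedelta(days=days)


def validity_constraint(not_before, not_after, range_days):
    """Mimic the ValidityConstraint check from the debug log: the limit is
    not_before plus `range_days` calendar days.  Return the rejection reason
    when not_after lies beyond the limit, or None when the request passes."""
    limit = not_after_by_calendar(not_before, range_days)
    if not_after > limit:
        return f"Validity Out of Range: {fmt(not_after)} is after {fmt(limit)}"
    return None


if __name__ == "__main__":
    for label, calc in (("elapsed-ms (old)", not_after_by_elapsed_ms),
                        ("calendar (fixed)", not_after_by_calendar)):
        not_after = calc(NOT_BEFORE, RANGE_DAYS)
        verdict = validity_constraint(NOT_BEFORE, not_after, RANGE_DAYS) or "accepted"
        print(f"{label}: not after {fmt(not_after)} -> {verdict}")
```

Run as-is, the elapsed-milliseconds path yields the exact rejection line from the log and the calendar path is accepted; the only thing that changed between the two is which arithmetic produced "not after", which is why the fix lands in CAValidityDefault rather than in the constraint.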
Comment 4 Martin Kosek 2015-11-06 12:22:24 EST
Needs to be first investigated within "ipa" component.
Comment 5 Endi Sukma Dewata 2015-11-06 12:37:44 EST
This might be caused by mismatching time zones (i.e. EST vs. EDT) in the certificate validity range. Please try the workaround mentioned in this ticket:
https://fedorahosted.org/pki/ticket/1682

If it fixes the problem, please assign the ticket back to pki-core. Thanks.
Comment 6 Jan Cholasta 2015-11-09 02:24:55 EST
I was not able to reproduce this with:

certmonger-0.78.4-1.el7.x86_64
ipa-server-4.2.0-15.el7.x86_64
pki-ca-10.2.5-6.el7.noarch

My guess is that this was caused by DST.

For the record, IPA explicitly requests the validity not to be checked on the CA certificate by setting bypassCAnotafter=true in the certificate request approval options.
Comment 7 Martin Kosek 2015-11-09 04:23:23 EST
Waiting on reporter's reply, when Comment 5 is confirmed.
Comment 8 Xiyang Dong 2015-11-09 11:12:17 EST
I don't have access to the machine I tested on anymore since it's returned to beaker.
When I get a new machine, timezone is EST and ipa-cacert-manage renew works.
Is there any way I can change to EDT and try the workaround?
Comment 9 Jan Cholasta 2015-11-10 06:41:00 EST
I can see in /var/log/pki/pki-tomcat/ca/debug on my system that the bypassCAvalidity=true option is properly passed to the CA, which means it should not check the validity, so this is not an IPA bug.

Changing the component back to pki-core.
Comment 10 Christina Fu 2016-01-06 16:49:02 EST
Where was the bypassCAnotafter=true set?
Is this the same issue reported in:
https://bugzilla.redhat.com/show_bug.cgi?id=1150031 ?
If so, please look in the bug for the workaround on how to set
bypassCAnotafter=true properly.

The time zone issue is separate though.
Comment 11 Matthew Harmsen 2016-01-06 20:27:54 EST
Per discussions in the RHEL 7.3 Triage meeting of 01/06/2016: priority medium
Comment 12 Matthew Harmsen 2016-01-06 20:32:13 EST
Upstream ticket:
https://fedorahosted.org/pki/ticket/1721
Comment 13 Endi Sukma Dewata 2016-01-26 13:01:20 EST
Setting bypassCAnotafter to true will allow the new cert validity end date to go beyond the CA validity end date, and setting it to false will cause it not to go beyond the CA validity end date, but either way the parameter does not cause the renewal request to be rejected.

The rejection is actually caused by a cert validity calculation bug as described in PKI ticket #1682 (https://fedorahosted.org/pki/ticket/1682).
Comment 14 Endi Sukma Dewata 2016-01-26 13:06 EST
Created attachment 1118564: pki-core-Fixed-mismatching-certificate-validity-calculation.patch

The problem has been fixed in master:
* 9193fe5191d1bd857b7e1f5a398c6a279b42ec84
Comment 15 Endi Sukma Dewata 2016-01-26 13:15:33 EST
Steps to verify:

1. Change the system date such that the CA certificate validity starts in standard time and ends in daylight saving time, for example:

$ timedatectl set-time 2015-10-26

2. Install IPA and verify the CA cert validity starts in standard time and ends in daylight saving time, for example:

$ pki cert-find
  Serial Number: 0x1
  Subject DN: CN=CA Signing Certificate,O=EXAMPLE
  Status: VALID
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Mon Oct 26 00:02:38 CET 2015
  Not Valid After: Fri Oct 26 01:02:38 CEST 2035
  Issued On: Mon Oct 26 00:02:38 CET 2015
  Issued By: system

3. Request a new CA certificate (or request a renewal), for example:

$ pki -c Secret123 client-init
$ pki -c Secret123 client-cert-request "cn=Certificate Authority" --profile caCACert

The "Request Status" should now show "pending" instead of "rejected".
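Step 2 of the procedure above asks the tester to confirm by eye that the CA certificate starts in standard time and ends in daylight saving time. The script below is an added example (not part of the comment and not pki's own code) that performs that check over the `pki cert-find` output quoted above, and also exposes the one-hour wall-clock shift between "Not Valid Before" and "Not Valid After" that the pre-fix calculation leaves behind. STANDARD_TIME and DAYLIGHT_TIME are an assumed classification of the zone abbreviations java.util.Date prints; parse_java_date, cert_validity, straddles_dst, validity_days and wall_clock_shift_hours are illustrative names.

```python
import re
from datetime import datetime, timedelta

# Output of `pki cert-find` copied from step 2 of the verification steps above.
SAMPLE_OUTPUT = """\
  Serial Number: 0x1
  Subject DN: CN=CA Signing Certificate,O=EXAMPLE
  Status: VALID
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Mon Oct 26 00:02:38 CET 2015
  Not Valid After: Fri Oct 26 01:02:38 CEST 2035
  Issued On: Mon Oct 26 00:02:38 CET 2015
  Issued By: system
"""

# Assumed classification of zone abbreviations; extend it for the zones your
# CA host actually runs in.
STANDARD_TIME = {"EST", "CST", "MST", "PST", "CET", "GMT", "UTC"}
DAYLIGHT_TIME = {"EDT", "CDT", "MDT", "PDT", "CEST", "BST"}

# java.util.Date.toString() layout: "Mon Oct 26 00:02:38 CET 2015"
JAVA_DATE = re.compile(r"^(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (\w+) (\d{4})$")


def parse_java_date(text):
    """Split a Java-style date into (naive datetime, zone abbreviation)."""
    m = JAVA_DATE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised date: {text!r}")
    naive = datetime.strptime(f"{m.group(1)} {m.group(3)}", "%a %b %d %H:%M:%S %Y")
    return naive, m.group(2)


def cert_validity(output):
    """Extract ((not_before, zone), (not_after, zone)) from pki cert-find output."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep and key in ("Not Valid Before", "Not Valid After"):
            fields[key] = parse_java_date(value)
    missing = {"Not Valid Before", "Not Valid After"} - fields.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    return fields["Not Valid Before"], fields["Not Valid After"]


def straddles_dst(output):
    """True when validity starts in standard time and ends in daylight time,
    the precondition the verification steps require."""
    (_, before_zone), (_, after_zone) = cert_validity(output)
    return before_zone in STANDARD_TIME and after_zone in DAYLIGHT_TIME


def validity_days(output):
    """Whole calendar days between the two validity dates (wall-clock based)."""
    (before, _), (after, _) = cert_validity(output)
    return (after - before).days


def wall_clock_shift_hours(output):
    """Hours by which the end time's wall clock differs from the start time's.
    A non-zero value is the fingerprint of elapsed-time (millisecond) arithmetic
    across a DST change; calendar arithmetic gives 0."""
    (before, _), (after, _) = cert_validity(output)
    remainder = (after - before) - timedelta(days=validity_days(output))
    return int(remainder.total_seconds() // 3600)


if __name__ == "__main__":
    print("straddles DST:", straddles_dst(SAMPLE_OUTPUT))
    print("validity days:", validity_days(SAMPLE_OUTPUT))
    print("wall-clock shift (h):", wall_clock_shift_hours(SAMPLE_OUTPUT))
```

On the quoted output the check passes (CET to CEST), the range is 7305 days, and the end time sits one hour later on the wall clock than the start time, the same shift visible in the description's debug log; a CA installed with the fixed packages should show the same wall-clock time at both ends.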
Comment 19 Matthew Harmsen 2016-02-03 20:29:16 EST
Comment on attachment 1118564: pki-core-Fixed-mismatching-certificate-validity-calculation.patch

(1) Setup RHEL 7.2 VM, installed IPA, and ran procedure in Comment #15;
    received 'Request Status: rejected'.
(2) Updated pki packages that had been built with this patch, and re-ran
    'pki -c Secret123 client-cert-request "cn=Certificate Authority" --profile
     caCACert':

-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 12
  Type: enrollment
  Request Status: pending
  Operation Result: success
Comment 20 Matthew Harmsen 2016-02-03 20:37:19 EST
pki-core-Fixed-mismatching-certificate-validity-calculation.patch:


Since this particular ticket is for RHEL 7.3 (awaiting a request for the RHEL 7.2 Z-Stream ticket), I checked and pushed this patch into the RHEL 7.3 Brew branch (but did not build since RHEL 7.3 will be based upon Dogtag 10.3 rather than 10.2.5) to allow this bug to be moved to MODIFIED:


commit 198b10b9eb3eb72f80fc7dd523ed74ef1303d4f5
Author: Matthew Harmsen <mharmsen@redhat.com>
Date:   Wed Feb 3 18:34:47 2016 -0700

    Resolves: rhbz #1277691
    
    - Bugzilla Bug #1277691 - ipa-cacert-manage renew failed with validity
      out of range [edewata]
Comment 22 Matthew Harmsen 2016-02-19 19:37:43 EST
Pushed to DOGTAG_10_2_RHEL_BRANCH:

commit 66c2a8d2b0d953b6dcec2a8ccefff689277cea2f
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Sun Dec 20 21:46:56 2015 +0100

    Fixed mismatching certificate validity calculation.
    
    The CAValidityDefault has been modified to use Calendar API to
    calculate the certificate validity range to be consistent with
    the ValidityConstraint and ValidityDefault.
    
    https://fedorahosted.org/pki/ticket/1682
    (cherry picked from commit 05ee3265165f93b357ed17b47fe3f62f9b67ae8b)

NOTE:  This patch is also contained in the 'master', and will be overwritten
       when the re-base to 10.3.0 is performed.
Comment 23 Matthew Harmsen 2016-03-29 17:15:17 EDT
(In reply to Matthew Harmsen from comment #20)
> pki-core-Fixed-mismatching-certificate-validity-calculation.patch:
> 
> 
> Since this particular ticket is for RHEL 7.3 (awaiting a request for the
> RHEL 7.2 Z-Stream ticket), I checked and pushed this patch into the RHEL 7.3
> Brew branch (but did not build since RHEL 7.3 will be based upon Dogtag 10.3
> rather than 10.2.5) to allow this bug to be moved to MODIFIED:
> 
> 
> commit 198b10b9eb3eb72f80fc7dd523ed74ef1303d4f5
> Author: Matthew Harmsen <mharmsen@redhat.com>
> Date:   Wed Feb 3 18:34:47 2016 -0700
> 
>     Resolves: rhbz #1277691
>     
>     - Bugzilla Bug #1277691 - ipa-cacert-manage renew failed with validity
>       out of range [edewata]

Moving back from MODIFIED --> POST
Comment 25 Xiyang Dong 2016-09-20 09:44:20 EDT
Verified on pki-ca-10.3.3-10.el7, ipa-server-4.4.0-11.el7:
[root@cloud-qe-14 ~]# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20160919154756':
	status: MONITORING
	subject: CN=CA Audit,O=TESTRELM.TEST
	expires: 2018-09-09 15:47:36 UTC
Request ID '20160919154757':
	status: MONITORING
	subject: CN=OCSP Subsystem,O=TESTRELM.TEST
	expires: 2018-09-09 15:47:34 UTC
Request ID '20160919154758':
	status: MONITORING
	subject: CN=CA Subsystem,O=TESTRELM.TEST
	expires: 2018-09-09 15:47:35 UTC
Request ID '20160919154759':
	status: MONITORING
	subject: CN=Certificate Authority,O=TESTRELM.TEST
	expires: 2036-09-19 15:47:31 UTC
Request ID '20160919154800':
	status: MONITORING
	subject: CN=IPA RA,O=TESTRELM.TEST
	expires: 2018-09-09 15:47:53 UTC
Request ID '20160919154801':
	status: MONITORING
	subject: CN=cloud-qe-14.testrelm.test,O=TESTRELM.TEST
	expires: 2018-09-09 15:47:35 UTC
Request ID '20160919154815':
	status: MONITORING
	subject: CN=cloud-qe-14.testrelm.test,O=TESTRELM.TEST
	expires: 2018-09-20 15:48:15 UTC
Request ID '20160919154837':
	status: MONITORING
	subject: CN=cloud-qe-14.testrelm.test,O=TESTRELM.TEST
	expires: 2018-09-20 15:48:37 UTC

[root@cloud-qe-14 ~]# date -s "710 day"
Fri Aug 31 09:40:04 EDT 2018
[root@cloud-qe-14 ~]# ipa-cacert-manage renew
Renewing CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful
You have new mail in /var/spool/mail/root
[root@cloud-qe-14 ~]# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20160919154756':
	status: MONITORING
	subject: CN=CA Audit,O=TESTRELM.TEST
	expires: 2020-08-20 13:40:27 UTC
Request ID '20160919154757':
	status: MONITORING
	subject: CN=OCSP Subsystem,O=TESTRELM.TEST
	expires: 2020-08-20 13:40:17 UTC
Request ID '20160919154758':
	status: MONITORING
	subject: CN=CA Subsystem,O=TESTRELM.TEST
	expires: 2020-08-20 13:40:57 UTC
Request ID '20160919154759':
	status: MONITORING
	subject: CN=Certificate Authority,O=TESTRELM.TEST
	expires: 2038-08-31 13:40:18 UTC
Request ID '20160919154800':
	status: MONITORING
	subject: CN=IPA RA,O=TESTRELM.TEST
	expires: 2020-08-20 13:40:37 UTC
Request ID '20160919154801':
	status: MONITORING
	subject: CN=cloud-qe-14.testrelm.test,O=TESTRELM.TEST
	expires: 2020-08-20 13:40:14 UTC
Request ID '20160919154815':
	status: MONITORING
	subject: CN=cloud-qe-14.testrelm.test,O=TESTRELM.TEST
	expires: 2020-08-31 13:40:35 UTC
Request ID '20160919154837':
	status: MONITORING
	subject: CN=cloud-qe-14.testrelm.test,O=TESTRELM.TEST
	expires: 2020-08-31 13:40:25 UTC

[root@cloud-qe-14 ~]# cat /var/log/pki/pki-tomcat/ca/debug | grep "Validity Out of Range"
[root@cloud-qe-14 ~]#
Comment 27 errata-xmlrpc 2016-11-04 01:20:08 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2396.html