Description of problem:
IPA certificate auto renewal fails with "Invalid Credential" when jumping time forward upon renewal.

Version-Release number of selected component (if applicable):
ipa-server-4.2.0-15
pki-ca-10.2.5-6
certmonger-0.78.4-1

How reproducible:
Always

Steps to Reproduce:
1. ipa server installed
2. Check certs' expirations
3. Change date to within 4 weeks of soonest to expire date
4. Wait until certs get renewed
5. Repeat multiple times.

Actual results:
Renewal fails with "Invalid Credential" and becomes unreachable

Expected results:
Auto renew successfully

Additional info:
. . .
[root@idm-qe-02 ~]# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20151102005609':
	status: MONITORING
	subject: CN=CA Audit,O=TESTRELM.TEST
	expires: 2029-07-21 03:54:57 UTC
Request ID '20151102005610':
	status: MONITORING
	subject: CN=OCSP Subsystem,O=TESTRELM.TEST
	expires: 2029-07-21 03:54:07 UTC
Request ID '20151102005611':
	status: MONITORING
	subject: CN=CA Subsystem,O=TESTRELM.TEST
	expires: 2029-07-21 03:53:47 UTC
Request ID '20151102005612':
	status: MONITORING
	subject: CN=Certificate Authority,O=TESTRELM.TEST
	expires: 2035-11-02 00:55:48 UTC
Request ID '20151102005613':
	status: MONITORING
	subject: CN=IPA RA,O=TESTRELM.TEST
	expires: 2029-07-21 03:53:36 UTC
Request ID '20151102005614':
	status: MONITORING
	subject: CN=idm-qe-02.testrelm.test,O=TESTRELM.TEST
	expires: 2029-07-21 03:53:45 UTC
Request ID '20151102005622':
	status: MONITORING
	subject: CN=idm-qe-02.testrelm.test,O=TESTRELM.TEST
	expires: 2029-08-01 03:53:26 UTC
Request ID '20151102005640':
	status: MONITORING
	subject: CN=idm-qe-02.testrelm.test,O=TESTRELM.TEST
	expires: 2029-08-01 03:53:16 UTC
[root@idm-qe-02 ~]# date
Sat Jul 31 23:58:16 EDT 2027
[root@idm-qe-02 ~]# date -s "715 days"
Sun Jul 15 23:58:24 EDT 2029
[root@idm-qe-02 ~]# sleep 180
[root@idm-qe-02 ~]# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20151102005609':
	status: MONITORING
	subject: CN=CA Audit,O=TESTRELM.TEST
	expires: 2031-07-06 04:00:01 UTC
Request ID '20151102005610':
	status: MONITORING
	subject: CN=OCSP Subsystem,O=TESTRELM.TEST
	expires: 2031-07-06 03:59:33 UTC
Request ID '20151102005611':
	status: MONITORING
	ca-error: Server at "https://idm-qe-02.testrelm.test:8443/ca/agent/ca/profileProcess" replied: 1: Invalid Credential.
	subject: CN=CA Subsystem,O=TESTRELM.TEST
	expires: 2029-07-21 03:53:47 UTC
Request ID '20151102005612':
	status: MONITORING
	subject: CN=Certificate Authority,O=TESTRELM.TEST
	expires: 2035-11-02 00:55:48 UTC
Request ID '20151102005613':
	status: MONITORING
	subject: CN=IPA RA,O=TESTRELM.TEST
	expires: 2031-07-06 03:59:52 UTC
Request ID '20151102005614':
	status: MONITORING
	subject: CN=idm-qe-02.testrelm.test,O=TESTRELM.TEST
	expires: 2031-07-06 03:59:00 UTC
Request ID '20151102005622':
	status: MONITORING
	subject: CN=idm-qe-02.testrelm.test,O=TESTRELM.TEST
	expires: 2031-07-17 03:58:51 UTC
Request ID '20151102005640':
	status: MONITORING
	subject: CN=idm-qe-02.testrelm.test,O=TESTRELM.TEST
	expires: 2031-07-17 03:58:43 UTC
. . .

Attached full test output. Also a workaround knowledgebase: https://access.redhat.com/solutions/1490603
Created attachment 1089216 [details] full test output
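An added monitoring check, not part of this bug report nor of certmonger or IPA: it parses the filtered "getcert list" output quoted above and flags tracking requests that are stuck with a ca-error (the "Invalid Credential" state this bug produces) or that expire inside the renewal window. The sample output is constructed from the listing above; the 28-day window, the as-of timestamp and treating that timestamp as UTC are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the filtered "getcert list" output in this bug
# (one healthy request and one stuck with the reported ca-error).
SAMPLE = """\
Request ID '20151102005610':
\tstatus: MONITORING
\tsubject: CN=OCSP Subsystem,O=TESTRELM.TEST
\texpires: 2031-07-06 03:59:33 UTC
Request ID '20151102005611':
\tstatus: MONITORING
\tca-error: Server at "https://idm-qe-02.testrelm.test:8443/ca/agent/ca/profileProcess" replied: 1: Invalid Credential.
\tsubject: CN=CA Subsystem,O=TESTRELM.TEST
\texpires: 2029-07-21 03:53:47 UTC
"""

def parse_utc(text):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' timestamps into aware datetimes."""
    return datetime.strptime(text.replace(" UTC", ""),
                             "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def parse_getcert(text):
    """Split getcert list output into one dict of fields per tracking request."""
    records, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '(\d+)':", line)
        if m:
            cur = {"id": m.group(1)}
            records.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.strip().partition(":")   # first colon ends the key
            cur[key.strip()] = val.strip()
    return records

def find_problems(text, now_utc, window_days=28):
    """Map request id -> reasons: a CA error, or expiry within window_days (assumed 28)."""
    now = parse_utc(now_utc)
    problems = {}
    for r in parse_getcert(text):
        reasons = []
        if "ca-error" in r:
            reasons.append("ca-error: " + r["ca-error"])
        if "expires" in r and parse_utc(r["expires"]) - now <= timedelta(days=window_days):
            reasons.append("expires within %d days (%s)" % (window_days, r["expires"]))
        if reasons:
            problems[r["id"]] = reasons
    return problems

if __name__ == "__main__":   # as-of time taken from the date jump in the report
    for rid, reasons in find_problems(SAMPLE, "2029-07-15 23:58:24 UTC").items():
        print(rid, "; ".join(reasons))
```

On a live server, feed it the output of the same getcert pipeline and the current date; any request with a ca-error after a renewal is the symptom described in this bug.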
When ipaCert is being renewed, there is a small window of time where the certificate in the people entry in Dogtag is inconsistent with the certificate in /etc/httpd/alias. If any certificate request is submitted during the window, it will cause the reported error. To fix this, we need to make sure ipaCert renewal is atomic.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/5436
Fixed upstream
master: https://fedorahosted.org/freeipa/changeset/f3076c6ab37e081ba9b0ec9f0502379f60dfbd10
ipa-4-2: https://fedorahosted.org/freeipa/changeset/f831cb6a3da0c5f2a3e71004ae327273b25723fa
Verified using IPA build :: ipa-server-4.4.0-5.el7.x86_64

Attaching console.log.

While verifying, found another error. For this error, I have filed BZ 1286651.
Created attachment 1189157 [details] console.log
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2404.html