Bug 1277696 - IPA certificate auto renewal fail with "Invalid Credential"
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
7.2
All Linux
urgent Severity urgent
: rc
: ---
Assigned To: IPA Maintainers
Namita Soman
: ZStream
Depends On:
Blocks: 1283882
Reported: 2015-11-03 15:52 EST by Xiyang Dong
Modified: 2016-11-04 01:39 EDT (History)

See Also:
Fixed In Version: ipa-4.2.0-16.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1283882 (view as bug list)
Environment:
Last Closed: 2016-11-04 01:39:36 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
full test output (42.57 KB, text/plain)
2015-11-03 15:54 EST, Xiyang Dong
console.log (16.95 KB, text/plain)
2016-08-09 05:03 EDT, Abhijeet Kasurde

Description Xiyang Dong 2015-11-03 15:52:03 EST
Description of problem:
IPA certificate auto renewal fails with "Invalid Credential" when jumping time forward upon renewal.

Version-Release number of selected component (if applicable):
ipa-server-4.2.0-15
pki-ca-10.2.5-6
certmonger-0.78.4-1

How reproducible:
Always

Steps to Reproduce:
1. IPA server installed
2. Check certs' expirations
3. Change date to within 4 weeks of the soonest expiry date
4. Wait until certs get renewed
5. Repeat multiple times.

Actual results:
Renewal fails with "Invalid Credential" and becomes unreachable

Expected results:
Auto renew successfully

Additional info:
.
.
.
[root@idm-qe-02 ~]# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20151102005609':
        status: MONITORING
        subject: CN=CA Audit,O=TESTRELM.TEST
        expires: 2029-07-21 03:54:57 UTC
Request ID '20151102005610':
        status: MONITORING
        subject: CN=OCSP Subsystem,O=TESTRELM.TEST
        expires: 2029-07-21 03:54:07 UTC
Request ID '20151102005611':
        status: MONITORING
        subject: CN=CA Subsystem,O=TESTRELM.TEST
        expires: 2029-07-21 03:53:47 UTC
Request ID '20151102005612':
        status: MONITORING
        subject: CN=Certificate Authority,O=TESTRELM.TEST
        expires: 2035-11-02 00:55:48 UTC
Request ID '20151102005613':
        status: MONITORING
        subject: CN=IPA RA,O=TESTRELM.TEST
        expires: 2029-07-21 03:53:36 UTC
Request ID '20151102005614':
        status: MONITORING
        subject: CN=idm-qe-02.testrelm.test,O=TESTRELM.TEST
        expires: 2029-07-21 03:53:45 UTC
Request ID '20151102005622':
        status: MONITORING
        subject: CN=idm-qe-02.testrelm.test,O=TESTRELM.TEST
        expires: 2029-08-01 03:53:26 UTC
Request ID '20151102005640':
        status: MONITORING
        subject: CN=idm-qe-02.testrelm.test,O=TESTRELM.TEST
        expires: 2029-08-01 03:53:16 UTC
[root@idm-qe-02 ~]# date
Sat Jul 31 23:58:16 EDT 2027
[root@idm-qe-02 ~]# date -s "715 days"
Sun Jul 15 23:58:24 EDT 2029
[root@idm-qe-02 ~]# sleep 180
[root@idm-qe-02 ~]# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20151102005609':
        status: MONITORING
        subject: CN=CA Audit,O=TESTRELM.TEST
        expires: 2031-07-06 04:00:01 UTC
Request ID '20151102005610':
        status: MONITORING
        subject: CN=OCSP Subsystem,O=TESTRELM.TEST
        expires: 2031-07-06 03:59:33 UTC
Request ID '20151102005611':
        status: MONITORING
        ca-error: Server at "https://idm-qe-02.testrelm.test:8443/ca/agent/ca/profileProcess" replied: 1: Invalid Credential.
        subject: CN=CA Subsystem,O=TESTRELM.TEST
        expires: 2029-07-21 03:53:47 UTC
Request ID '20151102005612':
        status: MONITORING
        subject: CN=Certificate Authority,O=TESTRELM.TEST
        expires: 2035-11-02 00:55:48 UTC
Request ID '20151102005613':
        status: MONITORING
        subject: CN=IPA RA,O=TESTRELM.TEST
        expires: 2031-07-06 03:59:52 UTC
Request ID '20151102005614':
        status: MONITORING
        subject: CN=idm-qe-02.testrelm.test,O=TESTRELM.TEST
        expires: 2031-07-06 03:59:00 UTC
Request ID '20151102005622':
        status: MONITORING
        subject: CN=idm-qe-02.testrelm.test,O=TESTRELM.TEST
        expires: 2031-07-17 03:58:51 UTC
Request ID '20151102005640':
        status: MONITORING
        subject: CN=idm-qe-02.testrelm.test,O=TESTRELM.TEST
        expires: 2031-07-17 03:58:43 UTC
.
.
.

Attached full test output.


A workaround is also documented in the knowledge base: https://access.redhat.com/solutions/1490603
Comment 1 Xiyang Dong 2015-11-03 15:54 EST
Created attachment 1089216 [details]
full test output
Comment 3 Jan Cholasta 2015-11-09 04:16:41 EST
When ipaCert is being renewed, there is a small window of time where the certificate in the people entry in Dogtag is inconsistent with the certificate in /etc/httpd/alias. If any certificate request is submitted during the window, it will cause the reported error. To fix this, we need to make sure ipaCert renewal is atomic.
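As an added example (not code from the bug report or from the FreeIPA project), the check below parses `getcert list` output in the format shown in the description and flags tracking requests that either recorded a ca-error, such as the "Invalid Credential" reply above, or still expire inside the four-week renewal window; the sample output is constructed from the fields the reporter's egrep filter keeps.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in `getcert list` format (only the fields the report
# filters with egrep); not the attachment from the bug.
SAMPLE = """\
Request ID '20151102005611':
        status: MONITORING
        ca-error: Server at "https://idm-qe-02.testrelm.test:8443/ca/agent/ca/profileProcess" replied: 1: Invalid Credential.
        subject: CN=CA Subsystem,O=TESTRELM.TEST
        expires: 2029-07-21 03:53:47 UTC
Request ID '20151102005613':
        status: MONITORING
        subject: CN=IPA RA,O=TESTRELM.TEST
        expires: 2031-07-06 03:59:52 UTC
"""

def parse_time(value):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' timestamp."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC")

def parse_getcert(text):
    """Split `getcert list` output into one dict per tracking request."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"Request ID '(\d+)':", line)
        if m:
            entries.append({"request_id": m.group(1)})
            continue
        if entries and ": " in line:
            # Split on the first ': ' only; ca-error values contain more colons.
            key, _, value = line.strip().partition(": ")
            entries[-1][key] = value
    return entries

def renewal_problems(entries, now, window=timedelta(weeks=4)):
    """Return (request_id, subject, reason) for requests needing attention:
    a ca-error left by a failed renewal, or an expiry inside the renewal
    window that certmonger has not yet moved past."""
    problems = []
    for e in entries:
        if "ca-error" in e:
            problems.append((e["request_id"], e.get("subject"), e["ca-error"]))
        elif parse_time(e["expires"]) - now <= window:
            problems.append((e["request_id"], e.get("subject"),
                             "expires " + e["expires"]))
    return problems
```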
Comment 4 Jan Cholasta 2015-11-09 04:21:03 EST
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5436
Comment 11 Abhijeet Kasurde 2016-08-09 04:58:14 EDT
Verified using IPA build:

ipa-server-4.4.0-5.el7.x86_64

Attaching console.log. 

While verifying, found another error. For this error, I have filed BZ 1286651.
Comment 12 Abhijeet Kasurde 2016-08-09 05:03 EDT
Created attachment 1189157 [details]
console.log
Comment 14 errata-xmlrpc 2016-11-04 01:39:36 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html
