Bug 1277696 - IPA certificate auto renewal fail with "Invalid Credential"
Summary: IPA certificate auto renewal fail with "Invalid Credential"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks: 1283882
TreeView+ depends on / blocked
 
Reported: 2015-11-03 20:52 UTC by Xiyang Dong
Modified: 2016-11-04 05:39 UTC (History)
11 users (show)

Fixed In Version: ipa-4.2.0-16.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1283882 (view as bug list)
Environment:
Last Closed: 2016-11-04 05:39:36 UTC
Target Upstream Version:

Attachments (Terms of Use)
full test output (42.57 KB, text/plain)
2015-11-03 20:54 UTC, Xiyang Dong 		no flags Details
console.log (16.95 KB, text/plain)
2016-08-09 09:03 UTC, Abhijeet Kasurde 		no flags Details
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Xiyang Dong 2015-11-03 20:52:03 UTC 
Description of problem:
IPA certificate auto renewal fail with "Invalid Credential" when jumping time forward upon renewal. 

Version-Release number of selected component (if applicable):
ipa-server-4.2.0-15
pki-ca-10.2.5-6
certmonger-0.78.4-1

How reproducible:
Always

Steps to Reproduce:
1.ipa server installed
2.Check certs' expirations
3.Change date to within 4 weeks of sonnest to expire date
4.Wait until certs get renewed
5.Repeat multiple times.

Actual results:
Renewal fail with "Invalid Credential" and become unreachable

Expected results:
Auto renew successfully

Additional info:
.
.
.
[root@idm-qe-02 ~]# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20151102005609':
        status: MONITORING
        subject: CN=CA Audit,O=TESTRELM.TEST
        expires: 2029-07-21 03:54:57 UTC
Request ID '20151102005610':
        status: MONITORING
        subject: CN=OCSP Subsystem,O=TESTRELM.TEST
        expires: 2029-07-21 03:54:07 UTC
Request ID '20151102005611':
        status: MONITORING
        subject: CN=CA Subsystem,O=TESTRELM.TEST
        expires: 2029-07-21 03:53:47 UTC
Request ID '20151102005612':
        status: MONITORING
        subject: CN=Certificate Authority,O=TESTRELM.TEST
        expires: 2035-11-02 00:55:48 UTC
Request ID '20151102005613':
        status: MONITORING
        subject: CN=IPA RA,O=TESTRELM.TEST
        expires: 2029-07-21 03:53:36 UTC
Request ID '20151102005614':
        status: MONITORING
        subject: CN=idm-qe-02.testrelm.test,O=TESTRELM.TEST
        expires: 2029-07-21 03:53:45 UTC
Request ID '20151102005622':
        status: MONITORING
        subject: CN=idm-qe-02.testrelm.test,O=TESTRELM.TEST
        expires: 2029-08-01 03:53:26 UTC
Request ID '20151102005640':
        status: MONITORING
        subject: CN=idm-qe-02.testrelm.test,O=TESTRELM.TEST
        expires: 2029-08-01 03:53:16 UTC
[root@idm-qe-02 ~]# date
Sat Jul 31 23:58:16 EDT 2027
[root@idm-qe-02 ~]# date -s "715 days"
Sun Jul 15 23:58:24 EDT 2029
[root@idm-qe-02 ~]# sleep 180
[root@idm-qe-02 ~]# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20151102005609':
        status: MONITORING
        subject: CN=CA Audit,O=TESTRELM.TEST
        expires: 2031-07-06 04:00:01 UTC
Request ID '20151102005610':
        status: MONITORING
        subject: CN=OCSP Subsystem,O=TESTRELM.TEST
        expires: 2031-07-06 03:59:33 UTC
Request ID '20151102005611':
        status: MONITORING
        ca-error: Server at "https://idm-qe-02.testrelm.test:8443/ca/agent/ca/profileProcess" replied: 1: Invalid Credential.
        subject: CN=CA Subsystem,O=TESTRELM.TEST
        expires: 2029-07-21 03:53:47 UTC
Request ID '20151102005612':
        status: MONITORING
        subject: CN=Certificate Authority,O=TESTRELM.TEST
        expires: 2035-11-02 00:55:48 UTC
Request ID '20151102005613':
        status: MONITORING
        subject: CN=IPA RA,O=TESTRELM.TEST
        expires: 2031-07-06 03:59:52 UTC
Request ID '20151102005614':
        status: MONITORING
        subject: CN=idm-qe-02.testrelm.test,O=TESTRELM.TEST
        expires: 2031-07-06 03:59:00 UTC
Request ID '20151102005622':
        status: MONITORING
        subject: CN=idm-qe-02.testrelm.test,O=TESTRELM.TEST
        expires: 2031-07-17 03:58:51 UTC
Request ID '20151102005640':
        status: MONITORING
        subject: CN=idm-qe-02.testrelm.test,O=TESTRELM.TEST
        expires: 2031-07-17 03:58:43 UTC
.
.
.

Attached full test output.


Also a workaround knowledgebase: https://access.redhat.com/solutions/1490603
Comment 1 Xiyang Dong 2015-11-03 20:54:33 UTC 
Created attachment 1089216 [details]
full test output
Comment 3 Jan Cholasta 2015-11-09 09:16:41 UTC 
When ipaCert is being renewed, there is a small window of time where the certificate in the people entry in Dogtag is inconsistent with the certificate in /etc/httpd/alias. If any certificate request is submitted during the window, it will cause the reported error. To fix this, we need to make sure ipaCert renewal is atomic.
Comment 4 Jan Cholasta 2015-11-09 09:21:03 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5436
Comment 6 Jan Cholasta 2015-11-19 12:06:44 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/f3076c6ab37e081ba9b0ec9f0502379f60dfbd10
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/f831cb6a3da0c5f2a3e71004ae327273b25723fa
Comment 11 Abhijeet Kasurde 2016-08-09 08:58:14 UTC 
Verified using IPA build ::

ipa-server-4.4.0-5.el7.x86_64

Attaching console.log. 

While verifying, found another error. For this error, I have filed BZ 1286651.
Comment 12 Abhijeet Kasurde 2016-08-09 09:03:17 UTC 
Created attachment 1189157 [details]
console.log
Comment 14 errata-xmlrpc 2016-11-04 05:39:36 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html
Note You need to log in before you can comment on or make changes to this bug.