Bug 1283882 - IPA certificate auto renewal fail with "Invalid Credential"
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
7.2
All Linux
Priority: urgent
Severity: urgent
: rc
: ---
Assigned To: IPA Maintainers
Namita Soman
: ZStream
Depends On: 1277696
Blocks:
Reported: 2015-11-20 02:37 EST by Jan Kurik
Modified: 2015-12-08 05:36 EST (History)
Fixed In Version: ipa-4.2.0-15.el7_2.1
Doc Type: Bug Fix
Doc Text:
During the renewal of the IdM RA agent certificate, the renewed certificate was already available for use, but the related configuration was not updated yet. As a consequence, if the renewal of another certificate was triggered during the renewal of the IdM RA agent certificate, the renewal could fail with the "Invalid credential" error. Now, the IdM RA agent certificate is properly locked for the whole duration of the renewal.
Story Points: ---
Clone Of: 1277696
Environment:
Last Closed: 2015-12-08 05:36:52 EST
Description Jan Kurik 2015-11-20 02:37:30 EST
This bug has been copied from bug #1277696 and has been proposed
to be backported to 7.2 z-stream (EUS).
Comment 4 Xiyang Dong 2015-11-25 12:03:09 EST
I have tried 10 times and still see the error below every time:
[root@72z ~]# rpm -q ipa-server
ipa-server-4.2.0-15.el7_2.3.x86_64

.
.
.
[root@72z ~]# date -s "718 days";sleep 240;getcert list | egrep "status|expires|Request|subject|ca-error"
Thu Oct 31 12:28:54 EDT 2019
Request ID '20151125155206':
	status: MONITORING
	subject: CN=CA Audit,O=TESTRELM.TEST
	expires: 2021-10-20 16:31:02 UTC
Request ID '20151125155208':
	status: MONITORING
	subject: CN=OCSP Subsystem,O=TESTRELM.TEST
	expires: 2021-10-20 16:30:12 UTC
Request ID '20151125155209':
	status: MONITORING
	subject: CN=CA Subsystem,O=TESTRELM.TEST
	expires: 2021-10-20 16:30:22 UTC
Request ID '20151125155211':
	status: MONITORING
	subject: CN=Certificate Authority,O=TESTRELM.TEST
	expires: 2035-11-25 15:50:59 UTC
Request ID '20151125155212':
	status: MONITORING
	subject: CN=IPA RA,O=TESTRELM.TEST
	expires: 2021-10-20 16:31:21 UTC
Request ID '20151125155213':
	status: MONITORING
	subject: CN=72z.testrelm.test,O=TESTRELM.TEST
	expires: 2021-10-20 16:29:18 UTC
Request ID '20151125155341':
	status: MONITORING
	subject: CN=72z.testrelm.test,O=TESTRELM.TEST
	expires: 2021-10-31 16:30:32 UTC
Request ID '20151125161205':
	status: MONITORING
	subject: CN=72z.testrelm.test,O=TESTRELM.TEST
	expires: 2021-10-31 16:29:03 UTC
[root@72z ~]# date -s "719 days";sleep 240;getcert list | egrep "status|expires|Request|subject|ca-error"
Tue Oct 19 12:42:29 EDT 2021
Request ID '20151125155206':
	status: MONITORING
	subject: CN=CA Audit,O=TESTRELM.TEST
	expires: 2023-10-09 16:44:45 UTC
Request ID '20151125155208':
	status: MONITORING
	subject: CN=OCSP Subsystem,O=TESTRELM.TEST
	expires: 2023-10-09 16:45:05 UTC
Request ID '20151125155209':
	status: POST_SAVED_CERT
	subject: CN=CA Subsystem,O=TESTRELM.TEST
	expires: 2023-10-09 16:45:56 UTC
Request ID '20151125155211':
	status: MONITORING
	subject: CN=Certificate Authority,O=TESTRELM.TEST
	expires: 2035-11-25 15:50:59 UTC
Request ID '20151125155212':
	status: MONITORING
	subject: CN=IPA RA,O=TESTRELM.TEST
	expires: 2023-10-09 16:43:56 UTC
Request ID '20151125155213':
	status: MONITORING
	subject: CN=72z.testrelm.test,O=TESTRELM.TEST
	expires: 2023-10-09 16:43:01 UTC
Request ID '20151125155341':
	status: MONITORING
	subject: CN=72z.testrelm.test,O=TESTRELM.TEST
	expires: 2023-10-20 16:42:37 UTC
Request ID '20151125161205':
	status: CA_UNREACHABLE
	ca-error: Server at https://72z.testrelm.test/ipa/xml failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https://72z.testrelm.test:443/ca/eeca/ca/profileSubmitSSLClient': (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
	subject: CN=72z.testrelm.test,O=TESTRELM.TEST
	expires: 2021-10-31 16:29:03 UTC
Comment 5 Xiyang Dong 2015-11-25 12:04:08 EST
Steps to Reproduce:
1. IPA server installed
2. Check certs' expirations
3. Change date to within 4 weeks of the soonest expiry date
4. Wait until certs get renewed
5. Repeat multiple times.
Comment 6 Jan Cholasta 2015-11-26 02:15:07 EST
You move system time forward by too much. The algorithm that works for me is:
1. find the soonest expiring certificate
2. move system time forward to 3 weeks before the certificate expires
3. repeat

Let me know if that fixed it for you.
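The time-stepping procedure from Comment 6, as an added example that is not part of the bug report or of the IPA project: it parses `getcert list` output in the layout shown in Comment 4, picks the soonest-expiring tracked request, reports the clock value 3 weeks before that expiry, and separately lists requests that carry a `ca-error` line (the renewal failure seen above). The sample output is constructed from the values in this bug.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, same layout as `getcert list` in Comment 4 (tab-indented fields).
SAMPLE = (
    "Request ID '20151125155209':\n"
    "\tstatus: POST_SAVED_CERT\n"
    "\tsubject: CN=CA Subsystem,O=TESTRELM.TEST\n"
    "\texpires: 2023-10-09 16:45:56 UTC\n"
    "Request ID '20151125155212':\n"
    "\tstatus: MONITORING\n"
    "\tsubject: CN=IPA RA,O=TESTRELM.TEST\n"
    "\texpires: 2023-10-09 16:43:56 UTC\n"
    "Request ID '20151125161205':\n"
    "\tstatus: CA_UNREACHABLE\n"
    "\tca-error: Server at https://72z.testrelm.test/ipa/xml failed request, "
    "will retry: 907 (SSL peer rejected your certificate as expired.).\n"
    "\tsubject: CN=72z.testrelm.test,O=TESTRELM.TEST\n"
    "\texpires: 2021-10-31 16:29:03 UTC\n"
)


def parse_getcert(text):
    """Split `getcert list` output into one dict per 'Request ID' block."""
    requests = []
    for line in text.splitlines():
        match = re.match(r"Request ID '([^']+)':", line)
        if match:
            requests.append({"id": match.group(1)})
        elif requests and ":" in line:
            # Only the first colon separates key from value (ca-error contains URLs).
            key, _, value = line.strip().partition(":")
            requests[-1][key.strip()] = value.strip()
    return requests


def next_clock_step(requests, lead=timedelta(weeks=3)):
    """Request ID of the soonest-expiring cert and the time 3 weeks before it."""
    fmt = "%Y-%m-%d %H:%M:%S UTC"
    soonest = min(requests, key=lambda r: datetime.strptime(r["expires"], fmt))
    return soonest["id"], datetime.strptime(soonest["expires"], fmt) - lead


def failed_requests(requests):
    """Requests certmonger could not renew: those carrying a ca-error line."""
    return [r["id"] for r in requests if "ca-error" in r]


if __name__ == "__main__":
    reqs = parse_getcert(SAMPLE)
    rid, when = next_clock_step(reqs)
    print("failed:", failed_requests(reqs))
    # Printed only; the operator sets the clock on the test VM, as in Comment 4.
    print(f"next step for {rid}: date -s '{when:%Y-%m-%d %H:%M:%S}'")
```

On a real server, feed it the output of `getcert list` instead of `SAMPLE`.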
Comment 7 Martin Kosek 2015-11-26 06:33:35 EST
Given Comment 6, moving back to ON_QA.
Comment 12 errata-xmlrpc 2015-12-08 05:36:52 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2562.html
