Bug 1286651 - IPA certificate auto renewal fail with SSL_ERROR_EXPIRED_CERT_ALERT [NEEDINFO]
IPA certificate auto renewal fail with SSL_ERROR_EXPIRED_CERT_ALERT
Status: CLOSED INSUFFICIENT_DATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa (Show other bugs)
7.2
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Petr Vobornik
ipa-qe
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-11-30 07:10 EST by Abhijeet Kasurde
Modified: 2017-12-12 12:32 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-12-12 12:32:48 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
pvoborni: needinfo? (akasurde)


Attachments (Terms of Use)
getcert_console.log (17.81 KB, text/plain)
2015-11-30 07:10 EST, Abhijeet Kasurde
no flags Details
PKI_CA_LOG (664.76 KB, application/x-gzip)
2015-11-30 07:10 EST, Abhijeet Kasurde
no flags Details
console.log (7.08 KB, text/plain)
2017-04-07 02:23 EDT, Abhijeet Kasurde
no flags Details

  None (edit)
Description Abhijeet Kasurde 2015-11-30 07:10:03 EST
Created attachment 1100493 [details]
getcert_console.log

Description of problem:
While verifying BZ1277696 encountered following error 

[root@dhcp201-135 ~]# getcert list | egrep "status|expires|Request|subject|ca-error"

<snip>
Request ID '20151130092850':
	status: CA_UNREACHABLE
	ca-error: Server at https://dhcp201-135.testrelm.test/ipa/xml failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https://dhcp201-135.testrelm.test:443/ca/eeca/ca/profileSubmitSSLClient': (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
	subject: CN=dhcp201-135.testrelm.test,O=TESTRELM.TEST
	expires: 2025-09-07 11:07:45 UTC

</snip>

Version-Release number of selected component (if applicable):
ipa-server-4.2.0-15.el7_2.3.x86_64


Steps to Reproduce:
1. Install IPA server
2. Change system date closer to expire date 
3. check "getcert list" output
Comment 1 Abhijeet Kasurde 2015-11-30 07:10 EST
Created attachment 1100494 [details]
PKI_CA_LOG
Comment 2 Petr Vobornik 2015-12-07 16:52:59 EST
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5522
Comment 3 Petr Vobornik 2017-04-06 12:39:12 EDT
I'm considering to close this bug. Is it still present?
Comment 4 Abhijeet Kasurde 2017-04-07 02:21:44 EDT
(In reply to Petr Vobornik from comment #3)
> I'm considering to close this bug. Is it still present?

I am able reproduce this issue on IPA version :: ipa-server-4.5.0-5.el7.x86_64


Please find the attachment for console.log.
Comment 5 Abhijeet Kasurde 2017-04-07 02:23 EDT
Created attachment 1269572 [details]
console.log

Note You need to log in before you can comment on or make changes to this bug.