Bug 1493541 - ipa-pkinit-manage reports a switch from local pkinit to full pkinit configuration was successful although it was not.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks: 1658313 1659511
Reported: 2017-09-20 12:41 UTC by Thorsten Scherf
Modified: 2020-12-14 10:09 UTC

Fixed In Version: ipa-4.6.5-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1658313 1659511
Environment:
Last Closed: 2019-08-06 13:09:02 UTC
Target Upstream Version:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:2241 0 None None None 2019-08-06 13:09:26 UTC

Description Thorsten Scherf 2017-09-20 12:41:23 UTC
Description of problem:
When you switch from local pkinit to full pkinit with an IPA CA signed CA certificate, the tool ipa-pkinit-manage says it was successful, even though no IPA CA signed KDC cert has been requested:

# ipa-pkinit-manage status
PKINIT is disabled
The ipa-pkinit-manage command was successful

# ipa-pkinit-manage --verbose enable
ipa.ipaserver.install.ipa_pkinit_manage.PKINITManage: DEBUG: Not logging to a file
ipa: DEBUG: importing all plugin modules in ipaserver.plugins...
ipa: DEBUG: importing plugin module ipaserver.plugins.aci
ipa: DEBUG: importing plugin module ipaserver.plugins.automember
ipa: DEBUG: importing plugin module ipaserver.plugins.automount
ipa: DEBUG: importing plugin module ipaserver.plugins.baseldap
ipa: DEBUG: ipaserver.plugins.baseldap is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.baseuser
ipa: DEBUG: importing plugin module ipaserver.plugins.batch
ipa: DEBUG: importing plugin module ipaserver.plugins.ca
ipa: DEBUG: importing plugin module ipaserver.plugins.caacl
ipa: DEBUG: importing plugin module ipaserver.plugins.cert
ipa: DEBUG: importing plugin module ipaserver.plugins.certmap
ipa: DEBUG: importing plugin module ipaserver.plugins.certprofile
ipa: DEBUG: importing plugin module ipaserver.plugins.config
ipa: DEBUG: importing plugin module ipaserver.plugins.delegation
ipa: DEBUG: importing plugin module ipaserver.plugins.dns
ipa: DEBUG: importing plugin module ipaserver.plugins.dnsserver
ipa: DEBUG: importing plugin module ipaserver.plugins.dogtag
ipa: DEBUG: importing plugin module ipaserver.plugins.domainlevel
ipa: DEBUG: importing plugin module ipaserver.plugins.group
ipa: DEBUG: importing plugin module ipaserver.plugins.hbac
ipa: DEBUG: ipaserver.plugins.hbac is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.hbacrule
ipa: DEBUG: importing plugin module ipaserver.plugins.hbacsvc
ipa: DEBUG: importing plugin module ipaserver.plugins.hbacsvcgroup
ipa: DEBUG: importing plugin module ipaserver.plugins.hbactest
ipa: DEBUG: importing plugin module ipaserver.plugins.host
ipa: DEBUG: importing plugin module ipaserver.plugins.hostgroup
ipa: DEBUG: importing plugin module ipaserver.plugins.idrange
ipa: DEBUG: importing plugin module ipaserver.plugins.idviews
ipa: DEBUG: importing plugin module ipaserver.plugins.internal
ipa: DEBUG: importing plugin module ipaserver.plugins.join
ipa: DEBUG: importing plugin module ipaserver.plugins.krbtpolicy
ipa: DEBUG: importing plugin module ipaserver.plugins.ldap2
ipa: DEBUG: importing plugin module ipaserver.plugins.location
ipa: DEBUG: importing plugin module ipaserver.plugins.migration
ipa: DEBUG: importing plugin module ipaserver.plugins.misc
ipa: DEBUG: importing plugin module ipaserver.plugins.netgroup
ipa: DEBUG: importing plugin module ipaserver.plugins.otp
ipa: DEBUG: ipaserver.plugins.otp is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.otpconfig
ipa: DEBUG: importing plugin module ipaserver.plugins.otptoken
ipa: DEBUG: importing plugin module ipaserver.plugins.passwd
ipa: DEBUG: importing plugin module ipaserver.plugins.permission
ipa: DEBUG: importing plugin module ipaserver.plugins.ping
ipa: DEBUG: importing plugin module ipaserver.plugins.pkinit
ipa: DEBUG: importing plugin module ipaserver.plugins.privilege
ipa: DEBUG: importing plugin module ipaserver.plugins.pwpolicy
ipa: DEBUG: importing plugin module ipaserver.plugins.rabase
ipa: DEBUG: ipaserver.plugins.rabase is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.radiusproxy
ipa: DEBUG: importing plugin module ipaserver.plugins.realmdomains
ipa: DEBUG: importing plugin module ipaserver.plugins.role
ipa: DEBUG: importing plugin module ipaserver.plugins.schema
ipa: DEBUG: importing plugin module ipaserver.plugins.selfservice
ipa: DEBUG: importing plugin module ipaserver.plugins.selinuxusermap
ipa: DEBUG: importing plugin module ipaserver.plugins.server
ipa: DEBUG: importing plugin module ipaserver.plugins.serverrole
ipa: DEBUG: importing plugin module ipaserver.plugins.serverroles
ipa: DEBUG: importing plugin module ipaserver.plugins.service
ipa: DEBUG: importing plugin module ipaserver.plugins.servicedelegation
ipa: DEBUG: importing plugin module ipaserver.plugins.session
ipa: DEBUG: importing plugin module ipaserver.plugins.stageuser
ipa: DEBUG: importing plugin module ipaserver.plugins.sudo
ipa: DEBUG: ipaserver.plugins.sudo is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.sudocmd
ipa: DEBUG: importing plugin module ipaserver.plugins.sudocmdgroup
ipa: DEBUG: importing plugin module ipaserver.plugins.sudorule
ipa: DEBUG: importing plugin module ipaserver.plugins.topology
ipa: DEBUG: importing plugin module ipaserver.plugins.trust
ipa: DEBUG: importing plugin module ipaserver.plugins.user
ipa: DEBUG: importing plugin module ipaserver.plugins.vault
ipa: DEBUG: importing plugin module ipaserver.plugins.virtual
ipa: DEBUG: ipaserver.plugins.virtual is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.whoami
ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection context.ldap2_56421648
ipa.ipaserver.plugins.cert.ca_is_enabled: DEBUG: raw: ca_is_enabled(version=u'2.228')
ipa.ipaserver.plugins.cert.ca_is_enabled: DEBUG: ca_is_enabled(version=u'2.228')
ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x53d9b00>
ipa.ipaserver.plugins.config.config_show: DEBUG: raw: config_show(version=u'2.228')
ipa.ipaserver.plugins.config.config_show: DEBUG: config_show(rights=False, all=False, raw=False, version=u'2.228')
ipa.ipaserver.plugins.cert.ca_is_enabled: DEBUG: raw: ca_is_enabled(version=u'2.228')
ipa.ipaserver.plugins.cert.ca_is_enabled: DEBUG: ca_is_enabled(version=u'2.228')
ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa: DEBUG: Configuring Kerberos KDC (krb5kdc)
Configuring Kerberos KDC (krb5kdc)
ipa: DEBUG:   [1/1]: installing X509 Certificate for PKINIT
  [1/1]: installing X509 Certificate for PKINIT
ipa: DEBUG: certmonger request is in state dbus.String(u'NEWLY_ADDED_READING_KEYINFO', variant_level=1)
ipa: DEBUG: certmonger request is in state dbus.String(u'MONITORING', variant_level=1)
ipa: DEBUG: service KDC has all config values set
ipa: DEBUG:   duration: 5 seconds
ipa: DEBUG: Done configuring Kerberos KDC (krb5kdc).
Done configuring Kerberos KDC (krb5kdc).
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl restart krb5kdc.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active krb5kdc.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: service KDC: config string pkinitEnabled already set
ipa: DEBUG: service KDC has already enabled config values ['pkinitEnabled']
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Destroyed connection context.ldap2_56421648
ipa.ipaserver.install.ipa_pkinit_manage.PKINITManage: INFO: The ipa-pkinit-manage command was successful


Version-Release number of selected component (if applicable):
ipa-server-4.5.0-21.el7_4.1.2.x86_64

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:
No new certificate signed by the IPA CA has been requested.

Expected results:
Either the tool should report an error that requesting an IPA CA signed certificate failed or is not possible, or a new CSR should be generated to request an IPA CA signed certificate for the IPA KDC.

Additional info:

Comment 2 Petr Vobornik 2017-10-13 16:39:27 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7200

Comment 8 Florence Blanc-Renaud 2019-01-16 13:50:56 UTC
Upstream test added: ipatests/test_integration/test_pkinit_manage.py

Comment 10 Sumedh Sidhaye 2019-05-15 10:32:08 UTC
Build used for verification:

[root@idm-qe-01 ~]# rpm -qa ipa-server ipa-server-dns
ipa-server-4.6.5-8.el7.x86_64
ipa-server-dns-4.6.5-8.el7.noarch


Steps:
1. Install master with --no-pkinit option
2. ipa-getcert list
3. ipa-pkinit-manage status
4. ipa-pkinit-manage --verbose enable
5. ipa-getcert list
6. ipa-pkinit-manage status


Actual Results:



[root@idm-qe-01 ~]# ipa-getcert list
Number of certificates and requests being tracked: 9.
Request ID '20190515100056':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TESTRELM-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TESTRELM-TEST/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-TESTRELM-TEST',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=master.testrelm.test,O=TESTRELM.TEST
	expires: 2021-05-15 10:00:56 UTC
	dns: master.testrelm.test
	principal name: ldap/master.testrelm.test@TESTRELM.TEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TESTRELM-TEST
	track: yes
	auto-renew: yes
Request ID '20190515100128':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=master.testrelm.test,O=TESTRELM.TEST
	expires: 2021-05-15 10:01:29 UTC
	dns: master.testrelm.test
	principal name: HTTP/master.testrelm.test@TESTRELM.TEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes
[root@idm-qe-01 ~]# ipa-pkinit-manage status
PKINIT is disabled
The ipa-pkinit-manage command was successful
[root@idm-qe-01 ~]# ipa-pkinit-manage --verbose enable
ipalib.install.sysrestore: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipapython.admintool: DEBUG: Not logging to a file
ipalib.plugable: DEBUG: importing all plugin modules in ipaserver.plugins...
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.aci
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.automember
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.automount
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.baseldap
ipalib.plugable: DEBUG: ipaserver.plugins.baseldap is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.baseuser
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.batch
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ca
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.caacl
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.cert
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.certmap
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.certprofile
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.config
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.delegation
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dns
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dnsserver
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dogtag
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.domainlevel
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.group
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbac
ipalib.plugable: DEBUG: ipaserver.plugins.hbac is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacrule
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacsvc
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacsvcgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbactest
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.host
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hostgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.idrange
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.idviews
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.internal
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.join
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.krbtpolicy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ldap2
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.location
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.migration
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.misc
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.netgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otp
ipalib.plugable: DEBUG: ipaserver.plugins.otp is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otpconfig
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otptoken
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.passwd
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.permission
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ping
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.pkinit
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.privilege
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.pwpolicy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.rabase
ipalib.plugable: DEBUG: ipaserver.plugins.rabase is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.radiusproxy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.realmdomains
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.role
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.schema
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.selfservice
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.selinuxusermap
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.server
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.serverrole
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.serverroles
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.service
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.servicedelegation
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.session
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.stageuser
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudo
ipalib.plugable: DEBUG: ipaserver.plugins.sudo is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudocmd
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudocmdgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudorule
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.topology
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.trust
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.user
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.vault
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.virtual
ipalib.plugable: DEBUG: ipaserver.plugins.virtual is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.whoami
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.xmlserver
ipalib.backend: DEBUG: Created connection context.ldap2_140508947101264
ipalib.frontend: DEBUG: raw: ca_is_enabled(version=u'2.231')
ipalib.frontend: DEBUG: ca_is_enabled(version=u'2.231')
ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7fcac94db6c8>
ipalib.frontend: DEBUG: raw: config_show(version=u'2.231')
ipalib.frontend: DEBUG: config_show(rights=False, all=False, raw=False, version=u'2.231')
ipalib.frontend: DEBUG: raw: ca_is_enabled(version=u'2.231')
ipalib.frontend: DEBUG: ca_is_enabled(version=u'2.231')
ipalib.install.sysrestore: DEBUG: Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipalib.install.sysrestore: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipaserver.install.service: DEBUG: Configuring Kerberos KDC (krb5kdc)
Configuring Kerberos KDC (krb5kdc)
ipaserver.install.service: DEBUG:   [1/1]: installing X509 Certificate for PKINIT
  [1/1]: installing X509 Certificate for PKINIT
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'MONITORING', variant_level=1)
ipalib.install.certmonger: DEBUG: Cert request 20190515100659 was successful
ipaserver.install.service: DEBUG: service KDC has all config values set
ipaserver.install.service: DEBUG:   duration: 5 seconds
ipaserver.install.service: DEBUG: Done configuring Kerberos KDC (krb5kdc).
Done configuring Kerberos KDC (krb5kdc).
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl restart krb5kdc.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl is-active krb5kdc.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=active

ipapython.ipautil: DEBUG: stderr=
ipaplatform.base.services: DEBUG: Restart of krb5kdc.service complete
ipaserver.install.service: DEBUG: service KDC: config string pkinitEnabled already set
ipaserver.install.service: DEBUG: service KDC has already enabled config values ['pkinitEnabled']
ipalib.backend: DEBUG: Destroyed connection context.ldap2_140508947101264
ipapython.admintool: INFO: The ipa-pkinit-manage command was successful
[root@idm-qe-01 ~]# ipa-getcert list
Number of certificates and requests being tracked: 9.
Request ID '20190515100056':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TESTRELM-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TESTRELM-TEST/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-TESTRELM-TEST',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=master.testrelm.test,O=TESTRELM.TEST
	expires: 2021-05-15 10:00:56 UTC
	dns: master.testrelm.test
	principal name: ldap/master.testrelm.test@TESTRELM.TEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TESTRELM-TEST
	track: yes
	auto-renew: yes
Request ID '20190515100128':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=master.testrelm.test,O=TESTRELM.TEST
	expires: 2021-05-15 10:01:29 UTC
	dns: master.testrelm.test
	principal name: HTTP/master.testrelm.test@TESTRELM.TEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes
Request ID '20190515100659':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
	certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=master.testrelm.test,O=TESTRELM.TEST
	expires: 2021-05-15 10:06:59 UTC
	principal name: krbtgt/TESTRELM.TEST@TESTRELM.TEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-pkinit-KPKdc
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
	track: yes
	auto-renew: yes
[root@idm-qe-01 ~]# ipa-pkinit-manage status
PKINIT is enabled
The ipa-pkinit-manage command was successful
[root@idm-qe-01 ~]#


Based on above observations marking bugzilla as verified.
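
Added example (not part of the bug report or of FreeIPA's code): a cross-check of the tool's "PKINIT is enabled" claim against the `ipa-getcert list` evidence used in the verification steps above, so a false success is caught. The function names are hypothetical, the sample text is constructed and abridged from the output in comment 10, and the CA_UNREACHABLE case in the demo is a constructed failure.

```python
import re

KDC_CERT = "/var/kerberos/krb5kdc/kdc.crt"  # KDC cert path from the report's output
PKINIT_EKU = "id-pkinit-KPKdc"              # EKU listed on the KDC request

def parse_getcert_list(text):
    """Parse `ipa-getcert list` output into {request_id: {field: value}}."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':\s*$", line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and line[:1].isspace() and ":" in line:
            # Indented "field: value" line belonging to the current request.
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def check_kdc_cert(getcert_output):
    """Return (ok, request_id, problems) for the request tracking KDC_CERT."""
    for req_id, f in parse_getcert_list(getcert_output).items():
        if f"location='{KDC_CERT}'" not in f.get("certificate", ""):
            continue
        problems = []
        if f.get("status") != "MONITORING":
            problems.append("status is %s" % f.get("status"))
        if f.get("CA") != "IPA":
            problems.append("CA is %s" % f.get("CA"))
        if PKINIT_EKU not in f.get("eku", "").split(","):
            problems.append("missing EKU " + PKINIT_EKU)
        return (not problems, req_id, problems)
    return (False, None, ["no tracked request for " + KDC_CERT])

def verify_enable(status_output, getcert_output):
    """Cross-check the tool's own status line against the certificate evidence."""
    claimed = "PKINIT is enabled" in status_output
    ok, req_id, problems = check_kdc_cert(getcert_output)
    if claimed and not ok:
        return "MISMATCH: tool reports enabled, but " + "; ".join(problems)
    if claimed:
        return "OK: request %s backs the enabled state" % req_id
    return "PKINIT not enabled"

# Constructed samples, abridged from the output quoted in comment 10.
HTTPD_REQ = """Request ID '20190515100128':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\teku: id-kp-serverAuth,id-kp-clientAuth
"""
KDC_REQ = """Request ID '20190515100659':
\tstatus: MONITORING
\tcertificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
\tCA: IPA
\teku: id-kp-serverAuth,id-pkinit-KPKdc
"""
BEFORE = HTTPD_REQ            # listing before `ipa-pkinit-manage enable`
AFTER = HTTPD_REQ + KDC_REQ   # listing after the fixed build issued the cert

if __name__ == "__main__":
    print(verify_enable("PKINIT is enabled", AFTER))
    print(verify_enable("PKINIT is enabled", BEFORE))
    stuck = KDC_REQ.replace("status: MONITORING", "status: CA_UNREACHABLE")
    print(verify_enable("PKINIT is enabled", stuck))
```

On a live server the two arguments would be the captured output of `ipa-pkinit-manage status` and `ipa-getcert list`.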

Comment 13 errata-xmlrpc 2019-08-06 13:09:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2241

