Bug 1493541 - ipa-pkinit-manage reports a switch from local pkinit to full pkinit configuration was successful although it was not.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks: 1658313 1659511
Reported: 2017-09-20 12:41 UTC by Thorsten Scherf
Modified: 2021-12-10 15:30 UTC (History)

Fixed In Version: ipa-4.6.5-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1658313 1659511 (view as bug list)
Environment:
Last Closed: 2019-08-06 13:09:02 UTC
Target Upstream Version:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FREEIPA-7527 0 None None None 2021-12-10 15:30:58 UTC
Red Hat Product Errata RHBA-2019:2241 0 None None None 2019-08-06 13:09:26 UTC

Description Thorsten Scherf 2017-09-20 12:41:23 UTC
Description of problem:
When you switch from local pkinit to full pkinit with an IPA CA signed CA certificate, the tool ipa-pkinit-manage says it was successful, even though no IPA CA signed KDC cert has been requested:

# ipa-pkinit-manage status
PKINIT is disabled
The ipa-pkinit-manage command was successful

# ipa-pkinit-manage --verbose enable
ipa.ipaserver.install.ipa_pkinit_manage.PKINITManage: DEBUG: Not logging to a file
ipa: DEBUG: importing all plugin modules in ipaserver.plugins...
ipa: DEBUG: importing plugin module ipaserver.plugins.aci
ipa: DEBUG: importing plugin module ipaserver.plugins.automember
ipa: DEBUG: importing plugin module ipaserver.plugins.automount
ipa: DEBUG: importing plugin module ipaserver.plugins.baseldap
ipa: DEBUG: ipaserver.plugins.baseldap is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.baseuser
ipa: DEBUG: importing plugin module ipaserver.plugins.batch
ipa: DEBUG: importing plugin module ipaserver.plugins.ca
ipa: DEBUG: importing plugin module ipaserver.plugins.caacl
ipa: DEBUG: importing plugin module ipaserver.plugins.cert
ipa: DEBUG: importing plugin module ipaserver.plugins.certmap
ipa: DEBUG: importing plugin module ipaserver.plugins.certprofile
ipa: DEBUG: importing plugin module ipaserver.plugins.config
ipa: DEBUG: importing plugin module ipaserver.plugins.delegation
ipa: DEBUG: importing plugin module ipaserver.plugins.dns
ipa: DEBUG: importing plugin module ipaserver.plugins.dnsserver
ipa: DEBUG: importing plugin module ipaserver.plugins.dogtag
ipa: DEBUG: importing plugin module ipaserver.plugins.domainlevel
ipa: DEBUG: importing plugin module ipaserver.plugins.group
ipa: DEBUG: importing plugin module ipaserver.plugins.hbac
ipa: DEBUG: ipaserver.plugins.hbac is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.hbacrule
ipa: DEBUG: importing plugin module ipaserver.plugins.hbacsvc
ipa: DEBUG: importing plugin module ipaserver.plugins.hbacsvcgroup
ipa: DEBUG: importing plugin module ipaserver.plugins.hbactest
ipa: DEBUG: importing plugin module ipaserver.plugins.host
ipa: DEBUG: importing plugin module ipaserver.plugins.hostgroup
ipa: DEBUG: importing plugin module ipaserver.plugins.idrange
ipa: DEBUG: importing plugin module ipaserver.plugins.idviews
ipa: DEBUG: importing plugin module ipaserver.plugins.internal
ipa: DEBUG: importing plugin module ipaserver.plugins.join
ipa: DEBUG: importing plugin module ipaserver.plugins.krbtpolicy
ipa: DEBUG: importing plugin module ipaserver.plugins.ldap2
ipa: DEBUG: importing plugin module ipaserver.plugins.location
ipa: DEBUG: importing plugin module ipaserver.plugins.migration
ipa: DEBUG: importing plugin module ipaserver.plugins.misc
ipa: DEBUG: importing plugin module ipaserver.plugins.netgroup
ipa: DEBUG: importing plugin module ipaserver.plugins.otp
ipa: DEBUG: ipaserver.plugins.otp is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.otpconfig
ipa: DEBUG: importing plugin module ipaserver.plugins.otptoken
ipa: DEBUG: importing plugin module ipaserver.plugins.passwd
ipa: DEBUG: importing plugin module ipaserver.plugins.permission
ipa: DEBUG: importing plugin module ipaserver.plugins.ping
ipa: DEBUG: importing plugin module ipaserver.plugins.pkinit
ipa: DEBUG: importing plugin module ipaserver.plugins.privilege
ipa: DEBUG: importing plugin module ipaserver.plugins.pwpolicy
ipa: DEBUG: importing plugin module ipaserver.plugins.rabase
ipa: DEBUG: ipaserver.plugins.rabase is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.radiusproxy
ipa: DEBUG: importing plugin module ipaserver.plugins.realmdomains
ipa: DEBUG: importing plugin module ipaserver.plugins.role
ipa: DEBUG: importing plugin module ipaserver.plugins.schema
ipa: DEBUG: importing plugin module ipaserver.plugins.selfservice
ipa: DEBUG: importing plugin module ipaserver.plugins.selinuxusermap
ipa: DEBUG: importing plugin module ipaserver.plugins.server
ipa: DEBUG: importing plugin module ipaserver.plugins.serverrole
ipa: DEBUG: importing plugin module ipaserver.plugins.serverroles
ipa: DEBUG: importing plugin module ipaserver.plugins.service
ipa: DEBUG: importing plugin module ipaserver.plugins.servicedelegation
ipa: DEBUG: importing plugin module ipaserver.plugins.session
ipa: DEBUG: importing plugin module ipaserver.plugins.stageuser
ipa: DEBUG: importing plugin module ipaserver.plugins.sudo
ipa: DEBUG: ipaserver.plugins.sudo is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.sudocmd
ipa: DEBUG: importing plugin module ipaserver.plugins.sudocmdgroup
ipa: DEBUG: importing plugin module ipaserver.plugins.sudorule
ipa: DEBUG: importing plugin module ipaserver.plugins.topology
ipa: DEBUG: importing plugin module ipaserver.plugins.trust
ipa: DEBUG: importing plugin module ipaserver.plugins.user
ipa: DEBUG: importing plugin module ipaserver.plugins.vault
ipa: DEBUG: importing plugin module ipaserver.plugins.virtual
ipa: DEBUG: ipaserver.plugins.virtual is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.whoami
ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection context.ldap2_56421648
ipa.ipaserver.plugins.cert.ca_is_enabled: DEBUG: raw: ca_is_enabled(version=u'2.228')
ipa.ipaserver.plugins.cert.ca_is_enabled: DEBUG: ca_is_enabled(version=u'2.228')
ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x53d9b00>
ipa.ipaserver.plugins.config.config_show: DEBUG: raw: config_show(version=u'2.228')
ipa.ipaserver.plugins.config.config_show: DEBUG: config_show(rights=False, all=False, raw=False, version=u'2.228')
ipa.ipaserver.plugins.cert.ca_is_enabled: DEBUG: raw: ca_is_enabled(version=u'2.228')
ipa.ipaserver.plugins.cert.ca_is_enabled: DEBUG: ca_is_enabled(version=u'2.228')
ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa: DEBUG: Configuring Kerberos KDC (krb5kdc)
Configuring Kerberos KDC (krb5kdc)
ipa: DEBUG:   [1/1]: installing X509 Certificate for PKINIT
  [1/1]: installing X509 Certificate for PKINIT
ipa: DEBUG: certmonger request is in state dbus.String(u'NEWLY_ADDED_READING_KEYINFO', variant_level=1)
ipa: DEBUG: certmonger request is in state dbus.String(u'MONITORING', variant_level=1)
ipa: DEBUG: service KDC has all config values set
ipa: DEBUG:   duration: 5 seconds
ipa: DEBUG: Done configuring Kerberos KDC (krb5kdc).
Done configuring Kerberos KDC (krb5kdc).
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl restart krb5kdc.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active krb5kdc.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: service KDC: config string pkinitEnabled already set
ipa: DEBUG: service KDC has already enabled config values ['pkinitEnabled']
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Destroyed connection context.ldap2_56421648
ipa.ipaserver.install.ipa_pkinit_manage.PKINITManage: INFO: The ipa-pkinit-manage command was successful


Version-Release number of selected component (if applicable):
ipa-server-4.5.0-21.el7_4.1.2.x86_64

Actual results:
No new certificate signed by the IPA CA has been requested.

Expected results:
Either the tool should report an error that requesting an IPA CA signed certificate failed or is not possible, or a new CSR should be generated to request an IPA CA signed certificate for the IPA KDC.

Comment 2 Petr Vobornik 2017-10-13 16:39:27 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7200

Comment 8 Florence Blanc-Renaud 2019-01-16 13:50:56 UTC
Upstream test added: ipatests/test_integration/test_pkinit_manage.py

Comment 10 Sumedh Sidhaye 2019-05-15 10:32:08 UTC
Build used for verification:

[root@idm-qe-01 ~]# rpm -qa ipa-server ipa-server-dns
ipa-server-4.6.5-8.el7.x86_64
ipa-server-dns-4.6.5-8.el7.noarch


Steps:
1. Install master with --no-pkinit option
2. ipa-getcert list
3. ipa-pkinit-manage status
4. ipa-pkinit-manage --verbose enable
5. ipa-getcert list
6. ipa-pkinit-manage status


Actual Results:



[root@idm-qe-01 ~]# ipa-getcert list
Number of certificates and requests being tracked: 9.
Request ID '20190515100056':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TESTRELM-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TESTRELM-TEST/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-TESTRELM-TEST',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=master.testrelm.test,O=TESTRELM.TEST
	expires: 2021-05-15 10:00:56 UTC
	dns: master.testrelm.test
	principal name: ldap/master.testrelm.test
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TESTRELM-TEST
	track: yes
	auto-renew: yes
Request ID '20190515100128':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=master.testrelm.test,O=TESTRELM.TEST
	expires: 2021-05-15 10:01:29 UTC
	dns: master.testrelm.test
	principal name: HTTP/master.testrelm.test
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes
[root@idm-qe-01 ~]# ipa-pkinit-manage status
PKINIT is disabled
The ipa-pkinit-manage command was successful
[root@idm-qe-01 ~]# ipa-pkinit-manage --verbose enable
ipalib.install.sysrestore: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipapython.admintool: DEBUG: Not logging to a file
ipalib.plugable: DEBUG: importing all plugin modules in ipaserver.plugins...
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.aci
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.automember
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.automount
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.baseldap
ipalib.plugable: DEBUG: ipaserver.plugins.baseldap is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.baseuser
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.batch
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ca
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.caacl
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.cert
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.certmap
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.certprofile
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.config
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.delegation
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dns
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dnsserver
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dogtag
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.domainlevel
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.group
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbac
ipalib.plugable: DEBUG: ipaserver.plugins.hbac is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacrule
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacsvc
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacsvcgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbactest
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.host
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hostgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.idrange
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.idviews
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.internal
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.join
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.krbtpolicy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ldap2
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.location
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.migration
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.misc
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.netgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otp
ipalib.plugable: DEBUG: ipaserver.plugins.otp is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otpconfig
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otptoken
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.passwd
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.permission
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ping
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.pkinit
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.privilege
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.pwpolicy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.rabase
ipalib.plugable: DEBUG: ipaserver.plugins.rabase is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.radiusproxy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.realmdomains
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.role
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.schema
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.selfservice
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.selinuxusermap
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.server
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.serverrole
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.serverroles
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.service
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.servicedelegation
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.session
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.stageuser
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudo
ipalib.plugable: DEBUG: ipaserver.plugins.sudo is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudocmd
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudocmdgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudorule
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.topology
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.trust
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.user
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.vault
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.virtual
ipalib.plugable: DEBUG: ipaserver.plugins.virtual is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.whoami
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.xmlserver
ipalib.backend: DEBUG: Created connection context.ldap2_140508947101264
ipalib.frontend: DEBUG: raw: ca_is_enabled(version=u'2.231')
ipalib.frontend: DEBUG: ca_is_enabled(version=u'2.231')
ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7fcac94db6c8>
ipalib.frontend: DEBUG: raw: config_show(version=u'2.231')
ipalib.frontend: DEBUG: config_show(rights=False, all=False, raw=False, version=u'2.231')
ipalib.frontend: DEBUG: raw: ca_is_enabled(version=u'2.231')
ipalib.frontend: DEBUG: ca_is_enabled(version=u'2.231')
ipalib.install.sysrestore: DEBUG: Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipalib.install.sysrestore: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipaserver.install.service: DEBUG: Configuring Kerberos KDC (krb5kdc)
Configuring Kerberos KDC (krb5kdc)
ipaserver.install.service: DEBUG:   [1/1]: installing X509 Certificate for PKINIT
  [1/1]: installing X509 Certificate for PKINIT
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'MONITORING', variant_level=1)
ipalib.install.certmonger: DEBUG: Cert request 20190515100659 was successful
ipaserver.install.service: DEBUG: service KDC has all config values set
ipaserver.install.service: DEBUG:   duration: 5 seconds
ipaserver.install.service: DEBUG: Done configuring Kerberos KDC (krb5kdc).
Done configuring Kerberos KDC (krb5kdc).
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl restart krb5kdc.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/bin/systemctl is-active krb5kdc.service
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=active

ipapython.ipautil: DEBUG: stderr=
ipaplatform.base.services: DEBUG: Restart of krb5kdc.service complete
ipaserver.install.service: DEBUG: service KDC: config string pkinitEnabled already set
ipaserver.install.service: DEBUG: service KDC has already enabled config values ['pkinitEnabled']
ipalib.backend: DEBUG: Destroyed connection context.ldap2_140508947101264
ipapython.admintool: INFO: The ipa-pkinit-manage command was successful
[root@idm-qe-01 ~]# ipa-getcert list
Number of certificates and requests being tracked: 9.
Request ID '20190515100056':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TESTRELM-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TESTRELM-TEST/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-TESTRELM-TEST',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=master.testrelm.test,O=TESTRELM.TEST
	expires: 2021-05-15 10:00:56 UTC
	dns: master.testrelm.test
	principal name: ldap/master.testrelm.test
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TESTRELM-TEST
	track: yes
	auto-renew: yes
Request ID '20190515100128':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=master.testrelm.test,O=TESTRELM.TEST
	expires: 2021-05-15 10:01:29 UTC
	dns: master.testrelm.test
	principal name: HTTP/master.testrelm.test
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes
Request ID '20190515100659':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
	certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=master.testrelm.test,O=TESTRELM.TEST
	expires: 2021-05-15 10:06:59 UTC
	principal name: krbtgt/TESTRELM.TEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-pkinit-KPKdc
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
	track: yes
	auto-renew: yes
[root@idm-qe-01 ~]# ipa-pkinit-manage status
PKINIT is enabled
The ipa-pkinit-manage command was successful
[root@idm-qe-01 ~]#


Based on the above observations, marking Bugzilla as verified.
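
The verification above relies on `ipa-getcert list` rather than on the "command was successful" line. The following added example (not FreeIPA code and not the upstream test) automates that check by parsing the listing and confirming that a request tracks the KDC certificate file with `CA: IPA` and the PKINIT KDC EKU. The function names are hypothetical and the sample listings are trimmed from the output in Comment 10.

```python
import re

KDC_CERT = "/var/kerberos/krb5kdc/kdc.crt"  # path from the output in Comment 10
PKINIT_KDC_EKU = "id-pkinit-KPKdc"          # EKU on the KDC request in Comment 10


def parse_getcert_list(text):
    """Parse `ipa-getcert list` output into {request_id: {field: value}}."""
    requests, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = re.match(r"Request ID '([^']+)':$", line)
        if match:
            current = requests.setdefault(match.group(1), {})
        elif current is not None and ":" in line:
            # Split on the first colon only; values such as dates contain colons.
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return requests


def kdc_cert_findings(text, realm):
    """Return a list of problems; an empty list means the KDC cert checks out."""
    wanted = "location='%s'" % KDC_CERT
    tracked = [(rid, f) for rid, f in parse_getcert_list(text).items()
               if wanted in f.get("certificate", "")]
    if not tracked:
        return ["no certmonger request tracks %s" % KDC_CERT]
    findings = []
    for rid, f in tracked:
        if f.get("status") != "MONITORING":
            findings.append("%s: status is %r" % (rid, f.get("status")))
        if f.get("CA") != "IPA":
            findings.append("%s: CA is %r, not 'IPA'" % (rid, f.get("CA")))
        if PKINIT_KDC_EKU not in f.get("eku", "").split(","):
            findings.append("%s: EKU %s missing" % (rid, PKINIT_KDC_EKU))
        if f.get("principal name") != "krbtgt/" + realm:
            findings.append("%s: principal is %r" % (rid, f.get("principal name")))
    return findings


# Constructed samples, trimmed from the `ipa-getcert list` output in Comment 10.
HTTPD_REQUEST = """Request ID '20190515100128':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tprincipal name: HTTP/master.testrelm.test
\teku: id-kp-serverAuth,id-kp-clientAuth
"""
KDC_REQUEST = """Request ID '20190515100659':
\tstatus: MONITORING
\tcertificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
\tCA: IPA
\texpires: 2021-05-15 10:06:59 UTC
\tprincipal name: krbtgt/TESTRELM.TEST
\teku: id-kp-serverAuth,id-pkinit-KPKdc
"""
BEFORE_ENABLE = ("Number of certificates and requests being tracked: 9.\n"
                 + HTTPD_REQUEST)
AFTER_ENABLE = BEFORE_ENABLE + KDC_REQUEST
# Hypothetical variant (not from the page): file tracked, but not by the IPA CA.
NOT_IPA_SIGNED = BEFORE_ENABLE + KDC_REQUEST.replace("CA: IPA", "CA: SelfSign")

if __name__ == "__main__":
    for name, sample in (("before", BEFORE_ENABLE), ("after", AFTER_ENABLE),
                         ("not-ipa-signed", NOT_IPA_SIGNED)):
        print(name, kdc_cert_findings(sample, "TESTRELM.TEST") or "OK")
```

On a live server, feed the function the captured output of `ipa-getcert list` and treat any non-empty result as a failed switch, whatever `ipa-pkinit-manage` printed.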

Comment 13 errata-xmlrpc 2019-08-06 13:09:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2241

