Bug 1515503 - IPA certificate auto renewal failed at unable to connect to LDAP server with authentication failure
Summary: IPA certificate auto renewal failed at unable to connect to LDAP server with ...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.5
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On: 1481388
Blocks: 1486552
Reported: 2017-11-20 23:04 UTC by Xiyang Dong
Modified: 2017-11-23 03:00 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1481388
Environment:
Last Closed: 2017-11-23 03:00:27 UTC
Target Upstream Version:
Embargoed:



Comment 1 Xiyang Dong 2017-11-20 23:18:17 UTC
I am able to reproduce this same issue again on 7.5:
# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.5 Beta (Maipo)
# rpm -qa ipa-server certmonger selinux-policy
certmonger-0.78.4-3.el7.x86_64
ipa-server-4.5.4-4.el7.x86_64
selinux-policy-3.13.1-179.el7.noarch
# kinit admin
Password for admin:
# ipa cert-show 1
  Issuing CA: ipa
  Certificate: [base64 certificate data omitted]
  Subject: CN=Certificate Authority,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Mon Nov 20 21:33:02 2017 UTC
  Not After: Fri Nov 20 21:33:02 2037 UTC
  Serial number: 1
  Serial number (hex): 0x1
  Revoked: False
# date
Mon Nov 20 17:32:15 EST 2017
[root@qe-blade-08 ~]# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20171120213331':
	status: MONITORING
	subject: CN=IPA RA,O=TESTRELM.TEST
	expires: 2019-11-10 21:33:32 UTC
Request ID '20171120213356':
	status: MONITORING
	subject: CN=CA Audit,O=TESTRELM.TEST
	expires: 2019-11-10 21:33:05 UTC
Request ID '20171120213357':
	status: MONITORING
	subject: CN=OCSP Subsystem,O=TESTRELM.TEST
	expires: 2019-11-10 21:33:04 UTC
Request ID '20171120213358':
	status: MONITORING
	subject: CN=CA Subsystem,O=TESTRELM.TEST
	expires: 2019-11-10 21:33:04 UTC
Request ID '20171120213359':
	status: MONITORING
	subject: CN=Certificate Authority,O=TESTRELM.TEST
	expires: 2037-11-20 21:33:02 UTC
Request ID '20171120213400':
	status: MONITORING
	subject: CN=qe-blade-08.testrelm.test,O=TESTRELM.TEST
	expires: 2019-11-10 21:33:04 UTC
Request ID '20171120213421':
	status: MONITORING
	subject: CN=qe-blade-08.testrelm.test,O=TESTRELM.TEST
	expires: 2019-11-21 21:34:22 UTC
Request ID '20171120213513':
	status: MONITORING
	subject: CN=qe-blade-08.testrelm.test,O=TESTRELM.TEST
	expires: 2019-11-21 21:35:14 UTC
Request ID '20171120213523':
	status: MONITORING
	subject: CN=qe-blade-08.testrelm.test,O=TESTRELM.TEST
	expires: 2019-11-21 21:35:23 UTC
[root@qe-blade-08 ~]# date -s "715 days";sleep 300
Tue Nov  5 17:32:32 EST 2019
[root@qe-blade-08 ~]# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20171120213331':
	status: SUBMITTING
	subject: CN=IPA RA,O=TESTRELM.TEST
	expires: 2019-11-10 21:33:32 UTC
Request ID '20171120213356':
	status: SUBMITTING
	subject: CN=CA Audit,O=TESTRELM.TEST
	expires: 2019-11-10 21:33:05 UTC
Request ID '20171120213357':
	status: SUBMITTING
	subject: CN=OCSP Subsystem,O=TESTRELM.TEST
	expires: 2019-11-10 21:33:04 UTC
Request ID '20171120213358':
	status: SUBMITTING
	subject: CN=CA Subsystem,O=TESTRELM.TEST
	expires: 2019-11-10 21:33:04 UTC
Request ID '20171120213359':
	status: MONITORING
	subject: CN=Certificate Authority,O=TESTRELM.TEST
	expires: 2037-11-20 21:33:02 UTC
Request ID '20171120213400':
	status: SUBMITTING
	subject: CN=qe-blade-08.testrelm.test,O=TESTRELM.TEST
	expires: 2019-11-10 21:33:04 UTC
Request ID '20171120213421':
	status: SUBMITTING
	subject: CN=qe-blade-08.testrelm.test,O=TESTRELM.TEST
	expires: 2019-11-21 21:34:22 UTC
Request ID '20171120213513':
	status: SUBMITTING
	subject: CN=qe-blade-08.testrelm.test,O=TESTRELM.TEST
	expires: 2019-11-21 21:35:14 UTC
Request ID '20171120213523':
	status: SUBMITTING
	subject: CN=qe-blade-08.testrelm.test,O=TESTRELM.TEST
	expires: 2019-11-21 21:35:23 UTC
# kinit admin
Password for admin: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
[root@qe-blade-08 ~]# date
Tue Nov  5 17:44:59 EST 2019
[root@qe-blade-08 ~]# ipa cert-show 1
  Issuing CA: ipa
  Certificate: [base64 certificate data omitted]
  Subject: CN=Certificate Authority,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Mon Nov 20 21:33:02 2017 UTC
  Not After: Fri Nov 20 21:33:02 2037 UTC
  Serial number: 1
  Serial number (hex): 0x1
  Revoked: False
[root@qe-blade-08 ~]# date -s "715 days";sleep 300
Wed Oct 20 18:45:20 EDT 2021
[root@qe-blade-08 ~]# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20171120213331':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://qe-blade-08.testrelm.test:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	subject: CN=IPA RA,O=TESTRELM.TEST
	expires: 2021-10-25 21:44:30 UTC
Request ID '20171120213356':
	status: MONITORING
	ca-error: Server at "http://qe-blade-08.testrelm.test:8080/ca/ee/ca/profileSubmit" replied: Failed to connect LDAP server Could not connect to LDAP server host qe-blade-08.testrelm.test port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
	subject: CN=CA Audit,O=TESTRELM.TEST
	expires: 2021-10-25 21:44:50 UTC
Request ID '20171120213357':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://qe-blade-08.testrelm.test:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	subject: CN=OCSP Subsystem,O=TESTRELM.TEST
	expires: 2019-11-10 21:33:04 UTC
Request ID '20171120213358':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://qe-blade-08.testrelm.test:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	subject: CN=CA Subsystem,O=TESTRELM.TEST
	expires: 2019-11-10 21:33:04 UTC
Request ID '20171120213359':
	status: MONITORING
	subject: CN=Certificate Authority,O=TESTRELM.TEST
	expires: 2037-11-20 21:33:02 UTC
Request ID '20171120213400':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://qe-blade-08.testrelm.test:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	subject: CN=qe-blade-08.testrelm.test,O=TESTRELM.TEST
	expires: 2019-11-10 21:33:04 UTC
Request ID '20171120213421':
	status: MONITORING
	subject: CN=qe-blade-08.testrelm.test,O=TESTRELM.TEST
	expires: 2023-10-21 22:45:32 UTC
Request ID '20171120213513':
	status: CA_UNREACHABLE
	ca-error: Server at https://qe-blade-08.testrelm.test/ipa/xml failed request, will retry: 4016 (RPC failed at server.  Failed to authenticate to CA REST API).
	subject: CN=qe-blade-08.testrelm.test,O=TESTRELM.TEST
	expires: 2021-11-05 21:44:16 UTC
Request ID '20171120213523':
	status: MONITORING
	subject: CN=qe-blade-08.testrelm.test,O=TESTRELM.TEST
	expires: 2023-10-21 22:45:22 UTC
[root@qe-blade-08 ~]# kinit admin
Password for admin: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
[root@qe-blade-08 ~]# ipa cert-show 1
ipa: ERROR: Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)

Comment 4 Rob Crittenden 2017-11-20 23:47:22 UTC
I'm not seeing any AVCs in my reproduction, are you?

Comment 5 Xiyang Dong 2017-11-21 01:38:30 UTC
Don't see any AVCs either on my end.

Comment 6 Lukas Slebodnik 2017-11-21 06:59:36 UTC
(In reply to Xiyang Dong from comment #5)
> Don't see any AVCs either on my end.

Does it work in permissive mode?
If not, then there is a regression in IPA and not in the SELinux policy.

Comment 7 Xiyang Dong 2017-11-23 03:00:27 UTC
It turns out the renewal took longer than 300s; I moved the time forward while some of the certs were still in submitting status.
By giving enough time for the autorenew, it worked without any error.
Closing as not a bug.
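As an added example (not code from the bug report or from IPA/certmonger), the following replaces the fixed `sleep 300` in the reproduction with a wait that only returns once certmonger has settled, so the next clock jump never lands on half-renewed requests. The function names are mine, and it assumes the `getcert list` layout pasted in comment 1.

```shell
# Added example, not code from the bug report or from IPA/certmonger: it replaces
# the fixed 'date -s ...; sleep 300' step with a wait that only returns once
# certmonger has settled, so the next clock jump never lands on half-renewed
# requests. Assumes the getcert(1) 'list' layout pasted above.

# Print "<request id> <status>" for every request that is not back in
# MONITORING (SUBMITTING, CA_WORKING, CA_UNREACHABLE, ...). Reads stdin.
pending_requests() {
    awk -v q="'" '
        $1 == "Request" && $2 == "ID" { id = $3; gsub(q, "", id); sub(/:$/, "", id) }
        $1 == "status:" && $2 != "MONITORING" { print id " " $2 }
    '
}

# Same, as a bare integer.
pending_count() {
    pending_requests | wc -l | tr -d ' '
}

# Poll 'getcert list' every $2 seconds until nothing is pending or $1 seconds
# have passed. Returns 0 when settled, 1 on timeout (listing what is stuck).
wait_for_renewal() {
    timeout=${1:-900}; interval=${2:-15}; waited=0
    while [ "$(getcert list | pending_count)" -ne 0 ]; do
        if [ "$waited" -ge "$timeout" ]; then
            echo "timeout after ${waited}s; still pending:" >&2
            getcert list | pending_requests >&2
            return 1
        fi
        sleep "$interval"; waited=$((waited + interval))
    done
}

# Constructed sample listing (modelled on comment 1) so the parser can be
# exercised without a live IPA server.
sample_listing() {
    cat <<'EOF'
Request ID '20171120213331':
        status: SUBMITTING
        subject: CN=IPA RA,O=TESTRELM.TEST
Request ID '20171120213359':
        status: MONITORING
        subject: CN=Certificate Authority,O=TESTRELM.TEST
Request ID '20171120213400':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to https://qe-blade-08.testrelm.test:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
        subject: CN=qe-blade-08.testrelm.test,O=TESTRELM.TEST
EOF
}
```

In the reproduction above, `wait_for_renewal 900 15` would go where each `sleep 300` is, before the next `date -s`.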

