Bug 1601959 - IPA certificate auto renewal failed at CA_UNREACHABLE
Summary: IPA certificate auto renewal failed at CA_UNREACHABLE
Keywords:
Status: CLOSED DUPLICATE of bug 1596161
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-07-17 14:42 UTC by Xiyang Dong
Modified: 2018-07-17 15:09 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-07-17 15:09:10 UTC
Target Upstream Version:
Embargoed:


Attachments
/var/log/audit/audit.log (944.13 KB, text/plain)
2018-07-17 14:51 UTC, Xiyang Dong
/var/log/pki/pki-tomcat/ca/debug (7.31 MB, text/plain)
2018-07-17 14:52 UTC, Xiyang Dong
/var/log/messages (459.35 KB, text/plain)
2018-07-17 14:53 UTC, Xiyang Dong
audit2why (181.73 KB, text/plain)
2018-07-17 14:54 UTC, Xiyang Dong
ausearch (4.91 KB, text/x-vhdl)
2018-07-17 14:54 UTC, Xiyang Dong

Description Xiyang Dong 2018-07-17 14:42:24 UTC
Description of problem:
IPA certificate auto renewal failed at CA_UNREACHABLE 

Version-Release number of selected component (if applicable):
# rpm -qa ipa-server certmonger selinux-policy
selinux-policy-3.13.1-207.el7.noarch
certmonger-0.78.4-6.el7.x86_64
ipa-server-4.6.4-2.el7.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Install ipa server
2. Change date to close to cert expiration
3. Sleep 15 mins
4. Check cert status

Actual results:
Autorenew cert failed at: 
	status: CA_UNREACHABLE
	ca-error: Internal error
Expected results:
Certs renewed successfully
Additional info:
# date
Tue Jul 17 10:09:49 EDT 2018
# kinit admin
Password for admin:
# ipa cert-show 1
  Issuing CA: ipa
  Certificate: [base64 certificate data omitted]
  Subject: CN=Certificate Authority,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Tue Jul 17 14:05:39 2018 UTC
  Not After: Sat Jul 17 14:05:39 2038 UTC
  Serial number: 1
  Serial number (hex): 0x1
  Revoked: False
# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20180717140559':
	status: MONITORING
	subject: CN=IPA RA,O=TESTRELM.TEST
	expires: 2020-07-06 14:05:59 UTC
Request ID '20180717140613':
	status: MONITORING
	subject: CN=CA Audit,O=TESTRELM.TEST
	expires: 2020-07-06 14:05:39 UTC
Request ID '20180717140614':
	status: MONITORING
	subject: CN=OCSP Subsystem,O=TESTRELM.TEST
	expires: 2020-07-06 14:05:39 UTC
Request ID '20180717140615':
	status: MONITORING
	subject: CN=CA Subsystem,O=TESTRELM.TEST
	expires: 2020-07-06 14:05:39 UTC
Request ID '20180717140616':
	status: MONITORING
	subject: CN=Certificate Authority,O=TESTRELM.TEST
	expires: 2038-07-17 14:05:39 UTC
Request ID '20180717140617':
	status: MONITORING
	subject: CN=host-8-249-122.testrelm.test,O=TESTRELM.TEST
	expires: 2020-07-06 14:05:39 UTC
Request ID '20180717140631':
	status: MONITORING
	subject: CN=host-8-249-122.testrelm.test,O=TESTRELM.TEST
	expires: 2020-07-17 14:06:31 UTC
Request ID '20180717140655':
	status: MONITORING
	subject: CN=host-8-249-122.testrelm.test,O=TESTRELM.TEST
	expires: 2020-07-17 14:06:55 UTC
Request ID '20180717140706':
	status: MONITORING
	subject: CN=host-8-249-122.testrelm.test,O=TESTRELM.TEST
	expires: 2020-07-17 14:07:07 UTC
# date -s "715 days";sleep 900;date
Wed Jul  1 10:10:29 EDT 2020
Wed Jul  1 10:25:29 EDT 2020
# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20180717140559':
	status: CA_UNREACHABLE
	ca-error: Internal error
	subject: CN=IPA RA,O=TESTRELM.TEST
	expires: 2020-07-06 14:05:59 UTC
Request ID '20180717140613':
	status: CA_UNREACHABLE
	ca-error: Internal error
	subject: CN=CA Audit,O=TESTRELM.TEST
	expires: 2020-07-06 14:05:39 UTC
Request ID '20180717140614':
	status: CA_UNREACHABLE
	ca-error: Internal error
	subject: CN=OCSP Subsystem,O=TESTRELM.TEST
	expires: 2020-07-06 14:05:39 UTC
Request ID '20180717140615':
	status: CA_UNREACHABLE
	ca-error: Internal error
	subject: CN=CA Subsystem,O=TESTRELM.TEST
	expires: 2020-07-06 14:05:39 UTC
Request ID '20180717140616':
	status: MONITORING
	subject: CN=Certificate Authority,O=TESTRELM.TEST
	expires: 2038-07-17 14:05:39 UTC
Request ID '20180717140617':
	status: CA_UNREACHABLE
	ca-error: Internal error
	subject: CN=host-8-249-122.testrelm.test,O=TESTRELM.TEST
	expires: 2020-07-06 14:05:39 UTC
Request ID '20180717140631':
	status: MONITORING
	subject: CN=host-8-249-122.testrelm.test,O=TESTRELM.TEST
	expires: 2022-07-02 14:22:50 UTC
Request ID '20180717140655':
	status: MONITORING
	subject: CN=host-8-249-122.testrelm.test,O=TESTRELM.TEST
	expires: 2022-07-02 14:22:40 UTC
Request ID '20180717140706':
	status: MONITORING
	subject: CN=host-8-249-122.testrelm.test,O=TESTRELM.TEST
	expires: 2022-07-02 14:22:30 UTC
# kinit admin
Password for admin: 
Password expired.  You must change it now.
Enter new password: 
Enter it again:
# ipa cert-show 1
  Issuing CA: ipa
  Certificate: MIIDkTCCAnmgAwIBAgIBATANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTgwNzE3MTQwNTM5WhcNMzgwNzE3MTQwNTM5WjA4MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDXDeU1uGzxAbbXVW2KTGbDRm9bNChhSf7OB9qCVpdfWXAXYWcL7eHoONhaiDUS6wWEAgYMgZ7PS8KrC/IfXDmdsf2jj3nd08QhfFAZ/skC882aqCR44ej4AhU+O7Jc7o17ot+GE6hJ7HNzq4HLz7KPtIgQzsfqvEZtCoylfrH6hGfyTpq9wxDcKMk31H4Z+m53fkC+P/8zUMq4VV33ahC9tL8KZ+Va33/pWVavwkyvU9hud6JRLGqvYM/x864GKS8Zhi0/0HXHi8hadBEHKfRc047N6FllV82I44MaY7YFkMe8O+85ZPvSe/VspTHSP+IeOI3/ympPH4YmXktBERZvAgMBAAGjgaUwgaIwHwYDVR0jBBgwFoAUUdKXhJI720fLsuCtfKW4ToMa8pkwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAcYwHQYDVR0OBBYEFFHSl4SSO9tHy7LgrXyluE6DGvKZMD8GCCsGAQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2lwYS1jYS50ZXN0cmVsbS50ZXN0L2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAFWE20Jgm9GD99mUPgDfYt3wbddefuGW/QtNMw6GQSg6epUJZT786oBfaHv6AeTibLivATutVoSNd2alX6vOAKirmUkeCkw6LQ9yWr57NeSCH1kQbVZS6OT8AvKViE3D6lONS1vPNHClv1El7FC46lPi0UrWEWy18s/xCrkiDCnkmwxdp3bndIvTFEMQ7WZlVIKTEG3/9syE2D7KZHHSh648I0d3pL/psr4XdWB3T9VbZituV4kdQd6koXF7z/ktiHctGizf+SaMzOrFzHtmVji9zLI6TQbEyrEA7jqaSnc6kYN0JEcHyDy9p394+WiX7QaPR6sgdxiL747wFB6Ngi0=
  Subject: CN=Certificate Authority,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Tue Jul 17 14:05:39 2018 UTC
  Not After: Sat Jul 17 14:05:39 2038 UTC
  Serial number: 1
  Serial number (hex): 0x1
  Revoked: False
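
Added example (not part of the original report, and not IPA or certmonger code): the check the reporter does by eye with `getcert list | egrep ...`, written as a parser that flags any tracking request that has left MONITORING or is close to expiry. The sample text is constructed from three entries of the listing above; the function names and the 28-day warning threshold are assumptions made for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample: three entries abbreviated from the listing in the
# report, taken after the clock was moved forward.
SAMPLE = (
    "Request ID '20180717140559':\n"
    "\tstatus: CA_UNREACHABLE\n"
    "\tca-error: Internal error\n"
    "\tsubject: CN=IPA RA,O=TESTRELM.TEST\n"
    "\texpires: 2020-07-06 14:05:59 UTC\n"
    "Request ID '20180717140616':\n"
    "\tstatus: MONITORING\n"
    "\tsubject: CN=Certificate Authority,O=TESTRELM.TEST\n"
    "\texpires: 2038-07-17 14:05:39 UTC\n"
    "Request ID '20180717140631':\n"
    "\tstatus: MONITORING\n"
    "\tsubject: CN=host-8-249-122.testrelm.test,O=TESTRELM.TEST\n"
    "\texpires: 2022-07-02 14:22:50 UTC\n"
)

def parse_getcert(text):
    """Split `getcert list` output into one dict of fields per request."""
    requests = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Request ID '([^']+)':$", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and ":" in line:
            key, _, value = line.partition(":")
            requests[-1][key.strip()] = value.strip()
    return requests

def triage(requests, now, warn_days=28):
    """Return (id, status, ca_error, days_left) for requests needing attention:
    any status other than MONITORING, or fewer than warn_days until expiry."""
    findings = []
    for req in requests:
        status = req.get("status", "UNKNOWN")
        days_left = None
        if "expires" in req:
            expires = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S UTC")
            days_left = (expires.replace(tzinfo=timezone.utc) - now).days
        if status != "MONITORING" or (days_left is not None and days_left < warn_days):
            findings.append((req["id"], status, req.get("ca-error"), days_left))
    return findings

if __name__ == "__main__":
    # The report's clock after `date -s`: Wed Jul 1 10:25:29 EDT 2020.
    for finding in triage(parse_getcert(SAMPLE), datetime(2020, 7, 1, 14, 25, 29, tzinfo=timezone.utc)):
        print(finding)
```

On a live server the input would be the full output of `getcert list`; a non-empty result is the condition to alert on before the certificates actually expire.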

Comment 2 Xiyang Dong 2018-07-17 14:51:53 UTC
Created attachment 1459441 [details]
/var/log/audit/audit.log

Comment 3 Xiyang Dong 2018-07-17 14:52:37 UTC
Created attachment 1459442 [details]
/var/log/pki/pki-tomcat/ca/debug

Comment 4 Xiyang Dong 2018-07-17 14:53:09 UTC
Created attachment 1459443 [details]
/var/log/messages

Comment 5 Xiyang Dong 2018-07-17 14:54:08 UTC
Created attachment 1459444 [details]
audit2why

Comment 6 Xiyang Dong 2018-07-17 14:54:32 UTC
Created attachment 1459445 [details]
ausearch

Comment 7 Rob Crittenden 2018-07-17 15:09:10 UTC

*** This bug has been marked as a duplicate of bug 1596161 ***

