Bug 1623113 - Replica install: certmonger sometimes fails
Summary: Replica install: certmonger sometimes fails
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.5
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks: 1623668
Reported: 2018-08-28 13:47 UTC by Florence Blanc-Renaud
Modified: 2021-09-09 15:26 UTC (History)

Fixed In Version: ipa-4.6.4-7.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1623668 (view as bug list)
Environment:
Last Closed: 2018-10-30 11:00:22 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3187 0 None None None 2018-10-30 11:01:37 UTC

Description Florence Blanc-Renaud 2018-08-28 13:47:11 UTC
Cloned from upstream: https://pagure.io/freeipa/issue/7623

### Issue

During parallel replica installation, a certmonger request sometimes fails with CA_REJECTED or CA_UNREACHABLE. The error occurs when the master is either busy or some information hasn't been replicated yet. Even a stuck request can be recovered, e.g. when permission and group information have been replicated.

#### Steps to Reproduce
Install 3 or more replicas simultaneously

#### Actual behavior
In some cases, a cert request fails

```
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 556, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 546, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 836, in __enable_ssl
    post_command=cmd)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certmonger.py", line 317, in request_and_wait_for_cert
    raise RuntimeError("Certificate issuance failed ({})".format(state))
RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
```
or

```
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 556, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 546, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 836, in __enable_ssl
    post_command=cmd)
  File "/usr/lib/python2.7/site-packages/ipalib/install/certmonger.py", line 317, in request_and_wait_for_cert
    raise RuntimeError("Certificate issuance failed ({})".format(state))
RuntimeError: Certificate issuance failed (CA_REJECTED)
```

#### Expected behavior
No error from certmonger


#### Additional info:

In all cases, I was able to get a new cert by resubmitting the certmonger request.

Comment 2 Florence Blanc-Renaud 2018-08-28 14:44:20 UTC
Partially fixed upstream
master:
    1fa2a7c Auto-retry failed certmonger requests
    2b669c5 Wait for client certificates

ipa-4-6:
    ab8a739 Auto-retry failed certmonger requests
    bde0b51 Wait for client certificates

ipa-4-5:
    ec60901 replicainstall: DS SSL replica install pick right certmonger host
    5ef8333 Fix race condition in get_locations_records()
    a9cc862 Tune DS replication settings
    79fe981 Auto-retry failed certmonger requests
    f3dd0cb Wait for client certificates

Comment 4 Florence Blanc-Renaud 2018-08-29 11:36:41 UTC
The remaining part will be handled in a separate issue. Moving to POST

Comment 7 Nikhil Dehadrai 2018-09-06 07:46:44 UTC
ipa-server-version: ipa-server-4.6.4-8.el7.x86_64

Verified the bug with the following observations:
1. Set up the IPA master
2. Install 3 or more replicas simultaneously (in my case I installed 5 replicas in parallel / simultaneously)
3. Run the following command on the REPLICA
# grep -rn "CA_REJECTED\|CA_UNREACHABLE\|RuntimeError" /var/log/ipareplica-install.log

4. Try creating a new cert request on any replica

Observations:
1. While replica installation is in progress, noticed the following message across all replicas:
 
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Full PKINIT configuration did not succeed
The setup will only install bits essential to the server functionality
You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server

For the above issue, BZ1623486 is already logged.

2. After step 2, replica installation is successful on all the systems.
3. After step 3, the following error message is received (RPC failed at server.  an internal error has occurred).); these errors are observed due to step 1 and will be tracked in separate bug BZ1623486

Console:
During the Configuring Kerberos KDC (krb5kdc) step, the following message is received:
  [1/1]: installing X509 Certificate for PKINIT
Full PKINIT configuration did not succeed
The setup will only install bits essential to the server functionality
You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds



replica-install.log:
------------------------
2018-09-06T07:22:29Z DEBUG Configuring Kerberos KDC (krb5kdc)
2018-09-06T07:22:29Z DEBUG   [1/1]: installing X509 Certificate for PKINIT
2018-09-06T07:22:29Z DEBUG certmonger request is in state dbus.String(u'NEWLY_ADDED_READING_KEYINFO', variant_level=1)
2018-09-06T07:22:34Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2018-09-06T07:22:39Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2018-09-06T07:22:44Z DEBUG certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
2018-09-06T07:22:49Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
2018-09-06T07:22:49Z DEBUG Cert request 20180906072229 failed: CA_REJECTED (Server at https://vm-idm-006.testrelm.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Host 'vm-idm-006.testrelm.test' is not an active KDC).)
2018-09-06T07:22:49Z DEBUG Sleep and resubmit cert request 20180906072229
2018-09-06T07:22:59Z DEBUG certmonger request is in state dbus.String(u'GENERATING_CSR', variant_level=1)
2018-09-06T07:23:04Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
2018-09-06T07:23:04Z DEBUG Cert request 20180906072229 failed: CA_REJECTED (Server at https://vm-idm-006.testrelm.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Host 'vm-idm-006.testrelm.test' is not an active KDC).)
2018-09-06T07:23:04Z DEBUG Sleep and resubmit cert request 20180906072229
2018-09-06T07:23:15Z DEBUG certmonger request is in state dbus.String(u'GENERATING_CSR', variant_level=1)
2018-09-06T07:23:20Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
2018-09-06T07:23:20Z DEBUG Cert request 20180906072229 failed: CA_REJECTED (Server at https://vm-idm-006.testrelm.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Host 'vm-idm-006.testrelm.test' is not an active KDC).)
2018-09-06T07:23:20Z DEBUG Sleep and resubmit cert request 20180906072229
2018-09-06T07:23:30Z DEBUG certmonger request is in state dbus.String(u'GENERATING_CSR', variant_level=1)
2018-09-06T07:23:35Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
2018-09-06T07:23:35Z DEBUG Cert request 20180906072229 failed: CA_REJECTED (Server at https://vm-idm-006.testrelm.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Host 'vm-idm-006.testrelm.test' is not an active KDC).)
2018-09-06T07:23:35Z DEBUG Sleep and resubmit cert request 20180906072229
2018-09-06T07:23:45Z DEBUG certmonger request is in state dbus.String(u'GENERATING_CSR', variant_level=1)
2018-09-06T07:23:50Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
2018-09-06T07:23:50Z DEBUG Cert request 20180906072229 failed: CA_REJECTED (Server at https://vm-idm-006.testrelm.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Host 'vm-idm-006.testrelm.test' is not an active KDC).)
2018-09-06T07:23:50Z DEBUG Sleep and resubmit cert request 20180906072229
2018-09-06T07:24:00Z DEBUG certmonger request is in state dbus.String(u'GENERATING_CSR', variant_level=1)
2018-09-06T07:24:05Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
2018-09-06T07:24:05Z DEBUG Cert request 20180906072229 failed: CA_REJECTED (Server at https://vm-idm-006.testrelm.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Host 'vm-idm-006.testrelm.test' is not an active KDC).)
2018-09-06T07:24:05Z DEBUG Sleep and resubmit cert request 20180906072229
2018-09-06T07:24:15Z DEBUG certmonger request is in state dbus.String(u'GENERATING_CSR', variant_level=1)
2018-09-06T07:24:20Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
2018-09-06T07:24:20Z DEBUG Cert request 20180906072229 failed: CA_REJECTED (Server at https://vm-idm-006.testrelm.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Host 'vm-idm-006.testrelm.test' is not an active KDC).)
2018-09-06T07:24:20Z DEBUG Sleep and resubmit cert request 20180906072229
2018-09-06T07:24:30Z DEBUG certmonger request is in state dbus.String(u'GENERATING_CSR', variant_level=1)
2018-09-06T07:24:35Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
2018-09-06T07:24:35Z DEBUG Cert request 20180906072229 failed: CA_REJECTED (Server at https://vm-idm-006.testrelm.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Host 'vm-idm-006.testrelm.test' is not an active KDC).)
2018-09-06T07:24:35Z DEBUG Sleep and resubmit cert request 20180906072229
2018-09-06T07:24:45Z DEBUG certmonger request is in state dbus.String(u'GENERATING_CSR', variant_level=1)
2018-09-06T07:24:50Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
2018-09-06T07:24:50Z DEBUG Cert request 20180906072229 failed: CA_REJECTED (Server at https://vm-idm-006.testrelm.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Host 'vm-idm-006.testrelm.test' is not an active KDC).)
2018-09-06T07:24:50Z DEBUG Sleep and resubmit cert request 20180906072229
2018-09-06T07:25:00Z DEBUG certmonger request is in state dbus.String(u'GENERATING_CSR', variant_level=1)
2018-09-06T07:25:05Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
2018-09-06T07:25:05Z DEBUG Cert request 20180906072229 failed: CA_REJECTED (Server at https://vm-idm-006.testrelm.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Host 'vm-idm-006.testrelm.test' is not an active KDC).)
2018-09-06T07:25:05Z DEBUG Sleep and resubmit cert request 20180906072229
2018-09-06T07:25:15Z DEBUG certmonger request is in state dbus.String(u'GENERATING_CSR', variant_level=1)
2018-09-06T07:25:20Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
2018-09-06T07:25:20Z DEBUG Cert request 20180906072229 failed: CA_REJECTED (Server at https://vm-idm-006.testrelm.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Host 'vm-idm-006.testrelm.test' is not an active KDC).)
2018-09-06T07:25:20Z DEBUG Sleep and resubmit cert request 20180906072229
2018-09-06T07:25:30Z DEBUG certmonger request is in state dbus.String(u'GENERATING_CSR', variant_level=1)
2018-09-06T07:25:35Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
2018-09-06T07:25:35Z DEBUG Cert request 20180906072229 failed: CA_REJECTED (Server at https://vm-idm-006.testrelm.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Host 'vm-idm-006.testrelm.test' is not an active KDC).)
2018-09-06T07:25:35Z DEBUG Sleep and resubmit cert request 20180906072229
2018-09-06T07:25:45Z DEBUG certmonger request is in state dbus.String(u'GENERATING_CSR', variant_level=1)
2018-09-06T07:25:50Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
2018-09-06T07:25:50Z DEBUG Cert request 20180906072229 failed: CA_REJECTED (Server at https://vm-idm-006.testrelm.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Host 'vm-idm-006.testrelm.test' is not an active KDC).)
2018-09-06T07:25:50Z DEBUG Sleep and resubmit cert request 20180906072229
2018-09-06T07:26:00Z DEBUG certmonger request is in state dbus.String(u'GENERATING_CSR', variant_level=1)
2018-09-06T07:26:06Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
2018-09-06T07:26:06Z DEBUG Cert request 20180906072229 failed: CA_REJECTED (Server at https://vm-idm-006.testrelm.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Host 'vm-idm-006.testrelm.test' is not an active KDC).)
2018-09-06T07:26:06Z DEBUG Sleep and resubmit cert request 20180906072229
2018-09-06T07:26:16Z DEBUG certmonger request is in state dbus.String(u'GENERATING_CSR', variant_level=1)
2018-09-06T07:26:21Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
2018-09-06T07:26:21Z DEBUG Cert request 20180906072229 failed: CA_REJECTED (Server at https://vm-idm-006.testrelm.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Host 'vm-idm-006.testrelm.test' is not an active KDC).)
2018-09-06T07:26:21Z DEBUG Sleep and resubmit cert request 20180906072229
2018-09-06T07:26:31Z DEBUG certmonger request is in state dbus.String(u'GENERATING_CSR', variant_level=1)
2018-09-06T07:26:36Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
2018-09-06T07:26:36Z DEBUG Cert request 20180906072229 failed: CA_REJECTED (Server at https://vm-idm-006.testrelm.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Host 'vm-idm-006.testrelm.test' is not an active KDC).)
2018-09-06T07:26:36Z DEBUG Sleep and resubmit cert request 20180906072229
2018-09-06T07:26:46Z DEBUG certmonger request is in state dbus.String(u'GENERATING_CSR', variant_level=1)
2018-09-06T07:26:51Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
2018-09-06T07:26:51Z DEBUG Cert request 20180906072229 failed: CA_REJECTED (Server at https://vm-idm-006.testrelm.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Host 'vm-idm-006.testrelm.test' is not an active KDC).)
2018-09-06T07:26:51Z DEBUG Sleep and resubmit cert request 20180906072229
2018-09-06T07:27:01Z DEBUG certmonger request is in state dbus.String(u'GENERATING_CSR', variant_level=1)
2018-09-06T07:27:06Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
2018-09-06T07:27:06Z DEBUG Cert request 20180906072229 failed: CA_REJECTED (Server at https://vm-idm-006.testrelm.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Host 'vm-idm-006.testrelm.test' is not an active KDC).)
2018-09-06T07:27:06Z DEBUG Sleep and resubmit cert request 20180906072229
2018-09-06T07:27:16Z DEBUG certmonger request is in state dbus.String(u'GENERATING_CSR', variant_level=1)
2018-09-06T07:27:21Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
2018-09-06T07:27:21Z DEBUG Cert request 20180906072229 failed: CA_REJECTED (Server at https://vm-idm-006.testrelm.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Host 'vm-idm-006.testrelm.test' is not an active KDC).)
2018-09-06T07:27:21Z DEBUG Sleep and resubmit cert request 20180906072229
2018-09-06T07:27:31Z DEBUG certmonger request is in state dbus.String(u'GENERATING_CSR', variant_level=1)
2018-09-06T07:27:36Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
2018-09-06T07:27:36Z DEBUG Cert request 20180906072229 failed: CA_REJECTED (Server at https://vm-idm-006.testrelm.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Host 'vm-idm-006.testrelm.test' is not an active KDC).)
2018-09-06T07:27:36Z DEBUG Request 20180906072229 reached resubmit dead line
2018-09-06T07:27:36Z WARNING PKINIT certificate request failed: Certificate issuance failed (CA_REJECTED: Server at https://vm-idm-006.testrelm.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Host 'vm-idm-006.testrelm.test' is not an active KDC).)
2018-09-06T07:27:36Z WARNING Failed to configure PKINIT
2018-09-06T07:27:36Z DEBUG Full PKINIT configuration did not succeed
2018-09-06T07:27:36Z DEBUG The setup will only install bits essential to the server functionality
2018-09-06T07:27:36Z DEBUG You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
2018-09-06T07:27:36Z DEBUG certmonger request is in state dbus.String(u'NEWLY_ADDED_READING_CERT', variant_level=1)
2018-09-06T07:27:41Z DEBUG certmonger request is in state dbus.String(u'MONITORING', variant_level=1)
2018-09-06T07:27:41Z DEBUG Cert request 20180906072736 was successful
2018-09-06T07:27:41Z DEBUG   duration: 312 seconds
2018-09-06T07:27:41Z DEBUG Done configuring Kerberos KDC (krb5kdc).
2018-09-06T07:27:41Z DEBUG Starting external process
2018-09-06T07:27:41Z DEBUG args=/bin/systemctl restart krb5kdc.service
2018-09-06T07:27:41Z DEBUG Process finished, return code=0
2018-09-06T07:27:41Z DEBUG stdout=
2018-09-06T07:27:41Z DEBUG stderr=
2018-09-06T07:27:41Z DEBUG Starting external process
2018-09-06T07:27:41Z DEBUG args=/bin/systemctl is-active krb5kdc.service
2018-09-06T07:27:41Z DEBUG Process finished, return code=0
2018-09-06T07:27:41Z DEBUG stdout=active

2018-09-06T07:27:41Z DEBUG stderr=
2018-09-06T07:27:41Z DEBUG Restart of krb5kdc.service complete
2018-09-06T07:27:41Z DEBUG Applying LDAP updates
2018-09-06T07:27:41Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2018-09-06T07:27:41Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2018-09-06T07:27:41Z DEBUG Starting external process
2018-09-06T07:27:41Z DEBUG args=/bin/systemctl is-active dirsrv
2018-09-06T07:27:41Z DEBUG Process finished, return code=0
2018-09-06T07:27:41Z DEBUG stdout=active

2018-09-06T07:27:41Z DEBUG stderr=
2018-09-06T07:27:41Z DEBUG Upgrading IPA:. Estimated time: 1 minute 30 seconds
2018-09-06T07:27:41Z DEBUG   [1/10]: stopping directory server


4. After step 4, creation of new certs results in MONITORING status.

#REPLICA
[root@vm-idm-006 ~]# kinit admin
Password for admin: 
[root@vm-idm-006 ~]# rpm -q ipa-server
ipa-server-4.6.4-8.el7.x86_64
[root@vm-idm-006 ~]# tail -1 /var/log/ipareplica-install.log 
2018-09-06T07:30:02Z INFO The ipa-replica-install command was successful
[root@vm-idm-006 ~]# ipa dnsrecord-add testrelm.test aaa --a-rec 192.168.0.102;
  Record name: aaa
  A record: 192.168.0.102
[root@vm-idm-006 ~]# ipa host-add aaa.testrelm.test;
------------------------------
Added host "aaa.testrelm.test"
------------------------------
  Host name: aaa.testrelm.test
  Principal name: host/aaa.testrelm.test
  Principal alias: host/aaa.testrelm.test
  Password: False
  Keytab: False
  Managed by: aaa.testrelm.test
[root@vm-idm-006 ~]# hostname;
vm-idm-006.testrelm.test
[root@vm-idm-006 ~]# ipa service-add HTTP/aaa.testrelm.test;
----------------------------------------------------
Added service "HTTP/aaa.testrelm.test"
----------------------------------------------------
  Principal name: HTTP/aaa.testrelm.test
  Principal alias: HTTP/aaa.testrelm.test
  Managed by: aaa.testrelm.test
[root@vm-idm-006 ~]# ipa service-add-host --hosts=`hostname` HTTP/aaa.testrelm.test;
  Principal name: HTTP/aaa.testrelm.test
  Principal alias: HTTP/aaa.testrelm.test
  Managed by: aaa.testrelm.test, vm-idm-006.testrelm.test
-------------------------
Number of members added 1
-------------------------
[root@vm-idm-006 ~]# ipa-getcert request -r -f /etc/pki/tls/certs/aaa.testrelm.test.crt -k /etc/pki/tls/private/aaa.testrelm.test.key -N CN=aaa.testrelm.test -D aaa.testrelm.test -K HTTP/aaa.testrelm.test;
New signing request "20180906073901" added.
[root@vm-idm-006 ~]# ipa-getcert list
Number of certificates and requests being tracked: 10.
Request ID '20180906071619':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TESTRELM-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TESTRELM-TEST/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-TESTRELM-TEST',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=vm-idm-006.testrelm.test,O=TESTRELM.TEST
	expires: 2020-09-06 07:16:21 UTC
	dns: vm-idm-006.testrelm.test
	principal name: ldap/vm-idm-006.testrelm.test
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TESTRELM-TEST
	track: yes
	auto-renew: yes
Request ID '20180906071646':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=vm-idm-006.testrelm.test,O=TESTRELM.TEST
	expires: 2020-09-06 07:16:47 UTC
	dns: vm-idm-006.testrelm.test
	principal name: HTTP/vm-idm-006.testrelm.test
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: /usr/libexec/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes
Request ID '20180906073901':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/private/aaa.testrelm.test.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/aaa.testrelm.test.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=aaa.testrelm.test,O=TESTRELM.TEST
	expires: 2020-09-06 07:39:04 UTC
	dns: aaa.testrelm.test
	principal name: HTTP/aaa.testrelm.test
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes

Thus, on the basis of the above observations, marking the status of the bug as 'VERIFIED'.
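
A log-triage sketch for the retry behaviour visible in the replica-install.log excerpt above, added here as an example and not part of the bug report or of FreeIPA: it groups the installer's certmonger messages by request ID and reports whether each request succeeded at once, recovered after resubmission, or hit the resubmit deadline. The function names, the sample log and its request IDs are constructed; only the message formats are taken from the excerpt.

```python
import re
from datetime import datetime

# Constructed sample in the format of the replica-install.log excerpt above;
# request IDs, reasons and timings are made up for the example.
SAMPLE_LOG = """\
2018-09-06T07:00:05Z DEBUG Cert request 20180906070000 was successful
2018-09-06T07:10:05Z DEBUG Cert request 20180906071000 failed: CA_UNREACHABLE (constructed reason)
2018-09-06T07:10:05Z DEBUG Sleep and resubmit cert request 20180906071000
2018-09-06T07:10:20Z DEBUG Cert request 20180906071000 failed: CA_REJECTED (constructed reason)
2018-09-06T07:10:20Z DEBUG Sleep and resubmit cert request 20180906071000
2018-09-06T07:10:35Z DEBUG Cert request 20180906071000 was successful
2018-09-06T07:22:49Z DEBUG Cert request 20180906072229 failed: CA_REJECTED (constructed reason)
2018-09-06T07:22:49Z DEBUG Sleep and resubmit cert request 20180906072229
2018-09-06T07:23:04Z DEBUG Cert request 20180906072229 failed: CA_REJECTED (constructed reason)
2018-09-06T07:23:04Z DEBUG Sleep and resubmit cert request 20180906072229
2018-09-06T07:27:36Z DEBUG Cert request 20180906072229 failed: CA_REJECTED (constructed reason)
2018-09-06T07:27:36Z DEBUG Request 20180906072229 reached resubmit dead line
"""

# "<UTC timestamp> <LEVEL> <message>", as written by the installer log.
LINE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) \w+ (.*)$")
# Message formats copied from the excerpt ("dead line" is spelled as logged).
EVENTS = [
    ("failed", re.compile(r"Cert request (\d+) failed: (\w+)")),
    ("resubmit", re.compile(r"Sleep and resubmit cert request (\d+)")),
    ("deadline", re.compile(r"Request (\d+) reached resubmit dead line")),
    ("success", re.compile(r"Cert request (\d+) was successful")),
]


def summarize(log_text):
    """Return {request_id: summary} for every certmonger request in the log."""
    requests = {}
    for raw in log_text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue  # continuation lines, blank lines, other formats
        when = datetime.strptime(line.group(1), "%Y-%m-%dT%H:%M:%SZ")
        for kind, pattern in EVENTS:
            hit = pattern.match(line.group(2))
            if not hit:
                continue
            req = requests.setdefault(hit.group(1), {
                "failures": 0, "resubmits": 0, "states": [],
                "first_failure": None, "last_event": None,
                "outcome": "pending"})
            req["last_event"] = when
            if kind == "failed":
                req["failures"] += 1
                req["first_failure"] = req["first_failure"] or when
                if hit.group(2) not in req["states"]:
                    req["states"].append(hit.group(2))
            elif kind == "resubmit":
                req["resubmits"] += 1
            elif kind == "deadline":
                req["outcome"] = "gave_up"
            else:  # success: distinguish clean issuance from a retried one
                req["outcome"] = "recovered" if req["failures"] else "ok"
            break
    return requests


def retry_seconds(req):
    """Seconds between the first failure and the last event of a request."""
    if req["first_failure"] is None:
        return 0
    return int((req["last_event"] - req["first_failure"]).total_seconds())


if __name__ == "__main__":
    for req_id, req in sorted(summarize(SAMPLE_LOG).items()):
        print(req_id, req["outcome"], req["failures"], "failure(s),",
              req["resubmits"], "resubmit(s),", retry_seconds(req), "s",
              ",".join(req["states"]))
```

A request reported as `gave_up` is one the installer stopped retrying; a `recovered` request with a long retry window is worth correlating with replication or load on the master at that time.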

Comment 9 errata-xmlrpc 2018-10-30 11:00:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3187

