Bug 1660877 - kinit is failing due to overflow in Root CA certificate's timestamp
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: ipa-qe
Reported: 2018-12-19 13:31 UTC by Mohammad Rizwan
Modified: 2021-05-18 15:48 UTC

Fixed In Version: ipa-4.9.1-1
Last Closed: 2021-05-18 15:47:45 UTC
Type: Bug

Links
System ID Private Priority Status Summary Last Updated
Fedora Pagure freeipa issue 7827 0 None None None 2019-01-07 14:19:59 UTC

Description Mohammad Rizwan 2018-12-19 13:31:00 UTC
Description of problem:
kinit is failing due to overflow in Root CA certificate's timestamp


How reproducible:
always

Steps to Reproduce:
1. execute ipa-autorenewcert bash testsuite

Actual results:
kinit is failing when the system date approaches 2038 (cert issued in Dec - 2018)

Expected results:
kinit success

Additional info:

Comment 3 Alexander Bokovoy 2019-01-07 14:20:39 UTC
I added a link to https://pagure.io/freeipa/issue/7827 FreeIPA issue to cap the root CA lifetime before we get to fix all issues.

Comment 5 Fraser Tweedale 2019-01-10 10:58:02 UTC
Mohammad,

Where can I see the test output and/or the details of the ipa-autorenewcert program?

Can you please clarify the issue:  does it occur *now*, when the CA certificate has a >=Y2038
expiry, or does it occur only when the system time is >=Y2038 (i.e. system time has been advanced
to trigger renewal)?

Comment 6 Mohammad Rizwan 2019-01-10 11:14:44 UTC
It occurs when the system date goes to 2038.

Comment 9 Christian Heimes 2019-10-01 11:13:06 UTC
Is MIT KRB5's pkinit implementation Y2038 safe?

Comment 10 Robbie Harwood 2019-10-02 16:29:49 UTC
> Is MIT KRB5's pkinit implementation Y2038 safe?

We think the krb5 tree is y2038 safe (though note that the IPA KDB isn't).  I don't know of a reason why our pkinit wouldn't be - we're mostly relying on openssl and opensc-pkcs11.

Comment 15 Alexander Bokovoy 2021-01-28 06:34:51 UTC
This should be addressed with FreeIPA 4.9.0 by upstream commit 18721cc83035359a2f7d49cfe09e7f4b1376b090

Comment 25 Michal Polovka 2021-02-02 12:28:25 UTC
Verified using ipa-server-4.9.1-1.module+el8.4.0+9665+c9815399.x86_64 in RHEL8.4 nightly build.

local:  100605052034
soonest:  2034-10-13 01:05:12
latest:  2041-02-02 15:05:42
resubmit:  0
certs:  {'20210202100657': {'nickname': '20210202100657', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2167585541'}, '20210202100702': {'nickname': '20210202100702', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2167585515'}, '20210202100705': {'nickname': '20210202100705', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2167585524'}, '20210202100706': {'nickname': '20210202100706', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2167585534'}, '20210202100707': {'nickname': '20210202100707', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2243430342'}, '20210202100708': {'nickname': '20210202100708', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2167585514'}, '20210202100714': {'nickname': '20210202100714', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2168535930'}, '20210202100755': {'nickname': '20210202100755', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2168535917'}, '20210202100805': {'nickname': '20210202100805', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2168535910'}}
current:  2036-09-18 14:05:00
local:  091814052036
soonest:  2036-09-25 10:05:10
latest:  2041-02-02 15:05:42
resubmit:  0
certs:  {'20210202100657': {'nickname': '20210202100657', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2229221112'}, '20210202100702': {'nickname': '20210202100702', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2229221174'}, '20210202100705': {'nickname': '20210202100705', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2229221144'}, '20210202100706': {'nickname': '20210202100706', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2229221134'}, '20210202100707': {'nickname': '20210202100707', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2243430342'}, '20210202100708': {'nickname': '20210202100708', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2229221114'}, '20210202100714': {'nickname': '20210202100714', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2230171589'}, '20210202100755': {'nickname': '20210202100755', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2230171524'}, '20210202100805': {'nickname': '20210202100805', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2230171507'}}
current:  2038-09-01 23:05:00
local:  090123052038
soonest:  2038-09-08 19:05:14
latest:  2041-02-02 15:05:42
resubmit:  0
certs:  {'20210202100657': {'nickname': '20210202100657', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2243430342'}, '20210202100702': {'nickname': '20210202100702', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2243430342'}, '20210202100705': {'nickname': '20210202100705', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2243430342'}, '20210202100706': {'nickname': '20210202100706', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2243430342'}, '20210202100707': {'nickname': '20210202100707', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2243430342'}, '20210202100708': {'nickname': '20210202100708', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2243430342'}, '20210202100714': {'nickname': '20210202100714', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2243430342'}, '20210202100755': {'nickname': '20210202100755', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2243430342'}, '20210202100805': {'nickname': '20210202100805', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2243430342'}}
current:  2040-08-15 08:05:00
local:  081508052040
soonest:  2040-08-22 04:05:12
latest:  2041-02-02 15:05:42
resubmit:  0
certs:  {'20210202100657': {'nickname': '20210202100657', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2305501510'}, '20210202100702': {'nickname': '20210202100702', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2305501534'}, '20210202100705': {'nickname': '20210202100705', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2305501564'}, '20210202100706': {'nickname': '20210202100706', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2305501604'}, '20210202100707': {'nickname': '20210202100707', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2874013524'}, '20210202100708': {'nickname': '20210202100708', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2305501565'}, '20210202100714': {'nickname': '20210202100714', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2306451916'}, '20210202100755': {'nickname': '20210202100755', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2306451913'}, '20210202100805': {'nickname': '20210202100805', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2306451906'}}
current:  2041-01-31 20:05:00
local:  013120052041
soonest:  2041-02-02 15:05:42
latest:  2041-02-02 15:05:42
resubmit:  0

Full test log is an attachment of this BZ. The log shows an expected failure, as the test code was not adjusted at the time of verification.
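
Added example, not part of the original comment or of the FreeIPA test suite: the `not-valid-after` values in the verification output above are Unix epoch seconds, and this code parses a `certs:` line of that shape, flags expiries beyond the signed 32-bit limit, and shows what a 32-bit `time_t` would hold instead. The sample line reuses two values from that output plus one constructed entry; the function names are assumptions.

```python
import ast
from datetime import datetime, timedelta, timezone

INT32_MAX = 2**31 - 1  # 2038-01-19 03:14:07 UTC, the last second a signed 32-bit time_t holds
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample in the shape of a "certs:" line from the verification output.
# The two numeric request IDs and their values are copied from that output; the
# third entry is made up to show a pre-2038 expiry passing the check.
SAMPLE = (
    "certs:  {'20210202100657': {'nickname': '20210202100657', 'status': 'MONITORING', "
    "'ca-error': 'None', 'not-valid-after': '2167585541'}, "
    "'20210202100707': {'nickname': '20210202100707', 'status': 'MONITORING', "
    "'ca-error': 'None', 'not-valid-after': '2243430342'}, "
    "'constructed-pre-2038': {'nickname': 'constructed-pre-2038', 'status': 'MONITORING', "
    "'ca-error': 'None', 'not-valid-after': '2000000000'}}"
)

def wrap_int32(epoch):
    """Return the value left after truncating epoch seconds to a signed 32-bit integer."""
    return (epoch + 2**31) % 2**32 - 2**31

def utc(epoch):
    """Format epoch seconds (negative values included) as a UTC timestamp."""
    return (EPOCH + timedelta(seconds=epoch)).strftime("%Y-%m-%d %H:%M:%S")

def parse_certs(line):
    """Parse one 'certs:  {...}' line into {request_id: not_valid_after_epoch}."""
    _, sep, payload = line.partition("certs:")
    if not sep:
        raise ValueError("not a certs: line")
    tracked = ast.literal_eval(payload.strip())  # literal_eval never executes code
    return {rid: int(info["not-valid-after"]) for rid, info in tracked.items()}

def audit(line):
    """List certificates whose expiry does not fit in a signed 32-bit time_t."""
    findings = []
    for rid, epoch in sorted(parse_certs(line).items()):
        if epoch > INT32_MAX:
            wrapped = wrap_int32(epoch)
            findings.append((rid, epoch, utc(epoch), wrapped, utc(wrapped)))
    return findings

if __name__ == "__main__":
    for rid, epoch, when, wrapped, wrapped_when in audit(SAMPLE):
        print(f"{rid}: expires {when} UTC ({epoch}); as int32 -> {wrapped} = {wrapped_when} UTC")
```

The second sample value, 2243430342, decodes to 2041-02-02 15:05:42 UTC, the same instant the output reports as `latest`.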

Comment 28 errata-xmlrpc 2021-05-18 15:47:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1846

