
Bug 1660877

Summary: kinit is failing due to overflow in Root CA certificate's timestamp
Product: Red Hat Enterprise Linux 8
Reporter: Mohammad Rizwan <myusuf>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Priority: unspecified
Version: 8.0
CC: abokovoy, cheimes, ftweedal, ksiddiqu, mpolovka, myusuf, pasik, pvoborni, rcritten, rharwood, ssidhaye, tscherf
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-4.9.1-1
Last Closed: 2021-05-18 15:47:45 UTC
Type: Bug

Description Mohammad Rizwan 2018-12-19 13:31:00 UTC
Description of problem:
kinit is failing due to overflow in Root CA certificate's timestamp


How reproducible:
always

Steps to Reproduce:
1. execute ipa-autorenewcert bash testsuite

Actual results:
kinit is failing when system date approaches 2038 (cert issued in Dec - 2018)

Expected results:
kinit success

Additional info:

Comment 3 Alexander Bokovoy 2019-01-07 14:20:39 UTC
I added a link to https://pagure.io/freeipa/issue/7827 FreeIPA issue to cap the root CA lifetime before we get to fix all issues.

Comment 5 Fraser Tweedale 2019-01-10 10:58:02 UTC
Mohammad,

Where can I see the test output and/or the details of the ipa-autorenewcert program?

Can you please clarify the issue:  does it occur *now*, when the CA certificate has a >=Y2038
expiry, or does it occur only when the system time is >=Y2038 (i.e. system time has been advanced
to trigger renewal)?

Comment 6 Mohammad Rizwan 2019-01-10 11:14:44 UTC
It occurs when system date goes to 2038.

Comment 9 Christian Heimes 2019-10-01 11:13:06 UTC
Is MIT KRB5's pkinit implementation Y2038 safe?

Comment 10 Robbie Harwood 2019-10-02 16:29:49 UTC
> Is MIT KRB5's pkinit implementation Y2038 safe?

We think the krb5 tree is y2038 safe (though note that the IPA KDB isn't).  I don't know of a reason why our pkinit wouldn't be - we're mostly relying on openssl and opensc-pkcs11.

Comment 15 Alexander Bokovoy 2021-01-28 06:34:51 UTC
This should be addressed with FreeIPA 4.9.0 by upstream commit 18721cc83035359a2f7d49cfe09e7f4b1376b090

Comment 25 Michal Polovka 2021-02-02 12:28:25 UTC
Verified using ipa-server-4.9.1-1.module+el8.4.0+9665+c9815399.x86_64 in RHEL8.4 nightly build.

local:  100605052034
soonest:  2034-10-13 01:05:12
latest:  2041-02-02 15:05:42
resubmit:  0
certs:  {'20210202100657': {'nickname': '20210202100657', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2167585541'}, '20210202100702': {'nickname': '20210202100702', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2167585515'}, '20210202100705': {'nickname': '20210202100705', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2167585524'}, '20210202100706': {'nickname': '20210202100706', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2167585534'}, '20210202100707': {'nickname': '20210202100707', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2243430342'}, '20210202100708': {'nickname': '20210202100708', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2167585514'}, '20210202100714': {'nickname': '20210202100714', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2168535930'}, '20210202100755': {'nickname': '20210202100755', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2168535917'}, '20210202100805': {'nickname': '20210202100805', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2168535910'}}
current:  2036-09-18 14:05:00
local:  091814052036
soonest:  2036-09-25 10:05:10
latest:  2041-02-02 15:05:42
resubmit:  0
certs:  {'20210202100657': {'nickname': '20210202100657', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2229221112'}, '20210202100702': {'nickname': '20210202100702', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2229221174'}, '20210202100705': {'nickname': '20210202100705', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2229221144'}, '20210202100706': {'nickname': '20210202100706', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2229221134'}, '20210202100707': {'nickname': '20210202100707', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2243430342'}, '20210202100708': {'nickname': '20210202100708', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2229221114'}, '20210202100714': {'nickname': '20210202100714', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2230171589'}, '20210202100755': {'nickname': '20210202100755', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2230171524'}, '20210202100805': {'nickname': '20210202100805', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2230171507'}}
current:  2038-09-01 23:05:00
local:  090123052038
soonest:  2038-09-08 19:05:14
latest:  2041-02-02 15:05:42
resubmit:  0
certs:  {'20210202100657': {'nickname': '20210202100657', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2243430342'}, '20210202100702': {'nickname': '20210202100702', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2243430342'}, '20210202100705': {'nickname': '20210202100705', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2243430342'}, '20210202100706': {'nickname': '20210202100706', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2243430342'}, '20210202100707': {'nickname': '20210202100707', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2243430342'}, '20210202100708': {'nickname': '20210202100708', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2243430342'}, '20210202100714': {'nickname': '20210202100714', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2243430342'}, '20210202100755': {'nickname': '20210202100755', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2243430342'}, '20210202100805': {'nickname': '20210202100805', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2243430342'}}
current:  2040-08-15 08:05:00
local:  081508052040
soonest:  2040-08-22 04:05:12
latest:  2041-02-02 15:05:42
resubmit:  0
certs:  {'20210202100657': {'nickname': '20210202100657', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2305501510'}, '20210202100702': {'nickname': '20210202100702', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2305501534'}, '20210202100705': {'nickname': '20210202100705', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2305501564'}, '20210202100706': {'nickname': '20210202100706', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2305501604'}, '20210202100707': {'nickname': '20210202100707', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2874013524'}, '20210202100708': {'nickname': '20210202100708', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2305501565'}, '20210202100714': {'nickname': '20210202100714', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2306451916'}, '20210202100755': {'nickname': '20210202100755', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2306451913'}, '20210202100805': {'nickname': '20210202100805', 'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': '2306451906'}}
current:  2041-01-31 20:05:00
local:  013120052041
soonest:  2041-02-02 15:05:42
latest:  2041-02-02 15:05:42
resubmit:  0

Full test log is an attachment of this BZ. The log shows an expected failure, as the test code was not adjusted at the time of verification.
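
Added example (not part of the comment above and not FreeIPA or test-suite code): the 'not-valid-after' values in the verification output are epoch seconds, and most exceed 2^31-1. The sketch parses a "certs:" line in that shape and reports what a signed 32-bit time value would make of each expiry; the function names and the last sample entry are assumptions made for illustration.

```python
import ast
import struct
from datetime import datetime, timedelta, timezone

INT32_MAX = 2**31 - 1  # last second a signed 32-bit time_t can hold
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
_REST = "'status': 'MONITORING', 'ca-error': 'None', 'not-valid-after': "

# Constructed sample in the shape of the "certs:" lines above. The first three
# 'not-valid-after' values are copied from that output; the last entry is made up.
SAMPLE = (
    "certs:  {"
    "'20210202100657': {'nickname': '20210202100657', " + _REST + "'2167585541'}, "
    "'20210202100707': {'nickname': '20210202100707', " + _REST + "'2243430342'}, "
    "'20210202100708': {'nickname': '20210202100708', " + _REST + "'2874013524'}, "
    "'constructed-short': {'nickname': 'constructed-short', " + _REST + "'2100000000'}}"
)


def to_utc(epoch):
    """Epoch seconds to a UTC datetime without going through the C time_t path."""
    return EPOCH + timedelta(seconds=epoch)


def as_int32(epoch):
    """Value left in a signed 32-bit time_t after truncation."""
    return struct.unpack("<i", struct.pack("<I", epoch & 0xFFFFFFFF))[0]


def audit(line):
    """Return one record per tracked certificate found in a 'certs:' line."""
    certs = ast.literal_eval(line.split(":", 1)[1].strip())
    report = []
    for nickname, info in sorted(certs.items()):
        expiry = int(info["not-valid-after"])
        report.append({
            "nickname": nickname,
            "expires": to_utc(expiry),
            "exceeds_int32": expiry > INT32_MAX,
            "seen_by_32bit": to_utc(as_int32(expiry)),
        })
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE):
        flag = "exceeds 32-bit time_t" if row["exceeds_int32"] else "ok"
        print(row["nickname"], row["expires"], row["seen_by_32bit"], flag)
```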

Comment 28 errata-xmlrpc 2021-05-18 15:47:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1846