Bug 1669257 - [RFE] Offline Certificate Renewal System
Summary: [RFE] Offline Certificate Renewal System
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pki-core
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Dinesh Prasanth
QA Contact: Asha Akkiangady
Docs Contact: Marc Muehlfeld
Duplicates: 1403016
Depends On: 1468348 1690191 1696849
Blocks: 1472344 1550132 1644708
Reported: 2019-01-24 18:53 UTC by Matthew Harmsen
Modified: 2021-07-10 14:06 UTC
CC List: 4 users

Fixed In Version: pki-core-10.6-820181130193715.5a87be8a
Doc Type: Enhancement
Doc Text:
.Certificate System now supports offline renewal of system certificates

With this enhancement, administrators can use the offline renewal feature to renew system certificates configured in Certificate System. When a system certificate expires, Certificate System fails to start. As a result of the enhancement, administrators no longer need workarounds to replace an expired system certificate.
Clone Of: 1468348
Last Closed: 2019-06-14 01:20:24 UTC
Type: Bug
Target Upstream Version:

Attachments
Verified Steps (19.23 KB, text/plain), 2019-02-20 06:51 UTC, Sudhir Menon

Comment 1 Dinesh Prasanth 2019-01-24 19:33:38 UTC
This feature must be available since v10.6.8

Steps for verification:
1. Install CA, KRA
2. Renew ca-admin beyond system cert's expiration date
3. Import the new admin cert into the client NSS DB and also add it to LDAP (NOTE: LDAP accepts only valid certs. If the cert is not yet valid, an error is thrown)
4. Change the system date beyond system cert's expiration date
5. Run `pki-server cert-fix --cert <cert_id>`  # To renew 1 cert
   Run `pki-server cert-fix`                   # To renew ALL certs
6. Check whether the PKI server is up

NOTE: `pki-server cert-find` should give you a list of all available <cert_ID>s available in the system

To import the admin cert into the client NSS DB and LDAP, you can refer to the upstream docs:
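
The procedure above only recovers a server that has already stopped starting; a practitioner normally wants to catch a system certificate before it expires and issue the matching `pki-server cert-fix --cert <cert_id>` from step 5 while the server is still up. The following script is an added example for this page, not code from the pki-core project or from the comment's author. It parses the per-certificate output of `certutil -L -d <nssdb> -n <nickname>` (the NSS tool shipped with the server) for its "Not After" line and classifies each system certificate as ok, expiring or expired. The certutil output embedded below is constructed sample data, the cert IDs match the ones the page uses (`sslserver`) plus the usual Dogtag system-cert IDs, the nickname-to-cert_id mapping in `read_from_nssdb` is an assumption (take the real values from `pki-server cert-find`), and the reference time is the verification date from comment 7.

```python
"""Pre-expiry check for Certificate System system certificates (added example).

Parses `certutil -L -d <nssdb> -n <nickname>` output and emits the
`pki-server cert-fix --cert <cert_id>` commands a practitioner would run
before the server fails to start on an expired system certificate.
"""
import re
from datetime import datetime, timedelta

# certutil prints validity as e.g. "Not After : Fri Jan 24 18:00:00 2020".
NOT_AFTER_RE = re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$", re.MULTILINE)
CERTUTIL_DATE_FMT = "%a %b %d %H:%M:%S %Y"

# Reference time for the sample data: the verification date in comment 7.
VERIFICATION_TIME = datetime(2019, 2, 20, 6, 45, 0)

# Constructed sample output, keyed by cert_id as listed by `pki-server cert-find`.
# Only the Validity block is reproduced; real certutil output is much longer.
SAMPLE_CERTUTIL_OUTPUT = {
    "ca_signing": """\
Certificate:
    Data:
        Validity:
            Not Before: Thu Jan 24 18:00:00 2019
            Not After : Mon Jan 24 18:00:00 2039
""",
    "sslserver": """\
Certificate:
    Data:
        Validity:
            Not Before: Thu Jan 24 18:00:00 2019
            Not After : Fri Jan 24 18:00:00 2020
""",
    "subsystem": """\
Certificate:
    Data:
        Validity:
            Not Before: Thu Jan 24 18:00:00 2019
            Not After : Sun Mar 10 18:00:00 2019
""",
    "ca_ocsp_signing": """\
Certificate:
    Data:
        Validity:
            Not Before: Tue Jan 24 18:00:00 2017
            Not After : Thu Jan 24 18:00:00 2019
""",
}


def parse_not_after(certutil_text: str) -> datetime:
    """Return the 'Not After' timestamp from one certificate's certutil output."""
    match = NOT_AFTER_RE.search(certutil_text)
    if match is None:
        raise ValueError("no 'Not After' line in certutil output")
    return datetime.strptime(match.group(1), CERTUTIL_DATE_FMT)


def classify(expiry: datetime, now: datetime, warn_days: int = 30) -> str:
    """'expired' if past expiry, 'expiring' if within warn_days, else 'ok'."""
    if expiry <= now:
        return "expired"
    if expiry - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"


def check_system_certs(outputs: dict, now: datetime, warn_days: int = 30) -> dict:
    """Map cert_id -> status for a dict of cert_id -> certutil output."""
    return {cert_id: classify(parse_not_after(text), now, warn_days)
            for cert_id, text in outputs.items()}


def cert_fix_commands(statuses: dict) -> list:
    """Commands to run, expired certificates first, then expiring ones."""
    severity = {"expired": 0, "expiring": 1}
    pending = sorted((severity[s], cid) for cid, s in statuses.items() if s in severity)
    return [f"pki-server cert-fix --cert {cid}" for _, cid in pending]


def read_from_nssdb(nssdb_dir: str, nicknames: dict) -> dict:
    """Collect live certutil output. `nicknames` (cert_id -> NSS nickname) is an
    assumption for illustration; take the real pairs from `pki-server cert-find`."""
    import subprocess
    return {cid: subprocess.run(["certutil", "-L", "-d", nssdb_dir, "-n", nick],
                                capture_output=True, text=True, check=True).stdout
            for cid, nick in nicknames.items()}


if __name__ == "__main__":
    report = check_system_certs(SAMPLE_CERTUTIL_OUTPUT, VERIFICATION_TIME)
    for cert_id, status in sorted(report.items()):
        print(f"{cert_id:18} {status}")
    for cmd in cert_fix_commands(report):
        print(cmd)
```

Run against a live instance by replacing `SAMPLE_CERTUTIL_OUTPUT` with `read_from_nssdb("/var/lib/pki/<instance>/alias", {...})` and `VERIFICATION_TIME` with `datetime.now()`; certutil prints validity in local time, so compare with a naive local timestamp. If every system certificate is flagged, the bare `pki-server cert-fix` from step 5 renews them all in one run, and per comment 10 the tool currently expects the server on port 8443.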

Comment 7 Sudhir Menon 2019-02-20 06:45:30 UTC
Fix is seen. 

Verified using 
[root@pki test]# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.0 Beta (Ootpa)

[root@pki test]# rpm -qa | grep pki

Comment 8 Sudhir Menon 2019-02-20 06:51:44 UTC
Created attachment 1536592 [details]
Verified Steps

Comment 9 Sudhir Menon 2019-02-20 06:53:08 UTC
Marking the bug as VERIFIED as per comment #7 and #8.

Comment 10 Dinesh Prasanth 2019-02-20 08:56:00 UTC
Corner cases identified:

1. PKI server needs to operate on default secure port 8443 for the `cert-fix` tool to submit system certificates renewal request.

Solution: The port is hardcoded (https://github.com/dogtagpki/pki/blob/master/base/server/python/pki/server/__init__.py#L378). We can modify the code to accept a port number via a `-p <port>` option.

2. While running the `cert-fix` tool, we saw the following error.

[root@master test]# pki-server cert-fix -d . -c Secret123 -n caadmin2 --cert sslserver -i topology-02-CA
ERROR: HTTPSConnectionPool(host='master.rhel80.test', port=8443): Max retries exceeded with url: /ca/rest/certrequests/profiles/caManualRenewal (Caused by SSLError(SSLError(185073780, '[X509: KEY_VALUES_MISMATCH] key values mismatch (_ssl.c:3550)'),))


This error was seen only when `Root CA signing` cert was imported into the client NSS db.

Comment 11 Dinesh Prasanth 2019-02-27 12:10:05 UTC
To track corner cases, a new BZ has been filed: https://bugzilla.redhat.com/show_bug.cgi?id=1679480

Comment 14 Matthew Harmsen 2019-06-10 23:47:11 UTC
*** Bug 1403016 has been marked as a duplicate of this bug. ***
