Bug 1690191 - [RFE] Offline Certificate Renewal System
Summary: [RFE] Offline Certificate Renewal System
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: 7.7
Assignee: IPA Maintainers
QA Contact: ipa-qe
Docs Contact: Marc Muehlfeld
URL:
Whiteboard:
Depends On: 1468348 1696849
Blocks: 1472344 1550132 1644708 1647919 1669257
Reported: 2019-03-19 00:57 UTC by Fraser Tweedale
Modified: 2023-09-18 00:15 UTC
CC List: 26 users

Fixed In Version: ipa-4.6.5-2.el7
Doc Type: Enhancement
Doc Text:
.IdM now supports renewing expired system certificates when the server is offline

With this enhancement, administrators can renew expired system certificates when Identity Management (IdM) is offline. When a system certificate expires, IdM fails to start. The new `ipa-cert-fix` command replaces the workaround to manually set the date back to proceed with the renewal process. As a result, the downtime and support costs reduce in the mentioned scenario.
Clone Of: 1468348
Environment:
Last Closed: 2019-08-06 13:09:37 UTC
Target Upstream Version:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FREEIPA-8920 0 None None None 2022-10-10 13:01:03 UTC
Red Hat Product Errata RHBA-2019:2241 0 None None None 2019-08-06 13:09:54 UTC

Description Fraser Tweedale 2019-03-19 00:57:45 UTC
+++ This bug was initially created as a clone of Bug #1468348 +++

Current scenario:

    When a system certificate expires, we need to roll back the date to a valid range
    and start the renewal process.

Proposed Solution:

    An offline tool which creates temporary certificates to bring up the server,
    after which we can proceed with the online renewal process.

Related wiki:

    * http://pki.fedoraproject.org/wiki/Offline_System_Certificate_Renewal

--- Additional comment from Red Hat Bugzilla Rules Engine on 2017-07-06 19:09:55 UTC ---

Since this bug report was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.

--- Additional comment from Matthew Harmsen on 2017-08-04 00:18:50 UTC ---

Moving to 7.5 due to decision to delay CC until RHEL 7.5 / RHCS 9.3.

--- Additional comment from Matthew Harmsen on 2017-08-31 18:15:59 UTC ---



--- Additional comment from Matthew Harmsen on 2017-09-26 17:32:44 UTC ---



--- Additional comment from Matthew Harmsen on 2017-09-26 17:48:25 UTC ---

Ade needs to discuss this ticket with Dinesh to determine its priority for RHEL 7.5.

(1) mark https://pagure.io/dogtagpki/issue/2776 with appropriate priority;
(2) if blocker, set "blocker ?" ACK on RHEL bug
(3) add BLOCKER, CRITICAL, or MAJOR to Devel Whiteboard

--- Additional comment from Matthew Harmsen on 2017-10-25 16:33:04 UTC ---

[20171025] - RHEL 7.5 / RHCS 9.3 pre-Alpha Offline Triage ==> 7.6

--- Additional comment from PnT Account Manager on 2018-02-06 22:44:15 UTC ---

Employee 'dmoluguw' has left the company.

--- Additional comment from Chris Williams on 2018-05-01 22:10:20 UTC ---

This Bugzilla has been added to the Release Priority List for RHEL 7.6. It is not a guarantee it will make 7.6. Instead, Engineering, Product Management, QE and CEE have all agreed that this BZ should be addressed in 7.6 and every effort will be made to ensure this BZ makes the release. Please reach out to Chris Williams (cww) or senior members of your SBR if you have any questions.

--- Additional comment from Matthew Harmsen on 2018-05-05 00:18:43 UTC ---

Per RHEL 7.5.z/7.6/8.0 Triage:  7.6 (RPL Candidate)

--- Additional comment from Matthew Harmsen on 2018-06-18 15:54:48 UTC ---

This bug is being moved to RHEL 7.7 due to lack of development resources.

While mkosek, nkinder, ftweedal, cheimes, and mharmsen attempted numerous venues to try to come up with a workable solution in the RHEL 7.6 time frame, all of these efforts wound up being defeated by a simple lack of resources and a consensus decision that precedence should be given to RHEL 8 over RHEL 7.6 based upon existing resources.

On a final note, mkosek proposed the following:

But maybe, as mitigation, we could come up instead with improving the
renew procedure instead of building the tool? The goal is to make
Renewal process for Support and our customers easier, as noted in
https://projects.engineering.redhat.com/browse/FREEIPA-821
, so even documentation/process improvements count (if that is what
Dinesh could do).

As a consequence of this proposal, although I am re-assigning this particular bug to RHEL 7.7, I am also changing the assignee back to dmoluguw.

--- Additional comment from Dinesh Prasanth on 2018-11-14 15:31:57 UTC ---

This tool is now available in master (10.6). However, it is a little hard to backport to 10.5.

After talking to @ftweedal, he has created a JIRA ticket [1] to track the requirement to backport this tool to RHEL7.x/10.5.

[1] https://projects.engineering.redhat.com/browse/FREEIPA-2124

--- Additional comment from Fraser Tweedale on 2019-03-18 04:55:40 UTC ---

How to test: https://github.com/dogtagpki/pki/pull/183#issue-261388269

Comment 6 Dinesh Prasanth 2019-05-13 15:15:50 UTC
Hi Marc,

Please see the updated doc field. I'm adding Fraser to review since he wrote the `ipa-cert-fix` wrapper.

.IdM now supports renewing expired system certificates when the server is offline

With this enhancement, administrators can renew expired system certificates when Identity Management (IdM) is offline. When a system certificate expires, IdM fails to start. The new `ipa-cert-fix` command, which is an IdM-specific wrapper against `pki-server cert-fix`, replaces the workaround to manually set the date back to proceed with the renewal process. As a result, the downtime and support costs reduce in the mentioned scenario.
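The failure mode behind this RFE (the description above and the doc text in this comment) is an IdM system certificate that has already expired, at which point the server no longer starts and the old workaround was to wind the clock back. The check an administrator wants before reaching for `ipa-cert-fix` is simply: which tracked certificates are expired, and which are about to be? The script below is an added example, not part of the bug, of FreeIPA, or of Dogtag; it parses the text output of certmonger's `getcert list` (the `Request ID` / `expires:` field layout is assumed from certmonger's format) and flags certificates that are expired or inside a warning window. The sample output and the reference time are constructed for the example.

```python
"""Detection check: flag expired or soon-to-expire IdM system certificates
from certmonger's `getcert list` output (added example, not project code)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `getcert list` output, not captured from a real
# server; the field layout follows certmonger's "Request ID ... expires:" format.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20190319000001':
\tstatus: MONITORING
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 2019-03-01 00:00:00 UTC
Request ID '20190319000002':
\tstatus: MONITORING
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=CA Audit,O=EXAMPLE.COM
\texpires: 2019-04-10 12:00:00 UTC
Request ID '20190319000003':
\tstatus: MONITORING
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 2021-03-19 00:00:00 UTC
"""

# Constructed reference time for the worked example (the bug's filing date);
# in real use pass datetime.now(timezone.utc).
REFERENCE_NOW = datetime(2019, 3, 19, tzinfo=timezone.utc)
EXPIRES_FORMAT = "%Y-%m-%d %H:%M:%S UTC"


def parse_getcert_list(text):
    """Split `getcert list` output into one dict of fields per tracking request."""
    requests, current = [], None
    for line in text.splitlines():
        match = re.match(r"Request ID '([^']+)':", line)
        if match:
            current = {"request_id": match.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests


def cert_label(request):
    """Name a tracked cert by store location and nickname (two stores may share a nickname)."""
    cert = request.get("certificate", "")
    location = re.search(r"location='([^']*)'", cert)
    nickname = re.search(r"nickname='([^']*)'", cert)
    parts = [m.group(1) for m in (location, nickname) if m]
    return ":".join(parts) if parts else request["request_id"]


def classify_certificates(requests, now, warn_days=30):
    """Return (expired, expiring_soon): lists of (label, expiry) with tz-aware UTC expiry."""
    expired, expiring_soon = [], []
    for request in requests:
        if "expires" not in request:
            continue  # a request still being enrolled carries no certificate yet
        expiry = datetime.strptime(request["expires"], EXPIRES_FORMAT)
        expiry = expiry.replace(tzinfo=timezone.utc)
        label = cert_label(request)
        if expiry <= now:
            expired.append((label, expiry))
        elif expiry - now <= timedelta(days=warn_days):
            expiring_soon.append((label, expiry))
    return expired, expiring_soon


def report(text, now, warn_days=30):
    """Human-readable summary; any EXPIRED line is the offline-renewal situation."""
    expired, soon = classify_certificates(parse_getcert_list(text), now, warn_days)
    lines = [f"EXPIRED       {label} (since {exp:%Y-%m-%d %H:%M} UTC)" for label, exp in expired]
    lines += [f"EXPIRES SOON  {label} (at {exp:%Y-%m-%d %H:%M} UTC)" for label, exp in soon]
    return "\n".join(lines) if lines else "all tracked certificates valid"


if __name__ == "__main__":
    print(report(SAMPLE_GETCERT_OUTPUT, REFERENCE_NOW))
```

Run against real output (`getcert list | python3 check_certs.py` after swapping the sample for `sys.stdin.read()`), an EXPIRES SOON line is the time to let certmonger's normal online renewal run, while an EXPIRED line on a server whose services are already down is exactly the case the doc text describes. The label joins store location and nickname because IdM tracks several certificates with the same nickname (for example `Server-Cert` in both the directory server and HTTP NSS databases), so the nickname alone would be ambiguous.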

Comment 8 Mohammad Rizwan 2019-05-15 07:24:01 UTC
Identified tier1 test passed. Based on observation in comment#7, marking the bug verified.

Comment 14 errata-xmlrpc 2019-08-06 13:09:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2241

Comment 18 Red Hat Bugzilla 2023-09-18 00:15:40 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days
