Bug 1690191 - [RFE] Offline Certificate Renewal System
Summary: [RFE] Offline Certificate Renewal System
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: 7.7
Assignee: IPA Maintainers
QA Contact: ipa-qe
Docs Contact: Marc Muehlfeld
URL:
Whiteboard:
Keywords: FutureFeature
Depends On: 1468348 1696849
Blocks: 1644708 1669257 1472344 1550132 1647919
Reported: 2019-03-19 00:57 UTC by Fraser Tweedale
Modified: 2019-05-23 13:42 UTC (History)

Doc Text:
.IdM now supports renewing expired system certificates when the server is offline

With this enhancement, administrators can renew expired system certificates when Identity Management (IdM) is offline. When a system certificate expires, IdM fails to start. The new 'ipa-cert-fix' command replaces the workaround to manually set the date back to proceed with the renewal process. As a result, the downtime and support costs reduce in the mentioned scenario.
Clone Of: 1468348
Last Closed:


Description Fraser Tweedale 2019-03-19 00:57:45 UTC
+++ This bug was initially created as a clone of Bug #1468348 +++

Current scenario:

    When a system certificate expires, we need to roll back the date to a valid range
    and start the renewal process.

Proposed Solution:

    An offline tool which creates temporary certificates to bring up the server,
    using which we can then proceed with the online renewal process.

Related wiki:

    * http://pki.fedoraproject.org/wiki/Offline_System_Certificate_Renewal

--- Additional comment from Red Hat Bugzilla Rules Engine on 2017-07-06 19:09:55 UTC ---

Since this bug report was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.

--- Additional comment from Matthew Harmsen on 2017-08-04 00:18:50 UTC ---

Moving to 7.5 due to decision to delay CC until RHEL 7.5 / RHCS 9.3.

--- Additional comment from Matthew Harmsen on 2017-08-31 18:15:59 UTC ---



--- Additional comment from Matthew Harmsen on 2017-09-26 17:32:44 UTC ---



--- Additional comment from Matthew Harmsen on 2017-09-26 17:48:25 UTC ---

Ade needs to discuss this ticket with Dinesh to determine its priority for RHEL 7.5.

(1) mark https://pagure.io/dogtagpki/issue/2776 with appropriate priority;
(2) if blocker, set "blocker ?" ACK on RHEL bug
(3) add BLOCKER, CRITICAL, or MAJOR to Devel Whiteboard

--- Additional comment from Matthew Harmsen on 2017-10-25 16:33:04 UTC ---

[20171025] - RHEL 7.5 / RHCS 9.3 pre-Alpha Offline Triage ==> 7.6

--- Additional comment from PnT Account Manager on 2018-02-06 22:44:15 UTC ---

Employee 'dmoluguw@redhat.com' has left the company.

--- Additional comment from Chris Williams on 2018-05-01 22:10:20 UTC ---

This Bugzilla has been added to the Release Priority List for RHEL 7.6. It is not a guarantee it will make 7.6. Instead, Engineering, Product Management, QE and CEE have all agreed that this BZ should be addressed in 7.6 and every effort will be made to ensure this BZ makes the release. Please reach out to Chris Williams (cww@redhat.com) or senior members of your SBR if you have any questions.

--- Additional comment from Matthew Harmsen on 2018-05-05 00:18:43 UTC ---

Per RHEL 7.5.z/7.6/8.0 Triage:  7.6 (RPL Candidate)

--- Additional comment from Matthew Harmsen on 2018-06-18 15:54:48 UTC ---

This bug is being moved to RHEL 7.7 due to lack of development resources.

While mkosek, nkinder, ftweedal, cheimes, and mharmsen attempted numerous venues to try to come up with a workable solution in the RHEL 7.6 time frame, all of these efforts wound up being defeated by a simple lack of resources and a consensus decision that precedence should be given to RHEL 8 over RHEL 7.6 based upon existing resources.

On a final note, mkosek proposed the following:

But maybe, as mitigation, we could come up instead with improving the
renew procedure instead of building the tool? The goal is to make
Renewal process for Support and our customers easier, as noted in
https://projects.engineering.redhat.com/browse/FREEIPA-821
, so even documentation/process improvements count (if that is what
Dinesh could do).

As a consequence of this proposal, although I am re-assigning this particular bug to RHEL 7.7, I am also changing the assignee back to dmoluguw.

--- Additional comment from Dinesh Prasanth on 2018-11-14 15:31:57 UTC ---

This tool is now available in master (10.6). However, it is a little hard to backport to 10.5.

After talking to @ftweedal, he has created a JIRA ticket [1] to track the requirement to backport this tool to RHEL7.x/10.5.

[1] https://projects.engineering.redhat.com/browse/FREEIPA-2124

--- Additional comment from Fraser Tweedale on 2019-03-18 04:55:40 UTC ---

How to test: https://github.com/dogtagpki/pki/pull/183#issue-261388269

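The outage this description is about (a system certificate expires, IdM will not start, and the old workaround was to roll the clock back) is cheapest to catch before it happens. The following is an added example, not code from this bug or from the pki/freeipa projects: a small stdlib-only Python check over constructed `notAfter=` / `expires:` lines in the style of `openssl x509 -noout -enddate` and certmonger's `getcert list` output (the line formats, the sample certificate names and the reference time are assumptions), which flags certificates that are already expired, the situation `ipa-cert-fix` now exists for, and those expiring within a warning window.

```python
"""Expiry check for IdM/PKI system certificates (added example, stdlib only).

Input is text in two assumed formats, one entry per line:
  <name>: notAfter=May 13 15:15:50 2019 GMT      (openssl x509 -noout -enddate)
  <name>: expires: 2019-05-13 15:15:50 UTC       (certmonger getcert list)
Lines that match neither are ignored.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample inventory; the certificate names are illustrative.
SAMPLE_OUTPUT = """\
Server-Cert: notAfter=May 13 15:15:50 2019 GMT
auditSigningCert cert-pki-ca: notAfter=Dec 31 23:59:59 2030 GMT
caSigningCert cert-pki-ca: expires: 2030-06-01 00:00:00 UTC
ocspSigningCert cert-pki-ca: expires: 2019-06-01 00:00:00 UTC
status: MONITORING
"""

# Constructed reference time for the demo (a real check uses datetime.now(timezone.utc)).
NOW = datetime(2019, 5, 15, 7, 24, 1, tzinfo=timezone.utc)

OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"      # assumed openssl -enddate layout
CERTMONGER_FMT = "%Y-%m-%d %H:%M:%S UTC"   # assumed getcert list layout

LINE_RE = re.compile(
    r"^(?P<name>[^:]+):\s*(?:notAfter=(?P<openssl>.+)|expires:\s*(?P<certmonger>.+))$"
)


def parse_not_after(text):
    """Return a list of (name, not_after) with timezone-aware UTC datetimes."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # unrelated line (status, key info, ...): skip it
        if m.group("openssl"):
            dt = datetime.strptime(m.group("openssl").strip(), OPENSSL_FMT)
        else:
            dt = datetime.strptime(m.group("certmonger").strip(), CERTMONGER_FMT)
        entries.append((m.group("name").strip(), dt.replace(tzinfo=timezone.utc)))
    return entries


def classify(entries, now, warn_days=30):
    """Map each certificate name to 'expired', 'expiring' or 'ok'.

    'expired' is the condition in which IdM fails to start; 'expiring' gives the
    operator time to renew online, before the offline procedure is ever needed.
    """
    status = {}
    for name, not_after in entries:
        if not_after <= now:
            status[name] = "expired"
        elif not_after - now <= timedelta(days=warn_days):
            status[name] = "expiring"
        else:
            status[name] = "ok"
    return status


def run_check(text=SAMPLE_OUTPUT, now=NOW, warn_days=30):
    """Parse and classify in one step; returns the status dict."""
    return classify(parse_not_after(text), now, warn_days)


if __name__ == "__main__":
    for name, state in sorted(run_check().items(), key=lambda kv: kv[1]):
        print(f"{state:9} {name}")
```

Running it with the constructed sample reports `Server-Cert` as expired (its notAfter is two days before the reference time) and `ocspSigningCert cert-pki-ca` as expiring (17 days out), while the two 2030 certificates are ok; the `status:` line is skipped. Wired to a real inventory and a cron job, the same classification is the alert that keeps the expired case, and with it the need for any offline fix, from happening in the first place.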
Comment 6 Dinesh Prasanth 2019-05-13 15:15:50 UTC
Hi Marc,

Please see the updated doc field. I'm adding Fraser to review since he wrote the `ipa-cert-fix` wrapper.

.IdM now supports renewing expired system certificates when the server is offline

With this enhancement, administrators can renew expired system certificates when Identity Management (IdM) is offline. When a system certificate expires, IdM fails to start. The new `ipa-cert-fix` command, which is an IdM-specific wrapper around `pki-server cert-fix`, replaces the workaround to manually set the date back to proceed with the renewal process. As a result, the downtime and support costs reduce in the mentioned scenario.

Comment 8 Mohammad Rizwan 2019-05-15 07:24:01 UTC
Identified tier1 test passed. Based on the observation in comment #7, marking the bug verified.