+++ This bug was initially created as a clone of Bug #1468348 +++
When a system certificate expires, we need to roll back the date to a valid range
and start the renewal process.
An offline tool which creates temporary certificates to bring up the server,
and using which we can proceed with the online renewal process.
--- Additional comment from Red Hat Bugzilla Rules Engine on 2017-07-06 19:09:55 UTC ---
Since this bug report was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.
--- Additional comment from Matthew Harmsen on 2017-08-04 00:18:50 UTC ---
Moving to 7.5 due to decision to delay CC until RHEL 7.5 / RHCS 9.3.
--- Additional comment from Matthew Harmsen on 2017-08-31 18:15:59 UTC ---
--- Additional comment from Matthew Harmsen on 2017-09-26 17:32:44 UTC ---
--- Additional comment from Matthew Harmsen on 2017-09-26 17:48:25 UTC ---
Ade needs to discuss this ticket with Dinesh to determine its priority for RHEL 7.5.
(1) mark https://pagure.io/dogtagpki/issue/2776 with appropriate priority;
(2) if blocker, set "blocker ?" ACK on RHEL bug
(3) add BLOCKER, CRITICAL, or MAJOR to Devel Whiteboard
--- Additional comment from Matthew Harmsen on 2017-10-25 16:33:04 UTC ---
 - RHEL 7.5 / RHCS 9.3 pre-Alpha Offline Triage ==> 7.6
--- Additional comment from PnT Account Manager on 2018-02-06 22:44:15 UTC ---
Employee 'firstname.lastname@example.org' has left the company.
--- Additional comment from Chris Williams on 2018-05-01 22:10:20 UTC ---
This Bugzilla has been added to the Release Priority List for RHEL 7.6. It is not a guarantee it will make 7.6. Instead, Engineering, Product Management, QE and CEE have all agreed that this BZ should be addressed in 7.6 and every effort will be made to ensure this BZ makes the release. Please reach out to Chris Williams (email@example.com) or senior members of your SBR if you have any questions.
--- Additional comment from Matthew Harmsen on 2018-05-05 00:18:43 UTC ---
Per RHEL 7.5.z/7.6/8.0 Triage: 7.6 (RPL Candidate)
--- Additional comment from Matthew Harmsen on 2018-06-18 15:54:48 UTC ---
This bug is being moved to RHEL 7.7 due to lack of development resources.
While mkosek, nkinder, ftweedal, cheimes, and mharmsen attempted numerous avenues to try to come up with a workable solution in the RHEL 7.6 time frame, all of these efforts wound up being defeated by a simple lack of resources and a consensus decision that precedence should be given to RHEL 8 over RHEL 7.6 based upon existing resources.
On a final note, mkosek proposed the following:
But maybe, as mitigation, we could come up instead with improving the
renew procedure instead of building the tool? The goal is to make
Renewal process for Support and our customers easier, as noted in
, so even documentation/process improvements count (if that is what
Dinesh could do).
As a consequence of this proposal, although I am re-assigning this particular bug to RHEL 7.7, I am also changing the assignee back to dmoluguw.
--- Additional comment from Dinesh Prasanth on 2018-11-14 15:31:57 UTC ---
This tool is now available in master (10.6). However, it is a little hard to backport to 10.5.
After talking to @ftweedal, he has created a JIRA ticket  to track the requirement to backport this tool to RHEL7.x/10.5.
--- Additional comment from Fraser Tweedale on 2019-03-18 04:55:40 UTC ---
How to test: https://github.com/dogtagpki/pki/pull/183#issue-261388269
Please see the updated doc field. I'm adding Fraser to review since he wrote the `ipa-cert-fix` wrapper.
.IdM now supports renewing expired system certificates when the server is offline
With this enhancement, administrators can renew expired system certificates when Identity Management (IdM) is offline. When a system certificate expires, IdM fails to start. The new `ipa-cert-fix` command, which is an IdM-specific wrapper around `pki-server cert-fix`, replaces the workaround of manually setting the date back to proceed with the renewal process. As a result, downtime and support costs are reduced in the mentioned scenario.
Identified tier1 test passed. Based on observation in comment#7, marking the bug verified.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.