+++ This bug was initially created as a clone of Bug #1769282 +++
+++ This bug was initially created as a clone of Bug #1759281 +++

Description of problem:

When getcert is invoked with the -F option, it is supposed to store the CA cert in a file. When invoked with the -w option, it will wait until the cert is issued. But it will occasionally also return before the CA cert file is written. This causes issues when trying to invoke certmonger from puppet-certmonger for instance, because subsequent calls that rely on the existence of that file (to change its permissions for instance) will fail.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:

--- Additional comment from Rob Crittenden on 2019-10-25 13:55:54 UTC ---

We narrowed this down to the following:

1. certmonger is started prior to ipa-client-install.
2. IPA is unconfigured so it doesn't know where to fetch the chain from. The CA goes into a pending status to try again.
3. The machine is enrolled as an IPA client and certificate(s) retrieved using -F. Since the IPA CA still hasn't been set there is no CA file to write yet.
4. After a few hours certmonger wakes up the IPA CA again, it sees it is configured and retrieves the CA which results in writing the files pointed to by -F.

The fix is to restart certmonger after ipa-client-install. Right now it is only started if ipa-client-install runs with --request-cert. It should do a conditional restart on certmonger in all cases.

--- Additional comment from Rob Crittenden on 2019-10-25 14:00:37 UTC ---

Upstream ticket: https://pagure.io/freeipa/issue/8105
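The sequence below is an added example of how an enrollment script can sidestep the race described in the comments above; it is not code from this bug report, from certmonger or from FreeIPA. It applies the fix Rob describes (a conditional restart of certmonger right after ipa-client-install, whether or not --request-cert was used) and then, because "getcert request -w" only waits for the host certificate and not for the file named by -F, polls for the CA chain file before changing its permissions. Assumptions not stated on the page: the systemd unit is called "certmonger", the certmonger CA nickname is "IPA" (the one ipa-client-install configures by default), the file paths and the 300 s ceiling are placeholders, and any extra arguments are passed through to ipa-client-install unchanged.

```shell
#!/bin/sh
# Added example, not code from the bug report, certmonger or FreeIPA.
# Assumptions (not stated on the page): systemd unit name "certmonger",
# certmonger CA nickname "IPA", placeholder file paths, 300 s ceiling.

# Poll until PATH exists and is non-empty, or TIMEOUT seconds pass.
# Returns 0 when the file is present, 1 on timeout. Needed because
# "getcert request -w" returns once the host certificate is issued; the
# file named by -F is written separately, once the IPA CA has its chain.
wait_for_file() {
    path=$1
    timeout=${2:-300}
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if [ -s "$path" ]; then
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    # Final check so a file that landed during the last sleep is not missed.
    [ -s "$path" ]
}

# Enrollment order that avoids the pending-CA race:
#   1. enroll the host (ipa-client-install);
#   2. try-restart certmonger so its IPA CA re-reads the now-present
#      configuration instead of staying "pending" for hours;
#   3. request the certificate with -F and wait for the host cert;
#   4. wait explicitly for the CA chain file before touching it.
# Arguments: CA_FILE CERT_FILE KEY_FILE [ipa-client-install options...]
enroll_and_request() {
    ca_file=$1
    cert_file=$2
    key_file=$3
    shift 3

    ipa-client-install --unattended "$@"

    # try-restart only restarts the unit if it is already running, which
    # is the "conditional restart in all cases" the comment asks for.
    systemctl try-restart certmonger

    getcert request -c IPA -w -f "$cert_file" -k "$key_file" -F "$ca_file"

    # -w returned for the host certificate; the CA file may still be absent.
    if ! wait_for_file "$ca_file" 300; then
        echo "CA chain file $ca_file was not written in time" >&2
        return 1
    fi
    chmod 0644 "$ca_file"
}

# Only run the enrollment when explicitly asked, so the file can be sourced
# for wait_for_file without side effects.
if [ "${1:-}" = "--enroll" ]; then
    shift
    enroll_and_request "$@"
fi
```

Invoked as `sh enroll.sh --enroll /etc/pki/tls/certs/ipa-chain.pem /etc/pki/tls/certs/host.pem /etc/pki/tls/private/host.key --principal admin --password '...'` (paths and options are placeholders). If wait_for_file times out, `getcert list` will usually show the request's CA still pending, which is the state the comments describe; the script fails loudly instead of chmod-ing a file that does not exist yet.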
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0760