Bug 1780317 - ipa-cert-fix: False Positive Status for cert renewal.
Summary: ipa-cert-fix: False Positive Status for cert renewal.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.1
Hardware: x86_64
OS: Linux
Priority: medium
Severity: high
Target Milestone: rc
Target Release: 8.0
Assignee: Florence Blanc-Renaud
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-12-05 16:52 UTC by Deepak Das
Modified: 2021-11-23 08:56 UTC
CC List: 8 users

Fixed In Version: idm-client-8050020210701113027.de73ecb2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-09 18:21:19 UTC
Type: Bug
Target Upstream Version:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FREEIPA-7167 0 None None None 2021-10-25 18:12:25 UTC
Red Hat Product Errata RHBA-2021:4230 0 None None None 2021-11-09 18:21:38 UTC

Description Deepak Das 2019-12-05 16:52:26 UTC
Description of problem:

[root@master ~]# getcert list|grep -e expire -e certificate:
	certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
	expires: 2021-11-24 10:20:04 EST
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	expires: 2021-11-24 10:19:26 EST
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	expires: 2021-11-24 10:19:26 EST
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	expires: 2021-11-24 10:19:26 EST
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	expires: 2039-12-05 10:19:25 EST
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	expires: 2021-11-24 10:19:26 EST
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-TESTREALM-TEST',nickname='Server-Cert',token='NSS Certificate DB'
	expires: 2021-12-05 10:20:58 EST
	certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
	expires: 2021-12-05 10:21:24 EST
	certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
	expires: 2021-12-05 10:21:38 EST


[root@master ~]# hwclock --set --date="2025-08-14 16:45:05"
[root@master ~]# hwclock --hctosys; date
Thu Aug 14 16:45:10 EDT 2025


[root@master ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful


[root@master ~]# date
Thu Aug 14 16:47:48 EDT 2025


[root@master ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

[root@master ~]# ipa-cert-fix 

                          WARNING

ipa-cert-fix is intended for recovery when expired certificates
prevent the normal operation of FreeIPA.  It should ONLY be used
in such scenarios, and backup of the system, especially certificates
and keys, is STRONGLY RECOMMENDED.


The following certificates will be renewed: 

Dogtag sslserver certificate:
  Subject: CN=master.testrealm.test,O=TESTREALM.TEST
  Serial:  3
  Expires: 2021-11-24 15:19:26

Dogtag subsystem certificate:
  Subject: CN=CA Subsystem,O=TESTREALM.TEST
  Serial:  4
  Expires: 2021-11-24 15:19:26

Dogtag ca_ocsp_signing certificate:
  Subject: CN=OCSP Subsystem,O=TESTREALM.TEST
  Serial:  2
  Expires: 2021-11-24 15:19:26

Dogtag ca_audit_signing certificate:
  Subject: CN=CA Audit,O=TESTREALM.TEST
  Serial:  5
  Expires: 2021-11-24 15:19:26

IPA IPA RA certificate:
  Subject: CN=IPA RA,O=TESTREALM.TEST
  Serial:  7
  Expires: 2021-11-24 15:20:04

IPA Apache HTTPS certificate:
  Subject: CN=master.testrealm.test,O=TESTREALM.TEST
  Serial:  9
  Expires: 2021-12-05 15:21:24

IPA LDAP certificate:
  Subject: CN=master.testrealm.test,O=TESTREALM.TEST
  Serial:  8
  Expires: 2021-12-05 15:20:58

IPA KDC certificate:
  Subject: CN=master.testrealm.test,O=TESTREALM.TEST
  Serial:  10
  Expires: 2021-12-05 15:21:38

Enter "yes" to proceed: yes
Proceeding.
Renewed Dogtag sslserver certificate:
  Subject: CN=master.testrealm.test,O=TESTREALM.TEST
  Serial:  15
  Expires: 2027-08-04 20:49:57

Renewed Dogtag subsystem certificate:
  Subject: CN=CA Subsystem,O=TESTREALM.TEST
  Serial:  16
  Expires: 2027-08-04 20:49:58

Renewed Dogtag ca_ocsp_signing certificate:
  Subject: CN=OCSP Subsystem,O=TESTREALM.TEST
  Serial:  17
  Expires: 2027-08-04 20:49:59

Renewed Dogtag ca_audit_signing certificate:
  Subject: CN=CA Audit,O=TESTREALM.TEST
  Serial:  18
  Expires: 2027-08-04 20:49:59

Renewed IPA IPA RA certificate:
  Subject: CN=IPA RA,O=TESTREALM.TEST
  Serial:  19
  Expires: 2027-08-04 20:49:59

Renewed IPA Apache HTTPS certificate:
  Subject: CN=master.testrealm.test,O=TESTREALM.TEST
  Serial:  20
  Expires: 2027-08-15 20:50:00

Renewed IPA LDAP certificate:
  Subject: CN=master.testrealm.test,O=TESTREALM.TEST
  Serial:  21
  Expires: 2027-08-15 20:50:00

Renewed IPA KDC certificate:
  Subject: CN=master.testrealm.test,O=TESTREALM.TEST
  Serial:  22
  Expires: 2027-08-15 20:50:01

Becoming renewal master.
The ipa-cert-fix command was successful


[root@master ~]# getcert list|grep -e expire -e certificate:
	certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
	expires: 2021-11-24 10:20:04 EST
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	expires: 2021-11-24 10:19:26 EST
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	expires: 2021-11-24 10:19:26 EST
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	expires: 2021-11-24 10:19:26 EST
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	expires: 2039-12-05 10:19:25 EST
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	expires: 2021-11-24 10:19:26 EST
	ca-error: Server at https://master.testrealm.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://master.testrealm.test/ipa/xml' failed.  libcurl failed even to execute the HTTP transaction, explaining:  SSL certificate problem: certificate has expired).
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-TESTREALM-TEST',nickname='Server-Cert',token='NSS Certificate DB'
	expires: 2021-12-05 10:20:58 EST
	ca-error: Server at https://master.testrealm.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://master.testrealm.test/ipa/xml' failed.  libcurl failed even to execute the HTTP transaction, explaining:  SSL certificate problem: certificate has expired).
	certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
	expires: 2021-12-05 10:21:24 EST
	ca-error: Server at https://master.testrealm.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://master.testrealm.test/ipa/xml' failed.  libcurl failed even to execute the HTTP transaction, explaining:  SSL certificate problem: certificate has expired).
	certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
	expires: 2021-12-05 10:21:38 EST



Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Deepak Das 2019-12-05 17:09:04 UTC
Based on a further check, it seems that even after ipa-cert-fix gives a success message, it still takes another few minutes for the status of the certificates in "getcert list" on the server to be updated, hence causing confusion.

[root@master ~]# date
Thu Aug 14 17:01:22 EDT 2025

[root@master ~]# getcert list|grep -e expire -e certificate:
	certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
	expires: 2027-08-04 16:54:38 EDT
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	expires: 2027-08-04 16:53:36 EDT
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	expires: 2027-08-04 16:53:57 EDT
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	expires: 2027-08-04 16:54:07 EDT
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	expires: 2039-12-05 10:19:25 EST
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	expires: 2027-08-04 16:54:00 EDT
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-TESTREALM-TEST',nickname='Server-Cert',token='NSS Certificate DB'
	expires: 2027-08-15 16:53:41 EDT
	certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
	expires: 2027-08-15 16:53:51 EDT
	certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
	expires: 2027-08-15 16:53:32 EDT

Comment 2 Fraser Tweedale 2020-02-13 10:26:10 UTC
Indeed, Certmonger does not notice the updated certificates straight away.
So, rather than ipa-cert-fix output being a false positive, it is getcert
output that is a false negative.

I will leave this open.  We should probably at least make a note of this
in the man page or something so let's consider this a doc bug :)

Comment 4 Rob Crittenden 2021-02-09 19:05:28 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/8702

Comment 7 Florence Blanc-Renaud 2021-06-10 19:01:18 UTC
Fixed upstream
master:

    5509e00 ipa-cert-fix man page: add note about certmonger renewal

Comment 8 Florence Blanc-Renaud 2021-06-12 10:35:29 UTC
ipa-4-9:

    06a445a ipa-cert-fix man page: add note about certmonger renewal

Comment 14 Mohammad Rizwan 2021-07-12 13:07:02 UTC
version:
ipa-server-4.9.5-1.module+el8.5.0+11410+91a33fe4.x86_64
ipa-server-dns-4.9.5-1.module+el8.5.0+11410+91a33fe4.noarch

[root@master cloud-user]# ipa-cert-fix -v
[..]
ipapython.ipautil: DEBUG: stdout=Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service

ipapython.ipautil: DEBUG: stderr=ipa: INFO: The ipactl command was successful


Note: Monitor the certmonger-initiated renewal of
certificates after ipa-cert-fix and wait for its completion before
any other administrative task.

ipapython.admintool: INFO: The ipa-cert-fix command was successful


[root@master cloud-user]# man ipa-cert-fix
[..]
Important note: the certmonger daemon does not immediately notice the updated certificates and may trigger a renewal after ipa-cert-fix completes. As a consequence, getcert list output may display that a renewal is in progress even if ipa-cert-fix just finished. It is recommended to monitor the certmonger-initiated renewal and wait for its completion before any other administrative task.
[..]


Note about waiting for certmonger is displayed in command output as well as man page. Hence marking the bug as verified.
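A practitioner-side way to act on the man page note above (and on the getcert false negative Fraser describes in comment 2), as an added example that is not part of this bug report or of FreeIPA: a small POSIX shell helper that parses `getcert list` output and refuses to declare the server ready until every tracked request is back in MONITORING, reports no ca-error, is not stuck, and carries an expiry date later than today. The two getcert outputs embedded below are constructed to mirror the states shown in the description and in comment 1; the `wait_for_certmonger` helper, its 30-second poll interval and 900-second default timeout are assumptions, not anything FreeIPA ships.

```shell
#!/bin/sh
# Added example, not part of the bug report or of FreeIPA: decide whether
# certmonger has caught up after ipa-cert-fix, and wait for it with a timeout.

# certmonger_settled reads `getcert list` output on stdin and succeeds (exit 0)
# only if every tracked request is in MONITORING, has no ca-error, is not
# stuck, and reports an expiry date later than TODAY (YYYY-MM-DD, argument 1).
# Each problem found is printed on stdout, one per line, so the caller can
# show the operator what certmonger is still working on.
certmonger_settled() {
    awk -v today="$1" '
        function flush() {
            if (id != "") {
                if (status != "MONITORING") { bad++; printf "%s: status %s\n", id, status }
                if (caerr)                  { bad++; printf "%s: ca-error reported\n", id }
                if (stuck)                  { bad++; printf "%s: request is stuck\n", id }
                if (expires != "" && expires <= today)
                    { bad++; printf "%s: expires %s, not later than %s\n", id, expires, today }
            }
            id = ""; status = ""; caerr = 0; stuck = 0; expires = ""
        }
        # A request block starts with a "Request ID" line; keep only the id characters.
        $1 == "Request" && $2 == "ID" { flush(); id = $3; gsub(/[^A-Za-z0-9_.-]/, "", id) }
        $1 == "status:"   { status = $2 }
        $1 == "ca-error:" { caerr = 1 }
        $1 == "stuck:"    { stuck = ($2 == "yes") }
        $1 == "expires:"  { expires = $2 }   # YYYY-MM-DD compares correctly as a string
        END { flush(); exit (bad > 0) }
    '
}

# wait_for_certmonger polls getcert list until certmonger_settled succeeds or
# the timeout (seconds, default 900) runs out. The interval and default timeout
# are assumptions; tune them to the size of the deployment.
wait_for_certmonger() {
    timeout="${1:-900}"
    interval=30
    elapsed=0
    while :; do
        if getcert list | certmonger_settled "$(date +%Y-%m-%d)" >/dev/null; then
            echo "certmonger has settled after ${elapsed}s; safe to continue"
            return 0
        fi
        if [ "$elapsed" -ge "$timeout" ]; then
            echo "certmonger still busy after ${timeout}s; inspect getcert list before continuing" >&2
            return 1
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
}

# Constructed getcert output (not real), mirroring the state in the description:
# the old expiry is still reported and the ipa/xml endpoint rejects the request.
sample_stale() {
cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20191205152004':
        status: CA_UNREACHABLE
        ca-error: Server at https://master.testrealm.test/ipa/xml failed request, will retry: -504 (SSL certificate problem: certificate has expired).
        stuck: no
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        expires: 2021-11-24 10:20:04 EST
Request ID '20191205152138':
        status: MONITORING
        stuck: no
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        expires: 2021-12-05 10:21:38 EST
EOF
}

# Constructed output after certmonger has picked up the renewals (comment 1).
sample_renewed() {
cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20191205152004':
        status: MONITORING
        stuck: no
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        expires: 2027-08-04 16:54:38 EDT
Request ID '20191205152138':
        status: MONITORING
        stuck: no
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        expires: 2027-08-15 16:53:32 EDT
EOF
}

# Demonstration against the constructed samples, using the clock date from the
# report (2025-08-14) as today:
echo "stale output:";   sample_stale   | certmonger_settled 2025-08-14 || echo "-> not settled"
echo "renewed output:"; sample_renewed | certmonger_settled 2025-08-14 && echo "-> settled"
```

On a real server, run `wait_for_certmonger` after `ipa-cert-fix` reports success and before any other administrative task; the status and expiry checks together catch both the stale-expiry false negative and a renewal that certmonger has actually failed.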

Comment 16 errata-xmlrpc 2021-11-09 18:21:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4230

