Bug 2058441 - Default tripleo certmonger settings do not rotate certificate on renewal
Summary: Default tripleo certmonger settings do not rotate certificate on renewal
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: ansible-tripleo-ipa
Version: 16.2 (Train)
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Grzegorz Grasza
QA Contact: Jeremy Agee
URL:
Whiteboard:
Depends On:
Blocks: 2071582 2071584
Reported: 2022-02-25 00:50 UTC by David Sedgmen
Modified: 2022-04-04 09:45 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-04-04 09:45:49 UTC
Target Upstream Version:
Embargoed:
Links
System ID | Private | Priority | Status | Summary | Last Updated
OpenStack gerrit 633246 | 0 | None | MERGED | TLS everywhere: Set post-save command for nova-vnc-proxy | 2022-03-08 11:05:42 UTC
Red Hat Issue Tracker OSP-13187 | 0 | None | None | None | 2022-02-25 01:04:27 UTC

Description David Sedgmen 2022-02-25 00:50:22 UTC
Description of problem: Certmonger renews the certificate, but the post-save commands are missing or will not work because the service is containerised.

This can cause services to stop functioning because the certificate loaded in memory has expired.


Controller: 

~~~
Request ID 'mysql':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/private/mysql.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/mysql.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=REDHAT.LOCAL
	subject: CN=controller-0.internalapi.redhat.local,O=REDHAT.LOCAL
	expires: 2024-02-25 03:12:22 UTC
	dns: overcloud.internalapi.redhat.local,controller-0.internalapi.redhat.local
	principal name: mysql/controller-0.internalapi.redhat.local
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes


Request ID 'novnc-proxy':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/private/novnc_proxy.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/novnc_proxy.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=REDHAT.LOCAL
	subject: CN=controller-0.internalapi.redhat.local,O=REDHAT.LOCAL
	expires: 2024-02-25 03:12:26 UTC
	dns: controller-0.internalapi.redhat.local
	principal name: novnc-proxy/controller-0.internalapi.redhat.local
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes

Request ID 'ovn_dbs':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/private/ovn_dbs.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/ovn_dbs.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=REDHAT.LOCAL
	subject: CN=controller-0.internalapi.redhat.local,O=REDHAT.LOCAL
	expires: 2024-02-25 03:12:27 UTC
	dns: controller-0.internalapi.redhat.local
	principal name: ovn_dbs/controller-0.internalapi.redhat.local
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes

Request ID 'ovn_controller':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/private/ovn_controller.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/ovn_controller.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=REDHAT.LOCAL
	subject: CN=controller-0.internalapi.redhat.local,O=REDHAT.LOCAL
	expires: 2024-02-25 03:12:28 UTC
	dns: controller-0.internalapi.redhat.local
	principal name: ovn_controller/controller-0.internalapi.redhat.local
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes

Request ID 'neutron_ovn':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/private/ovn_neutron_client.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/ovn_neutron_client.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=REDHAT.LOCAL
	subject: CN=controller-0.internalapi.redhat.local,O=REDHAT.LOCAL
	expires: 2024-02-25 03:12:29 UTC
	dns: controller-0.internalapi.redhat.local
	principal name: neutron_ovn/controller-0.internalapi.redhat.local
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes

Request ID 'libvirt-vnc-client-cert':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/libvirt-vnc/client-key.pem'
	certificate: type=FILE,location='/etc/pki/libvirt-vnc/client-cert.pem'
	CA: IPA
	issuer: CN=Certificate Authority,O=REDHAT.LOCAL
	subject: CN=controller-0.internalapi.redhat.local,O=REDHAT.LOCAL
	expires: 2024-02-25 03:12:39 UTC
	dns: controller-0.internalapi.redhat.local
	principal name: libvirt-vnc/controller-0.internalapi.redhat.local
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: systemctl reload libvirtd
	track: yes
	auto-renew: yes
~~~

Compute: 

~~~
Request ID 'ovn_controller':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/private/ovn_controller.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/ovn_controller.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=REDHAT.LOCAL
	subject: CN=compute-0.internalapi.redhat.local,O=REDHAT.LOCAL
	expires: 2024-02-25 23:55:10 UTC
	dns: compute-0.internalapi.redhat.local
	principal name: ovn_controller/compute-0.internalapi.redhat.local
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes
Request ID 'ovn_metadata':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/private/ovn_metadata.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/ovn_metadata.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=REDHAT.LOCAL
	subject: CN=compute-0.internalapi.redhat.local,O=REDHAT.LOCAL
	expires: 2024-02-26 00:12:20 UTC
	dns: compute-0.internalapi.redhat.local
	principal name: ovn_metadata/compute-0.internalapi.redhat.local
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes
Request ID 'libvirt-client-cert':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/libvirt/private/clientkey.pem'
	certificate: type=FILE,location='/etc/pki/libvirt/clientcert.pem'
	CA: IPA
	issuer: CN=Certificate Authority,O=REDHAT.LOCAL
	subject: CN=compute-0.internalapi.redhat.local,O=REDHAT.LOCAL
	expires: 2024-02-25 03:11:28 UTC
	dns: compute-0.internalapi.redhat.local
	principal name: libvirt/compute-0.internalapi.redhat.local
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: systemctl reload libvirtd
	track: yes
	auto-renew: yes
Request ID 'libvirt-server-cert':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/libvirt/private/serverkey.pem'
	certificate: type=FILE,location='/etc/pki/libvirt/servercert.pem'
	CA: IPA
	issuer: CN=Certificate Authority,O=REDHAT.LOCAL
	subject: CN=compute-0.internalapi.redhat.local,O=REDHAT.LOCAL
	expires: 2024-02-25 03:11:30 UTC
	dns: compute-0.internalapi.redhat.local
	principal name: libvirt/compute-0.internalapi.redhat.local
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: systemctl reload libvirtd
	track: yes
	auto-renew: yes
Request ID 'libvirt-vnc-server-cert':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/libvirt-vnc/server-key.pem'
	certificate: type=FILE,location='/etc/pki/libvirt-vnc/server-cert.pem'
	CA: IPA
	issuer: CN=Certificate Authority,O=REDHAT.LOCAL
	subject: CN=compute-0.internalapi.redhat.local,O=REDHAT.LOCAL
	expires: 2024-02-25 03:11:31 UTC
	dns: compute-0.internalapi.redhat.local
	principal name: libvirt-vnc/compute-0.internalapi.redhat.local
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: systemctl reload libvirtd
	track: yes
	auto-renew: yes
Request ID 'qemu-nbd-client-cert':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/libvirt-nbd/client-key.pem'
	certificate: type=FILE,location='/etc/pki/libvirt-nbd/client-cert.pem'
	CA: IPA
	issuer: CN=Certificate Authority,O=REDHAT.LOCAL
	subject: CN=compute-0.internalapi.redhat.local,O=REDHAT.LOCAL
	expires: 2024-02-25 03:11:33 UTC
	dns: compute-0.internalapi.redhat.local
	principal name: qemu/compute-0.internalapi.redhat.local
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes
Request ID 'qemu-server-cert':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/qemu/server-key.pem'
	certificate: type=FILE,location='/etc/pki/qemu/server-cert.pem'
	CA: IPA
	issuer: CN=Certificate Authority,O=REDHAT.LOCAL
	subject: CN=compute-0.internalapi.redhat.local,O=REDHAT.LOCAL
	expires: 2024-02-25 03:11:35 UTC
	dns: compute-0.internalapi.redhat.local
	principal name: qemu/compute-0.internalapi.redhat.local
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes
~~~

Comment 3 David Sedgmen 2022-02-25 01:36:33 UTC
[root@controller-0 ~]# getcert list -i mysql
Number of certificates and requests being tracked: 18.
Request ID 'mysql':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/private/mysql.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/mysql.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=REDHAT.LOCAL
	subject: CN=controller-0.internalapi.redhat.local,O=REDHAT.LOCAL
	expires: 2024-02-25 03:12:22 UTC
	dns: overcloud.internalapi.redhat.local,controller-0.internalapi.redhat.local
	principal name: mysql/controller-0.internalapi.redhat.local
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes
[root@controller-0 ~]# cat /etc/pki/tls/certs/mysql.crt
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
[root@controller-0 ~]# openssl s_client -connect 172.17.1.137:4567 
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 O = REDHAT.LOCAL, CN = Certificate Authority
verify return:1
depth=0 O = REDHAT.LOCAL, CN = controller-0.internalapi.redhat.local
verify return:1
---
Certificate chain
 0 s:O = REDHAT.LOCAL, CN = controller-0.internalapi.redhat.local
   i:O = REDHAT.LOCAL, CN = Certificate Authority
 1 s:O = REDHAT.LOCAL, CN = Certificate Authority
   i:O = REDHAT.LOCAL, CN = Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=O = REDHAT.LOCAL, CN = controller-0.internalapi.redhat.local

issuer=O = REDHAT.LOCAL, CN = Certificate Authority

---
No client certificate CA names sent
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3249 bytes and written 399 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
read:errno=0
[root@controller-0 ~]# getcert resubmit -i mysql
Resubmitting "mysql" to "IPA".
[root@controller-0 ~]# openssl s_client -connect 172.17.1.137:4567 
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 O = REDHAT.LOCAL, CN = Certificate Authority
verify return:1
depth=0 O = REDHAT.LOCAL, CN = controller-0.internalapi.redhat.local
verify return:1
---
Certificate chain
 0 s:O = REDHAT.LOCAL, CN = controller-0.internalapi.redhat.local
   i:O = REDHAT.LOCAL, CN = Certificate Authority
 1 s:O = REDHAT.LOCAL, CN = Certificate Authority
   i:O = REDHAT.LOCAL, CN = Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=O = REDHAT.LOCAL, CN = controller-0.internalapi.redhat.local

issuer=O = REDHAT.LOCAL, CN = Certificate Authority

---
No client certificate CA names sent
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3249 bytes and written 399 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
read:errno=0
[root@controller-0 ~]# cat /etc/pki/tls/certs/mysql.crt
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
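An added check, written for this page and not part of the bug report or of tripleo/certmonger, that turns the two observations above into code: it parses `getcert list` output to flag tracked requests whose post-save command is empty (so a renewal rewrites the file but never tells the service to reload), and it compares the SHA-256 fingerprint of the certificate file with the one a listener actually serves, which is what the `cat` versus `openssl s_client` comparison in the comment does by eye. The sample `getcert` output is constructed in the page's format; the host, port and file path are whatever the operator passes in.

```python
"""Spot certmonger-tracked certificates that will be renewed on disk but not reloaded."""
import hashlib
import re
import ssl

# Constructed sample in the format of `getcert list`, cut down to the fields used here.
SAMPLE_GETCERT_LIST = """\
Request ID 'mysql':
\tstatus: MONITORING
\tcertificate: type=FILE,location='/etc/pki/tls/certs/mysql.crt'
\tpre-save command: 
\tpost-save command: 
\ttrack: yes
Request ID 'libvirt-vnc-client-cert':
\tstatus: MONITORING
\tcertificate: type=FILE,location='/etc/pki/libvirt-vnc/client-cert.pem'
\tpre-save command: 
\tpost-save command: systemctl reload libvirtd
\ttrack: yes
"""

def parse_getcert_list(text):
    """Return {request_id: {field: value}} from `getcert list` output."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = requests.setdefault(m.group(1), {})
            continue
        if current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return requests

def cert_location(fields):
    """Path of the tracked certificate file, taken from the 'certificate:' field."""
    m = re.search(r"location='([^']+)'", fields.get("certificate", ""))
    return m.group(1) if m else None

def requests_without_post_save(requests):
    """IDs whose renewal rewrites the file but never signals the service to reload."""
    return sorted(rid for rid, f in requests.items() if not f.get("post-save command"))

def pem_fingerprint(pem):
    """SHA-256 over the DER form, the value `openssl x509 -fingerprint -sha256` prints."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def served_matches_disk(cert_path, host, port):
    """False when the listener still serves a certificate other than the renewed file."""
    with open(cert_path) as fh:
        on_disk = pem_fingerprint(fh.read())
    served = pem_fingerprint(ssl.get_server_certificate((host, port)))
    return on_disk == served
```

For the case in the comment, `served_matches_disk("/etc/pki/tls/certs/mysql.crt", "172.17.1.137", 4567)` would return False after `getcert resubmit` until the service is restarted; any request listed by `requests_without_post_save` will drift the same way at its next renewal.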

Comment 4 Grzegorz Grasza 2022-03-08 11:05:42 UTC
The state of

Comment 9 Grzegorz Grasza 2022-04-04 09:45:49 UTC
I'm closing this now, since two RFE bugs were created for mysql, ovn and libvirt.

