RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2162677 - RFE: Implement support for PKI certificate and request pruning
Summary: RFE: Implement support for PKI certificate and request pruning
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: ipa
Version: 9.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: beta
: ---
Assignee: Rob Crittenden
QA Contact: Mohammad Rizwan
David Voženílek
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-01-20 13:20 UTC by Rob Crittenden
Modified: 2023-12-12 16:30 UTC (History)
8 users (show)

Fixed In Version: ipa-4.10.1-4.el9
Doc Type: Enhancement
Doc Text:
.ACME supports automatically removing expired certificates as a Technology Preview The Automated Certificate Management Environment (ACME) service in Identity Management (IdM) adds an automatic mechanism to purge expired certificates from the certificate authority (CA) as a Technology Preview. As a result, ACME can now automatically remove expired certificates at specified intervals. Removing expired certificates is disabled by default. To enable it, enter: With this enhancement, ACME can now automatically remove expired certificates at specified intervals. Removing expired certificates is disabled by default. To enable it, enter: ---- # ipa-acme-manage pruning --enable --cron "0 0 1 * *" ---- This removes expired certificates on the first day of every month at midnight. NOTE: Expired certificates are removed after their retention period. By default, this is 30 days after expiry. For more details, see the `ipa-acme-manage(1)` man page.
Clone Of:
Environment:
Last Closed: 2023-05-09 07:33:20 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Fedora Pagure freeipa issue 9294 0 None None None 2023-01-27 12:02:51 UTC
Red Hat Issue Tracker FREEIPA-3052 0 None None None 2023-01-20 13:26:13 UTC
Red Hat Issue Tracker FREEIPA-9367 0 None None None 2023-01-20 13:22:02 UTC
Red Hat Issue Tracker RHELPLAN-145900 0 None None None 2023-01-20 13:22:05 UTC
Red Hat Product Errata RHBA-2023:2205 0 None None None 2023-05-09 07:33:35 UTC

Description Rob Crittenden 2023-01-20 13:20:45 UTC 
Description of problem:

pki-core has added the ability to remove (prune) expired certificates and requests. This is particularly important when using short-lived certificates with a protocol like ACME.

The new feature is documented at:

https://github.com/edewata/pki/blob/pruning/docs/changes/v11.3.0/Server-Changes.adoc
https://github.com/dogtagpki/pki/wiki/CA-Database-Pruning
https://github.com/dogtagpki/pki/wiki/Configuring-CA-Database-Pruning

IPA should extend the ipa-acme-manage command to include enabling and configuring certificate and request pruning.

A pre-requisite for this is an IPA server installed with random serial number v3 support enabled.
Comment 2 Rob Crittenden 2023-01-20 13:31:32 UTC 
Upstream design PR https://github.com/freeipa/freeipa/pull/6600
Comment 3 Rob Crittenden 2023-01-26 22:35:21 UTC 
Design PR
master:
https://pagure.io/freeipa/c/5d9f59038db8c8b133f3d75ce7d98324daf5b403
Comment 4 Florence Blanc-Renaud 2023-01-27 12:03:23 UTC 
Design PR
ipa-4-10:
https://pagure.io/freeipa/c/51b1c22d025bf40e9ef488bb0faf0c8dff303ccd
Comment 5 Florence Blanc-Renaud 2023-02-02 06:38:34 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/78298fd4e18f45f77691914ef7b406aa08fc7776
https://pagure.io/freeipa/c/7d1d91fc86c49fcaaec05c772add13af36fc0209
Comment 7 Florence Blanc-Renaud 2023-02-02 12:44:19 UTC 
Fixed upstream
ipa-4-10:
https://pagure.io/freeipa/c/9246a8a003b2b0062e07c289cd7cde8fe902b16f
https://pagure.io/freeipa/c/f10d1a0f84ed0f16ab4a1469f16ffadb3e79e59e
Comment 8 Florence Blanc-Renaud 2023-02-05 09:33:44 UTC 
Additional commit for a test fix:
master:
https://pagure.io/freeipa/c/414b5fe3520e5e733f26fa1e55bee8501598e261

ipa-4-10:
https://pagure.io/freeipa/c/d24b69981d94fce7b1e1aa4a5c1ab88a123f96b5
Comment 9 Rob Crittenden 2023-02-13 19:31:24 UTC 
Tests

master:
https://pagure.io/freeipa/c/828f6e7c927b6fc018161ff19851fb9c746be792
Comment 10 Rob Crittenden 2023-02-13 22:33:49 UTC 
ipa-4-10:
https://pagure.io/freeipa/c/0f77b359e241fc4055fb8d785e18f96338451ebf
Comment 15 Florence Blanc-Renaud 2023-02-22 08:13:34 UTC 
Fix for the test:
master:
https://pagure.io/freeipa/c/e76b219c21d53b6bccce4ea3d18e2b61ac835e1f

ipa-4-10:
https://pagure.io/freeipa/c/e7c642bafcead5ce344f3b129d916045b00d0c1e
Comment 16 Mohammad Rizwan 2023-02-23 14:32:09 UTC 
version:
ipa-server-4.10.1-5.el9.x86_64


machine='x86_64')
2023-02-23T13:47:10 euid: 0, egid: 0
2023-02-23T13:47:10 working dir: /tmp/wp/freeipa
2023-02-23T13:47:10 sys.version: 3.9.16 (main, Dec  8 2022, 00:00:00) 
2023-02-23T13:47:10 [GCC 11.3.1 20221121 (Red Hat 11.3.1-4)]
2023-02-23T13:47:10 ============================= test session starts ==============================
2023-02-23T13:47:10 platform linux -- Python 3.9.16, pytest-3.10.1, py-1.10.0, pluggy-0.13.1 -- /usr/bin/python3
2023-02-23T13:47:10 cachedir: .pytest_cache
2023-02-23T13:47:10 metadata: {'Python': '3.9.16', 'Platform': 'Linux-5.14.0-277.el9.x86_64-x86_64-with-glibc2.34', 'Packages': {'pytest': '3.10.1', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '2.0.4', 'html': '1.22.1', 'multihost': '3.0', 'sourceorder': '0.6.0'}}
2023-02-23T13:47:10 rootdir: /tmp/wp/freeipa, inifile: tox.ini
2023-02-23T13:47:10 plugins: metadata-2.0.4, html-1.22.1, multihost-3.0, sourceorder-0.6.0
2023-02-23T13:47:12 collecting ... collected 9 items
2023-02-23T13:47:12 
2023-02-23T13:56:58 ipatests/test_integration/test_acme.py::TestACMEPrune::test_enable_pruning PASSED [ 11%]
2023-02-23T13:57:21 ipatests/test_integration/test_acme.py::TestACMEPrune::test_pruning_options PASSED [ 22%]
2023-02-23T13:57:28 ipatests/test_integration/test_acme.py::TestACMEPrune::test_pruning_negative_options PASSED [ 33%]
2023-02-23T13:59:18 ipatests/test_integration/test_acme.py::TestACMEPrune::test_prune_cert_manual PASSED [ 44%]
2023-02-23T14:05:37 ipatests/test_integration/test_acme.py::TestACMEPrune::test_prune_cert_cron PASSED [ 55%]
2023-02-23T14:11:53 ipatests/test_integration/test_acme.py::TestACMEPrune::test_prune_cert_retention_unit PASSED [ 66%]
2023-02-23T14:13:41 ipatests/test_integration/test_acme.py::TestACMEPrune::test_prune_cert_search_size_limit PASSED [ 77%]
2023-02-23T14:14:27 ipatests/test_integration/test_acme.py::TestACMEPrune::test_prune_config_show PASSED [ 88%]
2023-02-23T14:15:41 ipatests/test_integration/test_acme.py::TestACMEPrune::test_prune_disable PASSED [100%]
2023-02-23T14:15:41 
2023-02-23T14:15:41 ------------------ generated xml file: /tmp/wp/twd/junit.xml -------------------
2023-02-23T14:15:41 ------------- generated html file: file:///tmp/wp/twd/report.html --------------
2023-02-23T14:15:41 ========================= 9 passed in 1711.74 seconds ==========================

Automation passed, hence marking the bug as verified.
Comment 19 errata-xmlrpc 2023-05-09 07:33:20 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2205
Note You need to log in before you can comment on or make changes to this bug.