Description of problem:
We had a few reports where users had a hardware failure (or suspended testing IPA, or certmonger failed and was not restarted) and when they were able to put an IPA server back online the certs were expired.
In this case we currently fail to start completely as DS refuses to start with expired tickets. This means that also the whole DNS and authentication infrastructure fails to operate.
This is not acceptable. Although running with expired certs is really bad, not being able to start basic network and auth infrastructure is much worse.
It is ok not to allow SSL connection to LDAP at all as long as DS comes up at least for port 389 and works with LDAP+GSSAPI protection (which is used by clients like SSSD, the DNS server and replication).
See the ticket for links to other related BZ.
Tickets we depend on were put to MODIFIED too.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.
Cause: If the 389-ds certificate has expired the IPA services will not start.
Consequence: Without 389-ds it is not possible to renew a certificate.
Fix: 389-ds added new options to control how it reacts to an expired certificate. The default is to warn and start.
Result: This provides a degraded operations mode where the certificate can be renewed.
1. The 389-ds issue has been marked as "VERIFIED" - https://bugzilla.redhat.com/show_bug.cgi?id=728592.
2. The certificate validity period is now set to 2 years.
[root@decepticons ~]# date
Mon Nov 7 10:33:47 IST 2011
[root@decepticons ~]# ipa-getcert list
Number of certificates and requests being tracked: 3.
Request ID '20111107044914':
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-LAB-ENG-PNQ-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-LAB-ENG-PNQ-REDHAT-COM//pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-LAB-ENG-PNQ-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB'
issuer: CN=Certificate Authority,O=LAB.ENG.PNQ.REDHAT.COM
expires: 2013-11-07 04:49:13 UTC <<<<<<<<<<<<
3. ipa-server now depends on 389-ds-base 126.96.36.199-1.el6
Package Arch Version Repository Size
ipa-server x86_64 2.1.3-8.el6 beaker-Server 977 k
Installing for dependencies:
389-ds-base x86_64 188.8.131.52-1.el6 beaker-Server 1.4 M
389-ds-base-libs x86_64 184.108.40.206-1.el6 beaker-Server 361 k
Hence, marking this as VERIFIED.
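The outage described in this bug (certmonger stopped or the box was down long enough for the 389-ds certificate to lapse) is easy to catch in advance if something looks at the expiry dates certmonger already knows about. The following is an added example, not code from this bug report or from the IPA / certmonger projects: it parses text in the format of the `ipa-getcert list` output quoted above, classifies every tracked certificate as expired, expiring within a warning window, or ok, and exits non-zero when action is needed so it can run from cron or a monitoring agent. The sample output is constructed (the second request, with an already-expired certificate, is invented to exercise the expired branch), and the reference time used in the sample run is an assumption.

```python
"""Flag certmonger-tracked certificates that have expired or are about to.

Added example (not part of the bug report or of IPA/certmonger): parses the
text format of `ipa-getcert list` and reports per-certificate status.
"""
import math
import re
import subprocess
import sys
from datetime import datetime, timezone

# Constructed sample in the shape of the `ipa-getcert list` output quoted in
# the bug; the second request is invented to show an expired certificate.
SAMPLE_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20111107044914':
\tstatus: MONITORING
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-LAB-ENG-PNQ-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-LAB-ENG-PNQ-REDHAT-COM//pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-LAB-ENG-PNQ-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tissuer: CN=Certificate Authority,O=LAB.ENG.PNQ.REDHAT.COM
\texpires: 2013-11-07 04:49:13 UTC
Request ID '20101101120000':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tissuer: CN=Certificate Authority,O=LAB.ENG.PNQ.REDHAT.COM
\texpires: 2011-11-01 12:00:00 UTC
"""

# Assumed reference time for the sample run (UTC, close to the date in the bug).
SAMPLE_NOW = datetime(2011, 11, 7, 10, 33, 47, tzinfo=timezone.utc)

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':")
FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+):\s*(?P<value>.*)$")
NICK_RE = re.compile(r"nickname='([^']*)'")
LOC_RE = re.compile(r"location='([^']*)'")


def parse_expiry(value):
    """ipa-getcert prints the expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def parse_getcert_output(text):
    """Return one dict per 'Request ID' block with nickname, location and expiry."""
    certs, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group("id"), "nickname": None,
                       "location": None, "expires": None}
            certs.append(current)
            continue
        if current is None:
            continue  # header line before the first request block
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group("key").strip(), m.group("value").strip()
        if key == "certificate":
            nick, loc = NICK_RE.search(value), LOC_RE.search(value)
            current["nickname"] = nick.group(1) if nick else None
            current["location"] = loc.group(1) if loc else None
        elif key == "expires":
            current["expires"] = parse_expiry(value)
    return certs


def classify(certs, now, warn_days=30):
    """Attach days_left and a status of expired / expiring / ok / unknown."""
    report = []
    for cert in certs:
        entry = dict(cert)
        if cert["expires"] is None:
            entry["days_left"], entry["status"] = None, "unknown"
        else:
            days = math.floor((cert["expires"] - now).total_seconds() / 86400)
            entry["days_left"] = days
            entry["status"] = "expired" if days < 0 else ("expiring" if days <= warn_days else "ok")
        report.append(entry)
    return report


def needs_action(report):
    """True when any tracked certificate is expired, expiring or unparseable."""
    return any(e["status"] != "ok" for e in report)


if __name__ == "__main__":
    # Live run: ask certmonger on this host; fall back to exit code 2 if it is not running.
    try:
        output = subprocess.run(["ipa-getcert", "list"], capture_output=True,
                                text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError) as exc:
        print(f"cannot query certmonger: {exc}", file=sys.stderr)
        sys.exit(2)
    report = classify(parse_getcert_output(output), datetime.now(timezone.utc))
    for e in report:
        print(f"{e['status']:9} {e['days_left']!s:>6}d  {e['location']}:{e['nickname']}")
    sys.exit(1 if needs_action(report) else 0)
```

Because the check reads certmonger's own view of each tracked certificate, it also surfaces the case from the bug where certmonger itself is not running (the command fails and the script exits 2), which is the moment to restart it, well before the 389-ds certificate reaches its end date.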
# rpm -qi ipa-server | head
Name : ipa-server Relocations: (not relocatable)
Version : 2.1.3 Vendor: Red Hat, Inc.
Release : 8.el6 Build Date: Wed 02 Nov 2011 03:21:27 AM IST
Install Date: Thu 03 Nov 2011 10:13:53 AM IST Build Host: x86-012.build.bos.redhat.com
Group : System Environment/Base Source RPM: ipa-2.1.3-8.el6.src.rpm
Size : 3381421 License: GPLv3+
Signature : (none)
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL : http://www.freeipa.org/
Summary : The IPA authentication server
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.