Bug 728950 - IPA should start even if certs are expired
Summary: IPA should start even if certs are expired
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.1
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On: 728592 733440
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-08-08 13:13 UTC by Jenny Severance
Modified: 2015-01-04 23:50 UTC (History)
4 users (show)

Fixed In Version: ipa-2.1.1-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: If the 389-ds certificate has expired the IPA services will not start. Consequence: Without 389-ds it is not possible to renew a certificate. Fix: 389-ds added new options to control how it reacts to an expired certificate. The default is to warn and start. Result: This provides a degraded operations mode where the certificate can be renewed.
Clone Of:
Environment:
Last Closed: 2011-12-06 18:29:30 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1533 normal SHIPPED_LIVE Moderate: ipa security and bug fix update 2011-12-06 01:23:31 UTC

Description Jenny Severance 2011-08-08 13:13:05 UTC
Description of problem:

From Simo:

We had a few reports where users had a hardware failure (or suspended testing IPA, or certmonger failed and was not restarted) and when they were able to put an IPA server back online the certs were expired.

In this case we currently fail to start completely as DS refuses to start with expired tickets. This means that also the whole DNS and authentication infrastructure fails to operate,

This is not acceptable. Although running with expired certs is really bad. Not being able to start basic network and auth infrastructure is much worse.

It is ok not to allow SSL connection to LDAP at all as long as DS comes up at least for port 389 and works with LDAP+GSSAPI protection (which is used by clients like SSSD, the DNS server and replication). 


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Dmitri Pal 2011-08-08 21:42:39 UTC
https://fedorahosted.org/freeipa/ticket/1576

See the ticket for links to other related BZ.

Comment 2 Martin Kosek 2011-09-01 06:41:26 UTC
Fixed upstream:

master:f59e8145fa0ee131aafa1ce58e4ac729240e3418
ipa-2-1: 01dcfe4b3e303f59c04deb0f5f1e4c85cee69df3

Tickets we depend on were put to MODIFIED too.

Comment 4 Rob Crittenden 2011-11-01 01:24:38 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: If the 389-ds certificate has expired the IPA services will not start.
Consequence: Without 389-ds it is not possible to renew a certificate.
Fix: 389-ds added new options to control how it reacts to an expired certificate. The default is to warn and start.
Result: This provides a degraded operations mode where the certificate can be renewed.

Comment 5 Gowrishankar Rajaiyan 2011-11-07 05:14:33 UTC
1. The 389-ds issue has been marked as "VERIFIED" - https://bugzilla.redhat.com/show_bug.cgi?id=728592.

"nsslapd-validate-cert: warn"


2. The certificate validity period is now set to 2 years. 

[root@decepticons ~]# date
Mon Nov  7 10:33:47 IST 2011
[root@decepticons ~]# 


[root@decepticons ~]# ipa-getcert list
Number of certificates and requests being tracked: 3.
Request ID '20111107044914':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-LAB-ENG-PNQ-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-LAB-ENG-PNQ-REDHAT-COM//pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-LAB-ENG-PNQ-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=LAB.ENG.PNQ.REDHAT.COM
	subject: CN=decepticons.lab.eng.pnq.redhat.com,O=LAB.ENG.PNQ.REDHAT.COM
	expires: 2013-11-07 04:49:13 UTC      <<<<<<<<<<<<

3. ipa-server now depends on 389-ds-base 1.2.9.13-1.el6

Dependencies Resolved

=====================================================================================================================================================================
 Package                                         Arch                       Version                                          Repository                         Size
=====================================================================================================================================================================
Installing:
 ipa-server                                      x86_64                     2.1.3-8.el6                                      beaker-Server                     977 k
Installing for dependencies:
 389-ds-base                                     x86_64                     1.2.9.13-1.el6                                   beaker-Server                     1.4 M
 389-ds-base-libs                                x86_64                     1.2.9.13-1.el6                                   beaker-Server                     361 k


Hence, marking this as VERIFIED.


# rpm -qi ipa-server | head
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.3                             Vendor: Red Hat, Inc.
Release     : 8.el6                         Build Date: Wed 02 Nov 2011 03:21:27 AM IST
Install Date: Thu 03 Nov 2011 10:13:53 AM IST      Build Host: x86-012.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.3-8.el6.src.rpm
Size        : 3381421                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server

Comment 6 errata-xmlrpc 2011-12-06 18:29:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html


Note You need to log in before you can comment on or make changes to this bug.