Red Hat Bugzilla – Bug 728950
IPA should start even if certs are expired
Last modified: 2015-01-04 18:50:25 EST
Description of problem:

From Simo:

We had a few reports where users had a hardware failure (or suspended testing IPA, or certmonger failed and was not restarted) and when they were able to put an IPA server back online the certs were expired. In this case we currently fail to start completely as DS refuses to start with expired tickets. This means that also the whole DNS and authentication infrastructure fails to operate. This is not acceptable.

Although running with expired certs is really bad, not being able to start basic network and auth infrastructure is much worse. It is ok not to allow SSL connection to LDAP at all as long as DS comes up at least for port 389 and works with LDAP+GSSAPI protection (which is used by clients like SSSD, the DNS server and replication).
https://fedorahosted.org/freeipa/ticket/1576 See the ticket for links to other related BZ.
Fixed upstream:
master: f59e8145fa0ee131aafa1ce58e4ac729240e3418
ipa-2-1: 01dcfe4b3e303f59c04deb0f5f1e4c85cee69df3

Tickets we depend on were put to MODIFIED too.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: If the 389-ds certificate has expired the IPA services will not start.
Consequence: Without 389-ds it is not possible to renew a certificate.
Fix: 389-ds added new options to control how it reacts to an expired certificate. The default is to warn and start.
Result: This provides a degraded operations mode where the certificate can be renewed.
1. The 389-ds issue has been marked as "VERIFIED" - https://bugzilla.redhat.com/show_bug.cgi?id=728592. "nsslapd-validate-cert: warn"

2. The certificate validity period is now set to 2 years.

[root@decepticons ~]# date
Mon Nov 7 10:33:47 IST 2011
[root@decepticons ~]#
[root@decepticons ~]# ipa-getcert list
Number of certificates and requests being tracked: 3.
Request ID '20111107044914':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-LAB-ENG-PNQ-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-LAB-ENG-PNQ-REDHAT-COM//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-LAB-ENG-PNQ-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=LAB.ENG.PNQ.REDHAT.COM
        subject: CN=decepticons.lab.eng.pnq.redhat.com,O=LAB.ENG.PNQ.REDHAT.COM
        expires: 2013-11-07 04:49:13 UTC   <<<<<<<<<<<<

3. ipa-server now depends on 389-ds-base 1.2.9.13-1.el6

Dependencies Resolved

================================================================================
 Package              Arch      Version             Repository       Size
================================================================================
Installing:
 ipa-server           x86_64    2.1.3-8.el6         beaker-Server    977 k
Installing for dependencies:
 389-ds-base          x86_64    1.2.9.13-1.el6      beaker-Server    1.4 M
 389-ds-base-libs     x86_64    1.2.9.13-1.el6      beaker-Server    361 k

Hence, marking this as VERIFIED.

# rpm -qi ipa-server | head
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.3                        Vendor: Red Hat, Inc.
Release     : 8.el6                        Build Date: Wed 02 Nov 2011 03:21:27 AM IST
Install Date: Thu 03 Nov 2011 10:13:53 AM IST      Build Host: x86-012.build.bos.redhat.com
Group       : System Environment/Base      Source RPM: ipa-2.1.3-8.el6.src.rpm
Size        : 3381421                      License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
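As an added example (not part of this bug report, certmonger or the IPA project), a small check that parses `ipa-getcert list` output in the layout shown in the comment above and flags certificates that are already expired, stuck in certmonger (the "certmonger failed and was not restarted" case from the description), or close to expiry, so the condition is caught before 389-ds has to fall back on `nsslapd-validate-cert: warn`. The sample output, hostname and realm are constructed; the 30-day warning window is an assumed threshold.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of `ipa-getcert list`; realm and host names are placeholders.
SAMPLE_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20111107044914':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
        subject: CN=ipa.example.com,O=EXAMPLE.COM
        expires: 2013-11-07 04:49:13 UTC
Request ID '20111107044950':
        status: CA_UNREACHABLE
        stuck: yes
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        subject: CN=ipa.example.com,O=EXAMPLE.COM
        expires: 2011-11-20 00:00:00 UTC
"""
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"  # certmonger prints the expiry in UTC

def parse_getcert_list(text):
    """One dict per 'Request ID' block; each indented 'key: value' line becomes a field."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and ":" in line:
            key, _, value = line.strip().partition(":")
            requests[-1][key.strip()] = value.strip()
    return requests

def classify(req, now, warn_days=30):
    """EXPIRED if 'expires' is already in the past; STUCK if certmonger reports it cannot
    renew (so expiry will not be averted); EXPIRING inside warn_days; otherwise OK."""
    expires = datetime.strptime(req["expires"], EXPIRES_FMT).replace(tzinfo=timezone.utc)
    if expires <= now:
        return "EXPIRED"
    if req.get("stuck") == "yes":
        return "STUCK"
    if expires - now <= timedelta(days=warn_days):
        return "EXPIRING"
    return "OK"

def report(text, now):
    """Map request id -> classification for every tracked certificate."""
    return {r["id"]: classify(r, now) for r in parse_getcert_list(text)}
```

Feeding it live output (`ipa-getcert list` piped into `report(sys.stdin.read(), datetime.now(timezone.utc))`) from a cron job gives a renewal alarm independent of certmonger's own state.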
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2011-1533.html