Bug 868009 - CA did not properly regenerate certs
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: freeipa
Version: 18
Assigned To: Rob Crittenden
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-10-18 17:02 EDT by Jason Montleon
Modified: 2012-10-19 12:55 EDT
Doc Type: Bug Fix
Last Closed: 2012-10-19 12:55:59 EDT
Type: Bug
Description Jason Montleon 2012-10-18 17:02:07 EDT
Description of problem:
Following the steps at:
https://fedoraproject.org/wiki/QA:Testcase_freeipav3_ca_renewal
resulted in broken certs

Version-Release number of selected component (if applicable):
freeipa-server-trust-ad-3.0.0-2.fc18.x86_64
freeipa-client-3.0.0-2.fc18.x86_64
freeipa-server-selinux-3.0.0-2.fc18.x86_64
freeipa-admintools-3.0.0-2.fc18.x86_64
freeipa-server-3.0.0-2.fc18.x86_64
freeipa-python-3.0.0-2.fc18.x86_64

How reproducible:
Always

Steps to Reproduce:
1. ipa-server-install
2. getcert list | grep expires
3. date MMDDhhmmCCYY to 6 days before certs expire
  
Actual results:
	status: CA_UNREACHABLE
	status: CA_UNREACHABLE
	status: CA_UNREACHABLE
	status: CA_UNREACHABLE
	status: CA_UNREACHABLE
	status: CA_UNREACHABLE
	status: CA_UNREACHABLE
	status: CA_UNREACHABLE

Expected results:
Certs regenerate properly

Additional info:
Certs were briefly in the state SUBMITTED but quickly turned to the above.
Comment 1 Rob Crittenden 2012-10-19 09:34:27 EDT
During renewal there should have been a lot of syslog activity. Can you attach /var/log/messages?

Can you also include the output of date and getcert list?
Comment 2 Jason Montleon 2012-10-19 12:35:19 EDT
Rob, looking back at the logs to make sure that I had what you needed, I realized I made a critical error in the steps above. I set the date AFTER the certs expired (I had meant to set the time to ~10am 2014-10-02, and instead set it to ~10am 2024-10-08, which was post expiration).

If you still want /var/log/messages from the run I can provide it, but I suspect doing what I did does some very bad things that would not occur in normal operation. This can probably be closed - I will try it again and do it right this time - if I still encounter errors I will open a new ticket.
Comment 3 Jason Montleon 2012-10-19 12:55:44 EDT
Confirmed - works properly, when you follow the steps properly.
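
The clock mistake described in comment 2 can be caught before running `date`. The following is an added example, not part of the bug report or of FreeIPA: it parses the `expires:` lines of `getcert list`, derives the clock value 6 days before the earliest expiry, and rejects any value at or past expiry. The sample output, its expiry dates, and all function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout `getcert list` prints (not from the report).
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20121018205500':
    status: MONITORING
    expires: 2014-10-08 20:55:00 UTC
Request ID '20121018205630':
    status: MONITORING
    expires: 2014-10-08 20:56:30 UTC
"""

EXPIRES_RE = re.compile(
    r"^\s*expires:\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC\s*$", re.M)


def parse_expiries(getcert_output):
    """Return every 'expires:' timestamp as a timezone-aware UTC datetime."""
    return [datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            for ts in EXPIRES_RE.findall(getcert_output)]


def renewal_test_time(expiries, days_before=6):
    """Clock value for the test: days_before days ahead of the earliest expiry."""
    if not expiries:
        raise ValueError("no 'expires:' lines found in getcert output")
    return min(expiries) - timedelta(days=days_before)


def check_clock(candidate, expiries):
    """Return (ok, margin): ok is False once any tracked cert has expired."""
    margin = min(expiries) - candidate
    return margin > timedelta(0), margin


def date_argument(when):
    """Format a UTC datetime as the MMDDhhmmCCYY argument for `date -u`."""
    return when.astimezone(timezone.utc).strftime("%m%d%H%M%Y")


if __name__ == "__main__":
    expiries = parse_expiries(SAMPLE_GETCERT_LIST)
    target = renewal_test_time(expiries)
    ok, margin = check_clock(target, expiries)
    if not ok:
        raise SystemExit("refusing: target is at or after the earliest expiry")
    print("date -u", date_argument(target), "# margin:", margin)
```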
