
Bug 964130

Summary: ipa cert automatic renew: wrong trust argument assigned to renewed certs
Product: Red Hat Enterprise Linux 6
Component: ipa
Version: 6.5
Reporter: Libor Miksik <lmiksik>
Assignee: Rob Crittenden <rcritten>
QA Contact: Namita Soman <nsoman>
Status: CLOSED ERRATA
Severity: high
Priority: high
CC: dpal, emaldona, jgalipea, mkosek, nalin, nsoman, pm-eus, rcritten, sgoveas, yzhang
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-3.0.0-26.el6_4.3
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-06-13 08:09:45 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 952241

Description Libor Miksik 2013-05-17 10:30:18 UTC
This bug has been copied from bug #952241 and has been proposed
to be backported to 6.4 z-stream (EUS).

Comment 5 Steeve Goveas 2013-05-27 10:31:10 UTC
[root@server1 ~]# certutil -L -d /var/lib/pki-ca/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u

[root@server1 ~]# certutil -L -d /var/lib/pki-ca/alias -n "caSigningCert cert-pki-ca" | grep -i "Not "
            Not Before: Mon May 27 07:37:51 2013
            Not After : Fri May 27 07:37:51 2033
[root@server1 ~]# certutil -L -d /var/lib/pki-ca/alias -n "Server-Cert cert-pki-ca" | grep -i "Not "
            Not Before: Mon May 27 07:37:55 2013
            Not After : Sun May 17 07:37:55 2015
[root@server1 ~]# certutil -L -d /var/lib/pki-ca/alias -n "auditSigningCert cert-pki-ca" | grep -i "Not "
            Not Before: Mon May 27 07:37:56 2013
            Not After : Sun May 17 07:37:56 2015
[root@server1 ~]# certutil -L -d /var/lib/pki-ca/alias -n "ocspSigningCert cert-pki-ca" | grep -i "Not "
            Not Before: Mon May 27 07:37:55 2013
            Not After : Sun May 17 07:37:55 2015
[root@server1 ~]# certutil -L -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" | grep -i "Not "
            Not Before: Mon May 27 07:37:55 2013
            Not After : Sun May 17 07:37:55 2015

[root@server1 ~]# date
Mon May 27 15:43:09 IST 2013

[root@server1 ~]# ipactl stop
Stopping CA Service
Stopping pki-ca: [  OK  ]
Stopping HTTP Service
Stopping httpd: [  OK  ]
Stopping MEMCACHE Service
Stopping ipa_memcached: [  OK  ]
Stopping DNS Service
Stopping named: .[  OK  ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server: [  OK  ]
Stopping KDC Service
Stopping Kerberos 5 KDC: [  OK  ]
Stopping Directory Service
Shutting down dirsrv: 
    IPALAB-QE...[  OK  ]
    PKI-IPA...[  OK  ]

[root@server1 ~]# date -s "May 16 15:43:09 IST 2015"
Sat May 16 15:43:09 IST 2015

[root@server1 ~]# ipactl start
Starting Directory Service
Starting dirsrv: 
    IPALAB-QE...[  OK  ]
    PKI-IPA...[  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC: [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server: [  OK  ]
Starting DNS Service
Starting named: [  OK  ]
Starting MEMCACHE Service
Starting ipa_memcached: [  OK  ]
Starting HTTP Service
Starting httpd: [  OK  ]
Starting CA Service
Starting pki-ca: [  OK  ]

[root@server1 ~]# certutil -L -d /var/lib/pki-ca/alias -n "caSigningCert cert-pki-ca" | grep -i "Not "
            Not Before: Mon May 27 07:37:51 2013
            Not After : Fri May 27 07:37:51 2033

[root@server1 ~]# certutil -L -d /var/lib/pki-ca/alias -n "auditSigningCert cert-pki-ca" | grep -i "Not "
            Not Before: Sat May 16 10:15:14 2015
            Not After : Fri May 05 10:15:14 2017

[root@server1 ~]# certutil -L -d /var/lib/pki-ca/alias -n "ocspSigningCert cert-pki-ca" | grep -i "Not "
            Not Before: Sat May 16 10:14:14 2015
            Not After : Fri May 05 10:14:14 2017
            Not Before: Mon May 27 07:37:55 2013
            Not After : Sun May 17 07:37:55 2015

[root@server1 ~]# certutil -L -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" | grep -i "Not "
            Not Before: Sat May 16 10:14:14 2015
            Not After : Fri May 05 10:14:14 2017

[root@server1 ~]# certutil -L -d /var/lib/pki-ca/alias -n "Server-Cert cert-pki-ca" | grep -i "Not "
            Not Before: Sat May 16 10:14:14 2015
            Not After : Fri May 05 10:14:14 2017

[root@server1 ~]# certutil -L -d /var/lib/pki-ca/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u


[root@server1 ~]# tail -f /var/log/messages
May 16 06:14:04 hp-xw6400-01 named[18197]: client 10.16.65.2#42791: RFC 1918 response from Internet for 76.113.3.10.in-addr.arpa
May 16 06:14:14 hp-xw6400-01 certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/var/lib/pki-ca/alias" will not be valid after 20150517073755.
May 16 06:14:14 hp-xw6400-01 certmonger: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/var/lib/pki-ca/alias" will not be valid after 20150517073756.
May 16 06:14:14 hp-xw6400-01 certmonger: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/var/lib/pki-ca/alias" will not be valid after 20150517073755.
May 16 06:14:14 hp-xw6400-01 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" will not be valid after 20150517073840.
May 16 06:14:14 hp-xw6400-01 certmonger: Certificate named "Server-Cert cert-pki-ca" in token "NSS Certificate DB" in database "/var/lib/pki-ca/alias" will not be valid after 20150517073755.
May 16 06:14:14 hp-xw6400-01 certmonger: Certificate named "Server-Cert" in token "NSS Certificate DB" in database "/etc/dirsrv/slapd-IPALAB-QE" will not be valid after 20150528073905.
May 16 06:14:14 hp-xw6400-01 certmonger: Certificate named "Server-Cert" in token "NSS Certificate DB" in database "/etc/dirsrv/slapd-PKI-IPA" will not be valid after 20150528073947.
May 16 06:14:14 hp-xw6400-01 certmonger: Certificate named "Server-Cert" in token "NSS Certificate DB" in database "/etc/httpd/alias" will not be valid after 20150528074120.
May 16 06:14:17 hp-xw6400-01 certmonger: Certificate named "Server-Cert cert-pki-ca" in token "NSS Certificate DB" in database "/var/lib/pki-ca/alias" issued by CA and saved.
May 16 06:14:19 hp-xw6400-01 python: certmonger stopping pki-cad
May 16 06:14:21 hp-xw6400-01 certmonger: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)).
May 16 06:14:54 hp-xw6400-01 python: Starting pki-cad
May 16 06:14:56 hp-xw6400-01 certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/var/lib/pki-ca/alias" issued by CA and saved.
May 16 06:14:59 hp-xw6400-01 python: certmonger stopping pki-cad
May 16 06:15:34 hp-xw6400-01 python: Updated trust on certificate auditSigningCert cert-pki-ca in /var/lib/pki-ca/alias
May 16 06:15:34 hp-xw6400-01 python: Starting pki-cad
May 16 06:15:36 hp-xw6400-01 certmonger: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/var/lib/pki-ca/alias" issued by CA and saved.
May 16 06:15:42 hp-xw6400-01 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" issued by CA and saved.
May 16 06:15:45 hp-xw6400-01 python: certmonger stopping pki-cad
May 16 06:16:20 hp-xw6400-01 python: Starting pki-cad
May 16 06:16:22 hp-xw6400-01 certmonger: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/var/lib/pki-ca/alias" issued by CA and saved.
May 16 06:16:26 hp-xw6400-01 python: certmonger restarted dirsrv instance 'IPALAB-QE'
May 16 06:16:27 hp-xw6400-01 named[18197]: LDAP error: Can't contact LDAP server
May 16 06:16:27 hp-xw6400-01 named[18197]: connection to the LDAP server was lost
May 16 06:16:27 hp-xw6400-01 named[18197]: bind to LDAP server failed: Can't contact LDAP server
May 16 06:16:27 hp-xw6400-01 named[18197]: ldap_psearch_watcher failed to handle LDAP connection error. Reconnection in 60s
May 16 06:16:30 hp-xw6400-01 certmonger: Certificate named "Server-Cert" in token "NSS Certificate DB" in database "/etc/dirsrv/slapd-IPALAB-QE" issued by CA and saved.
May 16 06:16:35 hp-xw6400-01 python: certmonger restarted httpd
May 16 06:16:37 hp-xw6400-01 certmonger: Certificate named "Server-Cert" in token "NSS Certificate DB" in database "/etc/httpd/alias" issued by CA and saved.

[root@server1 ~]# ipa cert-show 15
  Certificate: MIIDaDCCAlCgAwIBAgIBDzANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKEwlJUEFM[...]
  Subject: CN=OCSP Subsystem,O=IPALAB.QE
  Issuer: CN=Certificate Authority,O=IPALAB.QE
  Not Before: Sat May 16 10:14:14 2015 UTC
  Not After: Fri May 05 10:14:14 2017 UTC
  Fingerprint (MD5): 95:7d:68:09:e2:c8:88:7d:a0:66:32:9b:60:ae:24:3a
  Fingerprint (SHA1): fb:1f:09:8e:a8:34:5d:c4:b5:89:95:bb:a1:fe:ed:b0:c5:63:71:18
  Serial number (hex): 0xF
  Serial number: 15

[root@server1 ~]# tail -20 /var/log/httpd/error_log
[Sat May 16 15:45:41 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat May 16 15:45:42 2015] [notice] Digest: generating secret for digest authentication ...
[Sat May 16 15:45:42 2015] [notice] Digest: done
[Sat May 16 15:45:42 2015] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.14.0.0 Basic ECC mod_wsgi/3.2 Python/2.6.6 configured -- resuming normal operations
[Sat May 16 15:45:44 2015] [error] ipa: INFO: *** PROCESS START ***
[Sat May 16 15:45:44 2015] [error] ipa: INFO: *** PROCESS START ***
[Sat May 16 15:46:35 2015] [notice] caught SIGTERM, shutting down
[Sat May 16 15:46:36 2015] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Sat May 16 15:46:36 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat May 16 15:46:37 2015] [notice] Digest: generating secret for digest authentication ...
[Sat May 16 15:46:37 2015] [notice] Digest: done
[Sat May 16 15:46:37 2015] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.14.0.0 Basic ECC mod_wsgi/3.2 Python/2.6.6 configured -- resuming normal operations
[Sat May 16 15:46:39 2015] [error] ipa: INFO: *** PROCESS START ***
[Sat May 16 15:46:39 2015] [error] ipa: INFO: *** PROCESS START ***
[Sat May 16 15:51:19 2015] [error] ipa: INFO: request 'http://server1.ipalab.qe:80/ca/ee/ca/checkRequest'
[Sat May 16 15:51:19 2015] [error] ipa: INFO: admin: cert_status(u'1'): SUCCESS
[Sat May 16 15:51:25 2015] [error] ipa: INFO: request 'http://server1.ipalab.qe:80/ca/ee/ca/checkRequest'
[Sat May 16 15:51:25 2015] [error] ipa: INFO: admin: cert_status(u'2'): SUCCESS
[Sat May 16 15:51:41 2015] [error] ipa: INFO: admin: cert_show(u'5'): SUCCESS
[Sat May 16 15:54:40 2015] [error] ipa: INFO: admin: cert_show(u'15'): SUCCESS

Verified in version 
[root@server1 ~]# rpm -q ipa-server
ipa-server-3.0.0-26.el6_4.4.x86_64
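
A check that encodes what the comment above verifies by eye: after certmonger has renewed the Dogtag subsystem certificates, every nickname in /var/lib/pki-ca/alias must still carry the trust attributes it had before renewal (in particular "auditSigningCert cert-pki-ca" keeps u,u,Pu and "caSigningCert cert-pki-ca" keeps CTu,Cu,Cu), and a nickname that now appears twice is the old and the renewed certificate sharing a slot, as the duplicated "ocspSigningCert cert-pki-ca" rows show. This is an added example, not code from the bug report, IPA or certmonger. The expected trust map is copied from the first certutil -L listing in the comment, the sample listings are constructed from that output (the mismatching one is a hypothetical input for exercising the check, not output from the unfixed package), and check_nss_db simply shells out to certutil -L -d.

```python
"""Verify NSS database trust attributes after a certmonger renewal.

Parses the output of `certutil -L -d <dbdir>` and compares each nickname's
trust attributes (SSL,S/MIME,JAR/XPI) with an expected map.
"""
import re
import subprocess
from collections import defaultdict

# Expected trust attributes, taken from the pre-renewal listing in the comment.
EXPECTED_TRUST = {
    "caSigningCert cert-pki-ca": "CTu,Cu,Cu",
    "Server-Cert cert-pki-ca": "u,u,u",
    "auditSigningCert cert-pki-ca": "u,u,Pu",
    "ocspSigningCert cert-pki-ca": "u,u,u",
    "subsystemCert cert-pki-ca": "u,u,u",
}

# A certutil -L entry is "<nickname>  <at least two spaces>  <trust>"; the
# header lines are skipped because "Trust Attributes" is not a trust string and
# the "SSL,S/MIME,JAR/XPI" line starts with whitespace.
_ENTRY_RE = re.compile(
    r"^(?P<nick>\S.*?\S)\s{2,}"
    r"(?P<trust>[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)\s*$"
)

# Constructed from the post-renewal listing in the comment. Note the two
# "ocspSigningCert cert-pki-ca" rows: old and renewed certificate share a nickname.
SAMPLE_OK = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u
"""

# Hypothetical mismatch for exercising the check (not output from the bug):
# the audit signing cert has lost its object-signing trust flag.
SAMPLE_BAD = SAMPLE_OK.replace("u,u,Pu", "u,u,u")


def parse_certutil_listing(text):
    """Return [(nickname, trust), ...] in listing order, duplicates kept."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            entries.append((m.group("nick"), m.group("trust")))
    return entries


def duplicate_nicknames(entries):
    """Map nickname -> count for nicknames that occur more than once."""
    counts = defaultdict(int)
    for nick, _trust in entries:
        counts[nick] += 1
    return {nick: n for nick, n in counts.items() if n > 1}


def check_trust(entries, expected=EXPECTED_TRUST):
    """Return a list of problem strings; an empty list means the DB matches."""
    problems = []
    seen = defaultdict(list)
    for nick, trust in entries:
        seen[nick].append(trust)
    for nick, want in expected.items():
        if nick not in seen:
            problems.append(f"missing: {nick}")
            continue
        # Every copy of a nickname (old and renewed) must carry the same trust.
        for got in seen[nick]:
            if got != want:
                problems.append(f"wrong trust on {nick}: got {got}, want {want}")
    for nick in seen:
        if nick not in expected:
            problems.append(f"unexpected nickname: {nick}")
    return problems


def check_nss_db(dbdir):
    """Run certutil against a live database (needs nss-tools on the host)."""
    out = subprocess.run(["certutil", "-L", "-d", dbdir], check=True,
                         capture_output=True, text=True).stdout
    entries = parse_certutil_listing(out)
    return check_trust(entries), duplicate_nicknames(entries)


if __name__ == "__main__":
    for label, listing in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        entries = parse_certutil_listing(listing)
        print(label, "problems:", check_trust(entries),
              "duplicates:", duplicate_nicknames(entries))
```

On a live server, call check_nss_db("/var/lib/pki-ca/alias") as root after the renewals reported in /var/log/messages have completed; a non-empty problem list means a renewed certificate was written back with different trust flags than the one it replaced, while the duplicate map only reports the expired copies that still sit beside their replacements.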

Comment 7 errata-xmlrpc 2013-06-13 08:09:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0945.html