Bug 964130 - ipa cert automatic renew: wrong trust argument assigned to renewed certs
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.5
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Rob Crittenden
QA Contact: Namita Soman
Keywords: ZStream
Depends On: 952241
Reported: 2013-05-17 06:30 EDT by Libor Miksik
Modified: 2014-02-20 10:24 EST (History)

Fixed In Version: ipa-3.0.0-26.el6_4.3
Doc Type: Bug Fix
Last Closed: 2013-06-13 04:09:45 EDT

Attachments: None
Description Libor Miksik 2013-05-17 06:30:18 EDT
This bug has been copied from bug #952241 and has been proposed
to be backported to 6.4 z-stream (EUS).
Comment 5 Steeve Goveas 2013-05-27 06:31:10 EDT
[root@server1 ~]# certutil -L -d /var/lib/pki-ca/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u

[root@server1 ~]# certutil -L -d /var/lib/pki-ca/alias -n "caSigningCert cert-pki-ca" | grep -i "Not "
            Not Before: Mon May 27 07:37:51 2013
            Not After : Fri May 27 07:37:51 2033
[root@server1 ~]# certutil -L -d /var/lib/pki-ca/alias -n "Server-Cert cert-pki-ca" | grep -i "Not "
            Not Before: Mon May 27 07:37:55 2013
            Not After : Sun May 17 07:37:55 2015
[root@server1 ~]# certutil -L -d /var/lib/pki-ca/alias -n "auditSigningCert cert-pki-ca" | grep -i "Not "
            Not Before: Mon May 27 07:37:56 2013
            Not After : Sun May 17 07:37:56 2015
[root@server1 ~]# certutil -L -d /var/lib/pki-ca/alias -n "ocspSigningCert cert-pki-ca" | grep -i "Not "
            Not Before: Mon May 27 07:37:55 2013
            Not After : Sun May 17 07:37:55 2015
[root@server1 ~]# certutil -L -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" | grep -i "Not "
            Not Before: Mon May 27 07:37:55 2013
            Not After : Sun May 17 07:37:55 2015

[root@server1 ~]# date
Mon May 27 15:43:09 IST 2013

[root@server1 ~]# ipactl stop
Stopping CA Service
Stopping pki-ca: [  OK  ]
Stopping HTTP Service
Stopping httpd: [  OK  ]
Stopping MEMCACHE Service
Stopping ipa_memcached: [  OK  ]
Stopping DNS Service
Stopping named: .[  OK  ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server: [  OK  ]
Stopping KDC Service
Stopping Kerberos 5 KDC: [  OK  ]
Stopping Directory Service
Shutting down dirsrv: 
    IPALAB-QE...[  OK  ]
    PKI-IPA...[  OK  ]

[root@server1 ~]# date -s "May 16 15:43:09 IST 2015"
Sat May 16 15:43:09 IST 2015

[root@server1 ~]# ipactl start
Starting Directory Service
Starting dirsrv: 
    IPALAB-QE...[  OK  ]
    PKI-IPA...[  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC: [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server: [  OK  ]
Starting DNS Service
Starting named: [  OK  ]
Starting MEMCACHE Service
Starting ipa_memcached: [  OK  ]
Starting HTTP Service
Starting httpd: [  OK  ]
Starting CA Service
Starting pki-ca: [  OK  ]

[root@server1 ~]# certutil -L -d /var/lib/pki-ca/alias -n "caSigningCert cert-pki-ca" | grep -i "Not "
            Not Before: Mon May 27 07:37:51 2013
            Not After : Fri May 27 07:37:51 2033

[root@server1 ~]# certutil -L -d /var/lib/pki-ca/alias -n "auditSigningCert cert-pki-ca" | grep -i "Not "
            Not Before: Sat May 16 10:15:14 2015
            Not After : Fri May 05 10:15:14 2017

[root@server1 ~]# certutil -L -d /var/lib/pki-ca/alias -n "ocspSigningCert cert-pki-ca" | grep -i "Not "
            Not Before: Sat May 16 10:14:14 2015
            Not After : Fri May 05 10:14:14 2017
            Not Before: Mon May 27 07:37:55 2013
            Not After : Sun May 17 07:37:55 2015

[root@server1 ~]# certutil -L -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" | grep -i "Not "
            Not Before: Sat May 16 10:14:14 2015
            Not After : Fri May 05 10:14:14 2017

[root@server1 ~]# certutil -L -d /var/lib/pki-ca/alias -n "Server-Cert cert-pki-ca" | grep -i "Not "
            Not Before: Sat May 16 10:14:14 2015
            Not After : Fri May 05 10:14:14 2017

[root@server1 ~]# certutil -L -d /var/lib/pki-ca/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u


[root@server1 ~]# tail -f /var/log/messages
May 16 06:14:04 hp-xw6400-01 named[18197]: client 10.16.65.2#42791: RFC 1918 response from Internet for 76.113.3.10.in-addr.arpa
May 16 06:14:14 hp-xw6400-01 certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/var/lib/pki-ca/alias" will not be valid after 20150517073755.
May 16 06:14:14 hp-xw6400-01 certmonger: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/var/lib/pki-ca/alias" will not be valid after 20150517073756.
May 16 06:14:14 hp-xw6400-01 certmonger: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/var/lib/pki-ca/alias" will not be valid after 20150517073755.
May 16 06:14:14 hp-xw6400-01 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" will not be valid after 20150517073840.
May 16 06:14:14 hp-xw6400-01 certmonger: Certificate named "Server-Cert cert-pki-ca" in token "NSS Certificate DB" in database "/var/lib/pki-ca/alias" will not be valid after 20150517073755.
May 16 06:14:14 hp-xw6400-01 certmonger: Certificate named "Server-Cert" in token "NSS Certificate DB" in database "/etc/dirsrv/slapd-IPALAB-QE" will not be valid after 20150528073905.
May 16 06:14:14 hp-xw6400-01 certmonger: Certificate named "Server-Cert" in token "NSS Certificate DB" in database "/etc/dirsrv/slapd-PKI-IPA" will not be valid after 20150528073947.
May 16 06:14:14 hp-xw6400-01 certmonger: Certificate named "Server-Cert" in token "NSS Certificate DB" in database "/etc/httpd/alias" will not be valid after 20150528074120.
May 16 06:14:17 hp-xw6400-01 certmonger: Certificate named "Server-Cert cert-pki-ca" in token "NSS Certificate DB" in database "/var/lib/pki-ca/alias" issued by CA and saved.
May 16 06:14:19 hp-xw6400-01 python: certmonger stopping pki-cad
May 16 06:14:21 hp-xw6400-01 certmonger: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)).
May 16 06:14:54 hp-xw6400-01 python: Starting pki-cad
May 16 06:14:56 hp-xw6400-01 certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/var/lib/pki-ca/alias" issued by CA and saved.
May 16 06:14:59 hp-xw6400-01 python: certmonger stopping pki-cad
May 16 06:15:34 hp-xw6400-01 python: Updated trust on certificate auditSigningCert cert-pki-ca in /var/lib/pki-ca/alias
May 16 06:15:34 hp-xw6400-01 python: Starting pki-cad
May 16 06:15:36 hp-xw6400-01 certmonger: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/var/lib/pki-ca/alias" issued by CA and saved.
May 16 06:15:42 hp-xw6400-01 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" issued by CA and saved.
May 16 06:15:45 hp-xw6400-01 python: certmonger stopping pki-cad
May 16 06:16:20 hp-xw6400-01 python: Starting pki-cad
May 16 06:16:22 hp-xw6400-01 certmonger: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/var/lib/pki-ca/alias" issued by CA and saved.
May 16 06:16:26 hp-xw6400-01 python: certmonger restarted dirsrv instance 'IPALAB-QE'
May 16 06:16:27 hp-xw6400-01 named[18197]: LDAP error: Can't contact LDAP server
May 16 06:16:27 hp-xw6400-01 named[18197]: connection to the LDAP server was lost
May 16 06:16:27 hp-xw6400-01 named[18197]: bind to LDAP server failed: Can't contact LDAP server
May 16 06:16:27 hp-xw6400-01 named[18197]: ldap_psearch_watcher failed to handle LDAP connection error. Reconnection in 60s
May 16 06:16:30 hp-xw6400-01 certmonger: Certificate named "Server-Cert" in token "NSS Certificate DB" in database "/etc/dirsrv/slapd-IPALAB-QE" issued by CA and saved.
May 16 06:16:35 hp-xw6400-01 python: certmonger restarted httpd
May 16 06:16:37 hp-xw6400-01 certmonger: Certificate named "Server-Cert" in token "NSS Certificate DB" in database "/etc/httpd/alias" issued by CA and saved.

[root@server1 ~]# ipa cert-show 15
  Certificate: MIIDaDCCAlCgAwIBAgIBDzANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKEwlJUEFM...
  Subject: CN=OCSP Subsystem,O=IPALAB.QE
  Issuer: CN=Certificate Authority,O=IPALAB.QE
  Not Before: Sat May 16 10:14:14 2015 UTC
  Not After: Fri May 05 10:14:14 2017 UTC
  Fingerprint (MD5): 95:7d:68:09:e2:c8:88:7d:a0:66:32:9b:60:ae:24:3a
  Fingerprint (SHA1): fb:1f:09:8e:a8:34:5d:c4:b5:89:95:bb:a1:fe:ed:b0:c5:63:71:18
  Serial number (hex): 0xF
  Serial number: 15

[root@server1 ~]# tail -20 /var/log/httpd/error_log
[Sat May 16 15:45:41 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat May 16 15:45:42 2015] [notice] Digest: generating secret for digest authentication ...
[Sat May 16 15:45:42 2015] [notice] Digest: done
[Sat May 16 15:45:42 2015] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.14.0.0 Basic ECC mod_wsgi/3.2 Python/2.6.6 configured -- resuming normal operations
[Sat May 16 15:45:44 2015] [error] ipa: INFO: *** PROCESS START ***
[Sat May 16 15:45:44 2015] [error] ipa: INFO: *** PROCESS START ***
[Sat May 16 15:46:35 2015] [notice] caught SIGTERM, shutting down
[Sat May 16 15:46:36 2015] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Sat May 16 15:46:36 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat May 16 15:46:37 2015] [notice] Digest: generating secret for digest authentication ...
[Sat May 16 15:46:37 2015] [notice] Digest: done
[Sat May 16 15:46:37 2015] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.14.0.0 Basic ECC mod_wsgi/3.2 Python/2.6.6 configured -- resuming normal operations
[Sat May 16 15:46:39 2015] [error] ipa: INFO: *** PROCESS START ***
[Sat May 16 15:46:39 2015] [error] ipa: INFO: *** PROCESS START ***
[Sat May 16 15:51:19 2015] [error] ipa: INFO: request 'http://server1.ipalab.qe:80/ca/ee/ca/checkRequest'
[Sat May 16 15:51:19 2015] [error] ipa: INFO: admin@IPALAB.QE: cert_status(u'1'): SUCCESS
[Sat May 16 15:51:25 2015] [error] ipa: INFO: request 'http://server1.ipalab.qe:80/ca/ee/ca/checkRequest'
[Sat May 16 15:51:25 2015] [error] ipa: INFO: admin@IPALAB.QE: cert_status(u'2'): SUCCESS
[Sat May 16 15:51:41 2015] [error] ipa: INFO: admin@IPALAB.QE: cert_show(u'5'): SUCCESS
[Sat May 16 15:54:40 2015] [error] ipa: INFO: admin@IPALAB.QE: cert_show(u'15'): SUCCESS

Verified in version 
[root@server1 ~]# rpm -q ipa-server
ipa-server-3.0.0-26.el6_4.4.x86_64
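The verification above boils down to two checks on /var/lib/pki-ca/alias after certmonger has renewed the CA subsystem certificates: every nickname still carries the trust flags it had before renewal (caSigningCert CTu,Cu,Cu; auditSigningCert u,u,Pu; the rest u,u,u), and the "Not After" dates have moved forward. The script below is an added example and is not part of IPA, certmonger, or the reporter's procedure. It parses `certutil -L` output and the `Not After` line from `certutil -L -n`, compares trust flags against an expected table copied from the pre-renewal listing in Comment 5, and also reports a nickname that appears twice (as ocspSigningCert does in the post-renewal listing). The two embedded listings are constructed sample input: SAMPLE_OK reproduces the pre-renewal listing from this comment, and SAMPLE_BAD is a hypothetical deviation (audit cert without its P flag, OCSP cert stored twice) that illustrates what the check flags, not the exact output this bug produced. `check_database()` assumes certutil is on PATH and the caller can read the NSS database.

```python
"""Check trust flags and validity of the IPA CA's NSS certificates after
certmonger renewal.  Added example for this bug page; not IPA's own code."""
import re
import subprocess
from collections import Counter
from datetime import datetime

# Expected SSL,S/MIME,JAR/XPI trust flags per nickname, copied from the
# pre-renewal `certutil -L -d /var/lib/pki-ca/alias` listing in Comment 5.
EXPECTED_TRUST = {
    "caSigningCert cert-pki-ca": "CTu,Cu,Cu",
    "Server-Cert cert-pki-ca": "u,u,u",
    "auditSigningCert cert-pki-ca": "u,u,Pu",
    "ocspSigningCert cert-pki-ca": "u,u,u",
    "subsystemCert cert-pki-ca": "u,u,u",
}

# One listing row: nickname, two or more spaces, three comma-separated flag sets.
ROW_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")
# Validity line as printed by `certutil -L -n <nick>` (and by `ipa cert-show`).
NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_listing(text):
    """Return [(nickname, trust), ...] from `certutil -L` output.
    A list rather than a dict, so a nickname stored twice is not hidden."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((m.group("nick"), m.group("trust")))
    return rows


def check_trust(rows, expected=EXPECTED_TRUST):
    """Return problem strings (duplicates, wrong flags, missing certs); [] means OK."""
    problems = []
    counts = Counter(nick for nick, _ in rows)
    for nick in sorted(counts):
        if counts[nick] > 1:
            problems.append("duplicate nickname %r (%d entries)" % (nick, counts[nick]))
    for nick, trust in rows:
        want = expected.get(nick)
        if want is not None and trust != want:
            problems.append("%s: trust %s, expected %s" % (nick, trust, want))
    for nick in expected:
        if nick not in counts:
            problems.append("%s: missing from database" % nick)
    return problems


def parse_not_after(cert_text):
    """Parse the 'Not After' timestamp, e.g. 'Sun May 17 07:37:55 2015' (optional ' UTC')."""
    m = NOT_AFTER_RE.search(cert_text)
    if not m:
        raise ValueError("no 'Not After' line found")
    ts = m.group(1)
    if ts.endswith(" UTC"):
        ts = ts[:-4]
    return datetime.strptime(ts, "%a %b %d %H:%M:%S %Y")


def days_until_expiry(cert_text, now):
    """Whole days left before the certificate described by cert_text expires."""
    return (parse_not_after(cert_text) - now).days


def check_database(dbdir="/var/lib/pki-ca/alias"):
    """Run the trust check against a live NSS database (assumes certutil on PATH, root)."""
    out = subprocess.check_output(["certutil", "-L", "-d", dbdir]).decode()
    return check_trust(parse_listing(out))


# Constructed sample: the pre-renewal listing from Comment 5.
SAMPLE_OK = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
"""
# Constructed, hypothetical bad listing: audit cert lost its P flag, OCSP cert stored twice.
SAMPLE_BAD = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
auditSigningCert cert-pki-ca                                 u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u
"""
# Validity lines as grepped in Comment 5, and the clock value set there with `date -s`.
SAMPLE_VALIDITY = """            Not Before: Mon May 27 07:37:55 2013
            Not After : Sun May 17 07:37:55 2015
"""
SAMPLE_NOW = datetime(2015, 5, 16, 15, 43, 9)

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_trust(parse_listing(sample)) or "no problems")
    print("days left on sample cert:", days_until_expiry(SAMPLE_VALIDITY, SAMPLE_NOW))
```

Run it against a live server with `check_database()` before and after the clock jump; a non-empty result after renewal is exactly the condition this bug describes (trust flags that no longer match the pre-renewal baseline), and a duplicate-nickname report tells you a renewal wrote a second certificate instead of replacing the old one.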
Comment 7 errata-xmlrpc 2013-06-13 04:09:45 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0945.html
