https://bugzilla.redhat.com/show_bug.cgi?id=883484 (Red Hat Enterprise Linux 6)
Description of problem:

I have seen the following failures in the past week:

1. Cert renew problem: some certs (randomly) do not get renewed while other certs that have the same "Not After" values are being renewed.
2. DNS A record problem: sometimes the ipa server reports "ipa: ERROR: Host does not have corresponding DNS A record", when a similar "ipa service-add <service>" command succeeded before the system time was adjusted. And after the test script finished running, the exact same command succeeds.
3. Power test for cert renew: I want to make sure the automatic renew feature continues to work after all certs have been renewed at least once. The test result is always a failure. Sometimes all certs are renewed two times and fail at the third round of the renewal test. Most of the time, they fail at the second round of the test.

What frustrates me is that the test results are different almost every time. I have been debugging and restructuring my test script, but I have seen NO logic error in my test script. I really need the developers' help to find out the exact cause of the problem. It is possible I have a wrong logic flow or even a wrong understanding of the feature.

To get started, I want to focus on one specific error first: caSSLServiceCert renew failed. I will post the test log and host information as comments on this bug report.

Thanks

Version-Release number of selected component (if applicable):

[root@fig (RH6.4-x86_64) ipa-autorenewcert] rpm -qi ipa-server
Name        : ipa-server                        Relocations: (not relocatable)
Version     : 3.0.0                             Vendor: Red Hat, Inc.
Release     : 9.el6                             Build Date: Tue 27 Nov 2012 06:28:28 AM PST
Install Date: Mon 03 Dec 2012 11:05:50 AM PST   Build Host: x86-001.build.bos.redhat.com
Group       : System Environment/Base           Source RPM: ipa-3.0.0-9.el6.src.rpm
Size        : 4366857                           License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
Description :
IPA is an integrated solution to provide centrally managed Identity (machine, user, virtual machines, groups, authentication credentials), Policy (configuration settings, access control information) and Audit (events, logs, analysis thereof). If you are installing an IPA server you need to install this package (in other words, most people should NOT install this package).
Yi tells me he has mostly worked out the issues and is doing final testing.
Nalin made changes in certmonger so we could serialize access to the NSS databases and prevent corruption. This also has the effect of making it less likely for us to trip over ourselves trying to renew and restart all the services at the same time.
master: 045b6e6
ipa-3-1: 0b462b1
ipa-3-0: fa6f0ca
Metadata Update from @rcritten: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 3.0.3 (bug fixing)