Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 918335
Description of problem: When a cert being renewed, wrong trust argument being assigned to renewed certs Version-Release number of selected component (if applicable): [root@apple (RH6.4-i386) ipa-autorenewcert] rpm -qa | grep ipa-server ipa-server-selinux-3.0.0-25.el6.i686 ipa-server-3.0.0-25.el6.i686 [root@apple (RH6.4-i386) ipa-autorenewcert] rpm -qa | grep certmonger certmonger-0.61-3.el6.i686 How reproducible: always Steps to Reproduce: 1. install ipa server 2. check trust arguments use "certutil -L -d /var/lib/pki-ca/alias" 3. adjust system time to trigger automatic renew 4. check trust arguments again with same command here is what I have: ============== before auto renew ============== [root@apple (RH6.4-i386) alias] certutil -L -d . Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI subsystemCert cert-pki-ca u,u,u Server-Cert cert-pki-ca u,u,u caSigningCert cert-pki-ca CTu,Cu,Cu Server-Cert cert-pki-ca u,u,u auditSigningCert cert-pki-ca u,u,Pu ocspSigningCert cert-pki-ca u,u,Pu ============== after auto renew ================== [root@apple (RH6.4-i386) alias] certutil -L -d . Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Server-Cert cert-pki-ca u,u,u auditSigningCert cert-pki-ca u,u,u subsystemCert cert-pki-ca u,u,Pu caSigningCert cert-pki-ca CTu,Cu,Cu Server-Cert cert-pki-ca u,u,u auditSigningCert cert-pki-ca u,u,Pu ocspSigningCert cert-pki-ca u,u,Pu Additional info: summary: auditSigningCert cert-pki-ca u,u,Pu -> u,u,u subsystemCert cert-pki-ca u,u,u -> u,u,Pu I haven't check the other ipa certs yet. I will post my finding here as comment
I can't reproduce this on Fedora 18 or Fedora 19 with current FreeIPA from master branch.
It is possible it is RHEL-specific.
As Jan found out, this error is specific to RHEL only. Closing upstream ticket.
Metadata Update from @mkosek: - Issue assigned to jcholast - Issue set to the milestone: FreeIPA 3.2 - 2013/04 (Beta)
Login to comment on this ticket.