#4765 RHEL7.1 ipa automatic CA cert renewal stuck in submitting state
Closed: Fixed None Opened 9 years ago by jcholast.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1166931

Description of problem:

Automatic CA Cert renewal for self signed IPA is hanging in a submitting state.

[root@vm4 ~]# getcert list -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca'
Number of certificates and requests being tracked: 8.
Request ID '20141122001822':
        status: SUBMITTING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin='358974620032'
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.TEST
        subject: CN=Certificate Authority,O=EXAMPLE.TEST
        expires: 2034-11-22 00:17:49 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

I walked the time forward to within 6 days of CA expiration and it goes through
to this point.  But, certmonger is trying repeatedly to submit and is never
getting past this state.




Version-Release number of selected component (if applicable):

ipa-server-4.1.0-7.el7.x86_64
certmonger-0.75.14-2.el7.x86_64


How reproducible:


Steps to Reproduce:
1.  Install IPA Master
2.  getcert list | grep expires
3.  Change date to closest to let certs expire as expected
4.  getcert list
5.  Check that certs submit and renew
6.  getcert resubmit -i <id>  for any certs that don't submit
7.  repeat until all certs in MONITORING state
8.  change date forward again and repeat until you reach CA cert expiration


Actual results:
stuck in submitting state shown above.  I don't see it go to monitoring state.

Expected results:
cert should change from submitting to monitoring.

Additional info:

[root@vm4 ~]# tail -10 /var/log/messages
Nov 16 01:42:09 vm4 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Nov 16 01:42:09 vm4 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 5
Nov 16 01:42:10 vm4 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Nov 16 01:42:10 vm4 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 5
Nov 16 01:42:12 vm4 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Nov 16 01:42:13 vm4 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 5
Nov 16 01:42:14 vm4 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Nov 16 01:42:14 vm4 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 5
Nov 16 01:42:15 vm4 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Nov 16 01:42:15 vm4 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 5
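
Added example (not part of the original ticket, and not FreeIPA or certmonger code): a small Python check that flags the rapid resubmit loop visible in the log excerpt above, where the same helper returns the same non-zero status every second or so. The threshold of 4 results, the 60-second gap and the default year are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# "returned" lines from the excerpt above (wrapping undone) plus one "Forwarding" line.
SAMPLE_LOG = """\
Nov 16 01:42:09 vm4 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Nov 16 01:42:09 vm4 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 5
Nov 16 01:42:10 vm4 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 5
Nov 16 01:42:13 vm4 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 5
Nov 16 01:42:14 vm4 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 5
Nov 16 01:42:15 vm4 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 5
"""

# Matches "<helper>-submit: <child helper> returned <exit status>" syslog lines.
RETURNED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<helper>[\w-]+-submit): (?P<child>[\w-]+) returned (?P<rc>\d+)$"
)

def helper_results(log_text, year):
    """Yield (timestamp, host, helper, exit_status) for each 'returned N' line."""
    for line in log_text.splitlines():
        m = RETURNED.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["host"], m["helper"], int(m["rc"])

def find_resubmit_loops(log_text, threshold=4, window=timedelta(seconds=60), year=2000):
    """Return [(host, helper, exit_status, count)] for runs of at least `threshold`
    identical non-zero results, each within `window` of the previous one.
    Syslog lines carry no year, so `year` is assumed (a leap year keeps Feb 29 valid).
    In certmonger's helper protocol, status 5 means "wait, retry after a delay"."""
    loops, run = [], []
    for rec in [*helper_results(log_text, year), None]:  # None flushes the final run
        same = (rec is not None and run and rec[3] != 0
                and rec[1:] == run[-1][1:] and rec[0] - run[-1][0] <= window)
        if not same:
            if len(run) >= threshold:
                loops.append((*run[0][1:], len(run)))
            run = []
        if rec is not None and rec[3] != 0:
            run.append(rec)
    return loops

if __name__ == "__main__":
    for host, helper, rc, count in find_resubmit_loops(SAMPLE_LOG):
        print(f"{host}: {helper} returned {rc} {count} times in a tight loop")
```

A hit for a request that `getcert list` also shows in SUBMITTING is the pattern this ticket describes.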

master:

  • 423c3e8 Fix automatic CA cert renewal endless loop in dogtag-ipa-ca-renew-agent

ipa-4-1:

  • 9bfb16c Fix automatic CA cert renewal endless loop in dogtag-ipa-ca-renew-agent

Metadata Update from @jcholast:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.1.3

7 years ago
