freeipa

Clone
Source Code
GIT

#4820 IPA externally signed CA cert expiration warning missing from log
Closed: Fixed None Opened 9 years ago by jcholast.

Closed: Fixed
Reopen Issue

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1178128

Description of problem:

When IPA server's externally signed CA cert is about to expire, I'd expect to
see a message in /var/log/messages.  I walked the server's time slowly from 4
weeks out to the expiration time an never saw a message.  All I saw was getcert
change:

[root@rhel7-9 log]# getcert list -i 20141216222410
Number of certificates and requests being tracked: 8.
Request ID '20141216222410':
        status: MONITORING
        ca-error: Updated certificate not available
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='285787707402'
        certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Primary Fake CA,O=fakerealm1
        subject: CN=Certificate Authority,O=EXAMPLE.COM
        expires: 2019-12-16 22:21:55 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes


Version-Release number of selected component (if applicable):
ipa-server-4.1.0-13.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1.  Start IPA server install requiring externally signed CA:

ipa-server-install --setup-dns --forwarder=192.168.122.1 -r EXAMPLE.TEST -a
Secret123 -p Secret123 --external-ca -U

2.  Setup Fake external CA for signing

SERNUM=$RANDOM

SERNUM=$(( SERNUM += 1 ))
echo -e "y\n10\ny\n" | \
certutil -S -d . \
    -n RootCA \
    -s "CN=MyRootCA, O=fakerealm1" \
    -x \
    -t "CTu,CTu,CTu" \
    -g 2048 \
    -m $SERNUM\
    -v 60 \
    -z /etc/group \
    -2 \
    --keyUsage certSigning \
    --nsCertType sslCA,smimeCA,objectSigningCA \
    -f mypass1

3.  Sign IPA CSR and export fake CA cert

SERNUM=$(( SERNUM += 1 ))
echo -e "y\n10\ny\n" | \
certutil -C -d . \
    -c RootCA \
    -m $SERNUM \
    -v 60 \
    -2 \
    --keyUsage digitalSignature,nonRepudiation,certSigning \
    --nsCertType sslCA,smimeCA,objectSigningCA \
    -i /root/ipa.csr \
    -o /root/ipa.crt \
    -f mypass1 \
    -a

certutil -L -d . -n "RootCA" -a >> /root/ipacacert.asc

4.  Finish IPA install

cd  /root

ipa-server-install --setup-dns --forwarder=192.168.122.1 \
    -r EXAMPLE.TEST -a Secret123 -p Secret123 \
    --external-cert-file=/root/ipa.crt \
    --external-cert-file=/root/ipacacert.asc -U

5.  Walk time forward with date command while making sure certs expire

date <soonest_expiration_minus_4_weeks>
getcert list | egrep "status|expires|Request|subject|ca-error"

6.  When you get within 4 weeks of CA expiring, check /var/log/messages for
message

grep "IPA CA certificate is about to expire, use ipa-cacert-manage to renew it"
/var/log/messages

Actual results:

no warning seen in log

Expected results:

Should see:
"IPA CA certificate is about to expire, use ipa-cacert-manage to renew it"


Additional info:

This is a regression caused by the fix for #4629.

Requires by downstream release (RHEL), bumping priority.

master:

  • a63df8f Fix CA certificate renewal syslog alert

ipa-4-1:

  • 818136b Fix CA certificate renewal syslog alert

Metadata Update from @jcholast:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.1.3
7 years ago

Login to comment on this ticket.

Metadata
None
None
None
important
None
None
None
None
defect
None
None
IPA
None
1
None
None
dkupka
None
https://bugzilla.redhat.com/show_bug.cgi?id=1178128
None
None
None
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.