Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1178128
Description of problem:
When IPA server's externally signed CA cert is about to expire, I'd expect to see a message in /var/log/messages. I walked the server's time slowly from 4 weeks out to the expiration time and never saw a message. All I saw was getcert change:

```
[root@rhel7-9 log]# getcert list -i 20141216222410
Number of certificates and requests being tracked: 8.
Request ID '20141216222410':
	status: MONITORING
	ca-error: Updated certificate not available
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin='285787707402'
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Primary Fake CA,O=fakerealm1
	subject: CN=Certificate Authority,O=EXAMPLE.COM
	expires: 2019-12-16 22:21:55 UTC
	key usage: digitalSignature,nonRepudiation,keyCertSign
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
```

Version-Release number of selected component (if applicable):
ipa-server-4.1.0-13.el7.x86_64

How reproducible: always

Steps to Reproduce:

1. Start IPA server install requiring externally signed CA:

```
ipa-server-install --setup-dns --forwarder=192.168.122.1 -r EXAMPLE.TEST -a Secret123 -p Secret123 --external-ca -U
```

2. Set up fake external CA for signing:

```
SERNUM=$RANDOM
SERNUM=$(( SERNUM += 1 ))
echo -e "y\n10\ny\n" | \
certutil -S -d . \
  -n RootCA \
  -s "CN=MyRootCA, O=fakerealm1" \
  -x \
  -t "CTu,CTu,CTu" \
  -g 2048 \
  -m $SERNUM \
  -v 60 \
  -z /etc/group \
  -2 \
  --keyUsage certSigning \
  --nsCertType sslCA,smimeCA,objectSigningCA \
  -f mypass1
```

3. Sign IPA CSR and export fake CA cert:

```
SERNUM=$(( SERNUM += 1 ))
echo -e "y\n10\ny\n" | \
certutil -C -d . \
  -c RootCA \
  -m $SERNUM \
  -v 60 \
  -2 \
  --keyUsage digitalSignature,nonRepudiation,certSigning \
  --nsCertType sslCA,smimeCA,objectSigningCA \
  -i /root/ipa.csr \
  -o /root/ipa.crt \
  -f mypass1 \
  -a
certutil -L -d . -n "RootCA" -a >> /root/ipacacert.asc
```

4. Finish IPA install:

```
cd /root
ipa-server-install --setup-dns --forwarder=192.168.122.1 \
  -r EXAMPLE.TEST -a Secret123 -p Secret123 \
  --external-cert-file=/root/ipa.crt \
  --external-cert-file=/root/ipacacert.asc -U
```

5. Walk time forward with the date command while making sure certs expire:

```
date <soonest_expiration_minus_4_weeks>
getcert list | egrep "status|expires|Request|subject|ca-error"
```

6. When you get within 4 weeks of CA expiring, check /var/log/messages for message:

```
grep "IPA CA certificate is about to expire, use ipa-cacert-manage to renew it" /var/log/messages
```

Actual results:
no warning seen in log

Expected results:
Should see: "IPA CA certificate is about to expire, use ipa-cacert-manage to renew it"

Additional info:
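As an added example (not FreeIPA or certmonger code), this is the check the report expects the server to perform: parse `getcert list` output of the shape quoted above and emit the expected warning once the CA certificate is inside the 4-week window. The sample output is constructed for the example and the function names are the example's own.

```python
from datetime import datetime, timedelta, timezone
import re

# Constructed sample shaped like the `getcert list` output quoted in the report.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20141216222410':
\tstatus: MONITORING
\tca-error: Updated certificate not available
\tsubject: CN=Certificate Authority,O=EXAMPLE.COM
\texpires: 2019-12-16 22:21:55 UTC
Request ID '20141216222411':
\tstatus: MONITORING
\tsubject: CN=rhel7-9.example.test,O=EXAMPLE.COM
\texpires: 2021-01-01 00:00:00 UTC
"""

WARNING_WINDOW = timedelta(weeks=4)  # threshold the report walks the clock towards
CA_WARNING = "IPA CA certificate is about to expire, use ipa-cacert-manage to renew it"

def parse_getcert_list(text):
    """Map each Request ID to a dict of its indented 'key: value' fields."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and line[:1] in ("\t", " ") and ":" in line:
            key, _, value = line.strip().partition(":")  # split at the first colon only
            current[key] = value.strip()
    return requests

def expiry_warnings(text, now, window=WARNING_WINDOW):
    """One warning per tracked certificate expiring within `window` of `now`
    (or already expired); the CA cert gets the message the report expected."""
    warnings = []
    for rid, fields in parse_getcert_list(text).items():
        if "expires" not in fields:
            continue  # e.g. a request still waiting for its first certificate
        expires = datetime.strptime(fields["expires"], "%Y-%m-%d %H:%M:%S %Z")
        remaining = expires.replace(tzinfo=timezone.utc) - now
        if remaining > window:
            continue
        if fields.get("subject", "").startswith("CN=Certificate Authority,"):
            warnings.append(CA_WARNING)
        else:
            warnings.append(f"certificate {rid} ({fields.get('subject', '?')}) expires in {remaining.days} days")
    return warnings
```

Run against the live output with `expiry_warnings(subprocess.check_output(["getcert", "list"], text=True), datetime.now(timezone.utc))`.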
This is a regression caused by the fix for #4629.
Requires by downstream release (RHEL), bumping priority.
master:
ipa-4-1:
Metadata Update from @jcholast:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.1.3