Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1277696
Description of problem:
IPA certificate auto renewal fails with "Invalid Credential" when jumping time forward upon renewal.

Version-Release number of selected component (if applicable):
ipa-server-4.2.0-15
pki-ca-10.2.5-6
certmonger-0.78.4-1

How reproducible:
Always

Steps to Reproduce:
1. ipa server installed
2. Check certs' expirations
3. Change date to within 4 weeks of soonest to expire date
4. Wait until certs get renewed
5. Repeat multiple times.

Actual results:
Renewal fails with "Invalid Credential" and becomes unreachable

Expected results:
Auto renew successfully

Additional info:
. . .
[root@idm-qe-02 ~]# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20151102005609':
    status: MONITORING
    subject: CN=CA Audit,O=TESTRELM.TEST
    expires: 2029-07-21 03:54:57 UTC
Request ID '20151102005610':
    status: MONITORING
    subject: CN=OCSP Subsystem,O=TESTRELM.TEST
    expires: 2029-07-21 03:54:07 UTC
Request ID '20151102005611':
    status: MONITORING
    subject: CN=CA Subsystem,O=TESTRELM.TEST
    expires: 2029-07-21 03:53:47 UTC
Request ID '20151102005612':
    status: MONITORING
    subject: CN=Certificate Authority,O=TESTRELM.TEST
    expires: 2035-11-02 00:55:48 UTC
Request ID '20151102005613':
    status: MONITORING
    subject: CN=IPA RA,O=TESTRELM.TEST
    expires: 2029-07-21 03:53:36 UTC
Request ID '20151102005614':
    status: MONITORING
    subject: CN=idm-qe-02.testrelm.test,O=TESTRELM.TEST
    expires: 2029-07-21 03:53:45 UTC
Request ID '20151102005622':
    status: MONITORING
    subject: CN=idm-qe-02.testrelm.test,O=TESTRELM.TEST
    expires: 2029-08-01 03:53:26 UTC
Request ID '20151102005640':
    status: MONITORING
    subject: CN=idm-qe-02.testrelm.test,O=TESTRELM.TEST
    expires: 2029-08-01 03:53:16 UTC
[root@idm-qe-02 ~]# date
Sat Jul 31 23:58:16 EDT 2027
[root@idm-qe-02 ~]# date -s "715 days"
Sun Jul 15 23:58:24 EDT 2029
[root@idm-qe-02 ~]# sleep 180
[root@idm-qe-02 ~]# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20151102005609':
    status: MONITORING
    subject: CN=CA Audit,O=TESTRELM.TEST
    expires: 2031-07-06 04:00:01 UTC
Request ID '20151102005610':
    status: MONITORING
    subject: CN=OCSP Subsystem,O=TESTRELM.TEST
    expires: 2031-07-06 03:59:33 UTC
Request ID '20151102005611':
    status: MONITORING
    ca-error: Server at "https://idm-qe-02.testrelm.test:8443/ca/agent/ca/profileProcess" replied: 1: Invalid Credential.
    subject: CN=CA Subsystem,O=TESTRELM.TEST
    expires: 2029-07-21 03:53:47 UTC
Request ID '20151102005612':
    status: MONITORING
    subject: CN=Certificate Authority,O=TESTRELM.TEST
    expires: 2035-11-02 00:55:48 UTC
Request ID '20151102005613':
    status: MONITORING
    subject: CN=IPA RA,O=TESTRELM.TEST
    expires: 2031-07-06 03:59:52 UTC
Request ID '20151102005614':
    status: MONITORING
    subject: CN=idm-qe-02.testrelm.test,O=TESTRELM.TEST
    expires: 2031-07-06 03:59:00 UTC
Request ID '20151102005622':
    status: MONITORING
    subject: CN=idm-qe-02.testrelm.test,O=TESTRELM.TEST
    expires: 2031-07-17 03:58:51 UTC
Request ID '20151102005640':
    status: MONITORING
    subject: CN=idm-qe-02.testrelm.test,O=TESTRELM.TEST
    expires: 2031-07-17 03:58:43 UTC
. . .

Attached full test output.
Also a workaround knowledgebase: https://access.redhat.com/solutions/1490603
master:
ipa-4-2:
Metadata Update from @jcholast: - Issue assigned to jcholast - Issue set to the milestone: FreeIPA 4.2.4
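
The before/after `getcert list` comparison in the ticket description can be scripted to flag requests that did not renew. This is an added example, not part of the ticket and not FreeIPA or certmonger code; `parse_getcert` and `failed_renewals` are hypothetical helper names, the sample text is two of the ticket's requests with the status lines omitted, and the 28-day window is an assumption taken from step 3 ("within 4 weeks").

```python
import re
from datetime import datetime, timedelta

REQ = re.compile(r"^Request ID '(\d+)':")
FIELD = re.compile(r"^\s+(status|ca-error|subject|expires):\s*(.*)$")

def parse_getcert(text):
    """Parse (filtered) `getcert list` output into {request_id: {field: value}}."""
    requests, current = {}, None
    for line in text.splitlines():
        if m := REQ.match(line):
            current = requests.setdefault(m.group(1), {})
        elif (m := FIELD.match(line)) and current is not None:
            key, value = m.groups()
            if key == "expires":
                value = datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC")
            current[key] = value
    return requests

def failed_renewals(before, after, now, window=timedelta(days=28)):
    """Requests with a ca-error, or due within `window` of `now` but not renewed."""
    new_reqs = parse_getcert(after)
    failed = []
    for req_id, old in parse_getcert(before).items():
        new = new_reqs.get(req_id, {})
        due = old["expires"] - now <= window  # assumed renewal window
        if "ca-error" in new or (due and new.get("expires") == old["expires"]):
            failed.append((req_id, new.get("subject"), new.get("ca-error")))
    return failed

# Sample input: two of the ticket's eight requests, status lines omitted.
NOW = datetime(2029, 7, 16, 3, 58, 24)  # "Sun Jul 15 23:58:24 EDT 2029" in UTC
BEFORE = """\
Request ID '20151102005610':
    subject: CN=OCSP Subsystem,O=TESTRELM.TEST
    expires: 2029-07-21 03:54:07 UTC
Request ID '20151102005611':
    subject: CN=CA Subsystem,O=TESTRELM.TEST
    expires: 2029-07-21 03:53:47 UTC
"""
AFTER = """\
Request ID '20151102005610':
    subject: CN=OCSP Subsystem,O=TESTRELM.TEST
    expires: 2031-07-06 03:59:33 UTC
Request ID '20151102005611':
    ca-error: Server at "https://idm-qe-02.testrelm.test:8443/ca/agent/ca/profileProcess" replied: 1: Invalid Credential.
    subject: CN=CA Subsystem,O=TESTRELM.TEST
    expires: 2029-07-21 03:53:47 UTC
"""
```

Calling `failed_renewals(BEFORE, AFTER, NOW)` returns only the CA Subsystem request, with its `ca-error` text, which is the request the ticket shows stuck at the old expiry.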