ipa-cacert-manage renew failed with validity out of range
Steps to Reproduce:
1. ipa server installed
2. manually renew CA cert
Actual results:
[root@amd-pike-05 ~]# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20151103191745':
	status: MONITORING
	subject: CN=CA Audit,O=TESTRELM.TEST
	expires: 2017-10-23 18:17:22 UTC
Request ID '20151103191746':
	status: MONITORING
	subject: CN=OCSP Subsystem,O=TESTRELM.TEST
	expires: 2017-10-23 18:17:20 UTC
Request ID '20151103191747':
	status: MONITORING
	subject: CN=CA Subsystem,O=TESTRELM.TEST
	expires: 2017-10-23 18:17:21 UTC
Request ID '20151103191748':
	status: MONITORING
	subject: CN=Certificate Authority,O=TESTRELM.TEST
	expires: 2035-11-03 19:17:17 UTC
Request ID '20151103191749':
	status: MONITORING
	subject: CN=IPA RA,O=TESTRELM.TEST
	expires: 2017-10-23 18:17:42 UTC
Request ID '20151103191750':
	status: MONITORING
	subject: CN=amd-pike-05.testrelm.test,O=TESTRELM.TEST
	expires: 2017-10-23 18:17:21 UTC
Request ID '20151103191801':
	status: MONITORING
	subject: CN=amd-pike-05.testrelm.test,O=TESTRELM.TEST
	expires: 2017-11-03 18:18:01 UTC
Request ID '20151103191823':
	status: MONITORING
	subject: CN=amd-pike-05.testrelm.test,O=TESTRELM.TEST
	expires: 2017-11-03 18:18:23 UTC

[root@amd-pike-05 ~]# ipa-cacert-manage renew
Renewing CA certificate, please wait
Error resubmitting certmonger request '20151103191748', please check the request manually

[root@amd-pike-05 ~]# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20151103191745':
	status: MONITORING
	subject: CN=CA Audit,O=TESTRELM.TEST
	expires: 2017-10-23 18:17:22 UTC
Request ID '20151103191746':
	status: MONITORING
	subject: CN=OCSP Subsystem,O=TESTRELM.TEST
	expires: 2017-10-23 18:17:20 UTC
Request ID '20151103191747':
	status: MONITORING
	subject: CN=CA Subsystem,O=TESTRELM.TEST
	expires: 2017-10-23 18:17:21 UTC
Request ID '20151103191748':
	status: MONITORING
	ca-error: Server at "http://amd-pike-05.testrelm.test:8080/ca/ee/ca/profileSubmit" replied: Request Rejected - {0}
	subject: CN=Certificate Authority,O=TESTRELM.TEST
	expires: 2035-11-03 19:17:17 UTC
Request ID '20151103191749':
	status: MONITORING
	subject: CN=IPA RA,O=TESTRELM.TEST
	expires: 2017-10-23 18:17:42 UTC
Request ID '20151103191750':
	status: MONITORING
	subject: CN=amd-pike-05.testrelm.test,O=TESTRELM.TEST
	expires: 2017-10-23 18:17:21 UTC
Request ID '20151103191801':
	status: MONITORING
	subject: CN=amd-pike-05.testrelm.test,O=TESTRELM.TEST
	expires: 2017-11-03 18:18:01 UTC
Request ID '20151103191823':
	status: MONITORING
	subject: CN=amd-pike-05.testrelm.test,O=TESTRELM.TEST
	expires: 2017-11-03 18:18:23 UTC

[root@amd-pike-05 ~]# less /var/log/pki/pki-tomcat/ca/debug
. . .
[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: ValidityConstraint: validate start
[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: ValidityConstraint: not before: Tue Nov 03 14:47:33 EST 2015
[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: ValidityConstraint: not after: Sat Nov 03 15:47:33 EDT 2035
[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: ValidityConstraint: range: 7305
[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: ValidityConstraint: range unit: day
[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: ValidityConstraint: limit: Sat Nov 03 14:47:33 EDT 2035
[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: CertRequestSubmitter: submit Validity Out of Range: Sat Nov 03 15:47:33 EDT 2035 is after Sat Nov 03 14:47:33 EDT 2035
[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: SignedAuditEventFactory: create() message=[AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=$NonRoleUser$][Outcome=Failure][ReqID=11][InfoName=rejectReason][InfoValue=Request Rejected - Validity Out of Range: Sat Nov 03 15:47:33 EDT 2035 is after Sat Nov 03 14:47:33 EDT 2035] certificate request processed
Expected results:
CA cert gets renewed successfully
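The debug log in the report shows the two validity computations disagreeing by exactly one hour: notBefore is Nov 03 14:47:33 EST 2015, the profile limit is Nov 03 14:47:33 EDT 2035 (same wall-clock time 7305 calendar days later, now in summer time), while the requested notAfter is Nov 03 15:47:33 EDT 2035 (7305 * 86400 seconds later on the UTC timeline). The following is an added example, not code from the bug report, FreeIPA or Dogtag; it reproduces that arithmetic under two assumptions that are consistent with the log but not stated on the page: that the CA host ran in US Eastern time, and that the limit was computed in local wall-clock days while the request added absolute seconds. The USEastern class, the function names and the summer-time control input are constructed for this illustration.

```python
# Added example (not from the bug report, FreeIPA or Dogtag): reproduce the
# one-hour "Validity Out of Range" mismatch seen in the debug log by computing a
# 7305-day validity two ways across a DST boundary.
from datetime import datetime, timedelta, timezone, tzinfo

RANGE_DAYS = 7305  # "ValidityConstraint: range: 7305" in the debug log


class USEastern(tzinfo):
    """Minimal US Eastern zone (post-2007 rule) so the example runs without tzdata.

    Assumption: the CA host ran in this zone; the EST/EDT stamps in the log are
    consistent with it. DST runs from 02:00 on the second Sunday of March to
    02:00 on the first Sunday of November.
    """

    STD = timedelta(hours=-5)
    DST = timedelta(hours=1)

    @staticmethod
    def _nth_sunday(year, month, n):
        first = datetime(year, month, 1)
        return first + timedelta(days=(6 - first.weekday()) % 7 + 7 * (n - 1))

    def _in_dst(self, dt):
        if dt is None:
            return False
        wall = dt.replace(tzinfo=None)
        start = self._nth_sunday(wall.year, 3, 2).replace(hour=2)
        end = self._nth_sunday(wall.year, 11, 1).replace(hour=2)
        return start <= wall < end

    def utcoffset(self, dt):
        return self.STD + self.dst(dt)

    def dst(self, dt):
        return self.DST if self._in_dst(dt) else timedelta(0)

    def tzname(self, dt):
        return "EDT" if self._in_dst(dt) else "EST"


EASTERN = USEastern()
JAVA_DATE = "%a %b %d %H:%M:%S %Z %Y"  # same layout as the dates in the debug log

# notBefore from the log: "Tue Nov 03 14:47:33 EST 2015"
NOT_BEFORE = datetime(2015, 11, 3, 14, 47, 33, tzinfo=EASTERN)
# Constructed control case: start and end both inside DST, one non-leap year.
SUMMER_NOT_BEFORE = datetime(2016, 6, 1, 12, 0, 0, tzinfo=EASTERN)


def calendar_limit(not_before, range_days=RANGE_DAYS):
    """Profile-style limit: add the range as wall-clock days in local time.

    Assumption: this is what produced "limit: Sat Nov 03 14:47:33 EDT 2035";
    the hour of day is preserved even though the UTC offset changed.
    Python's aware-datetime arithmetic is wall-clock arithmetic: the tzinfo is
    kept and the offset is re-evaluated for the new date.
    """
    return not_before.astimezone(EASTERN) + timedelta(days=range_days)


def absolute_not_after(not_before, range_days=RANGE_DAYS):
    """Request-style notAfter: add range * 86400 seconds on the UTC timeline."""
    utc = not_before.astimezone(timezone.utc) + timedelta(days=range_days)
    return utc.astimezone(EASTERN)


def validity_check(not_before=NOT_BEFORE, range_days=RANGE_DAYS):
    """Return (limit, requested, excess_seconds) as the ValidityConstraint sees them.

    The excess is computed on the UTC timeline so that the comparison is not
    fooled by the shared tzinfo object (same-tzinfo subtraction is naive).
    """
    limit = calendar_limit(not_before, range_days)
    requested = absolute_not_after(not_before, range_days)
    excess = requested.astimezone(timezone.utc) - limit.astimezone(timezone.utc)
    return limit.strftime(JAVA_DATE), requested.strftime(JAVA_DATE), int(excess.total_seconds())


if __name__ == "__main__":
    limit, requested, excess = validity_check()
    print("limit:    ", limit)
    print("requested:", requested)
    if excess > 0:
        print(f"Validity Out of Range: {requested} is after {limit} (by {excess} s)")
    # Control case: wall-clock and absolute arithmetic agree, nothing is rejected.
    print(validity_check(SUMMER_NOT_BEFORE, 365))
```

Run stand-alone it prints the same limit and requested dates as the `ValidityConstraint` lines in the report, with the one-hour excess that triggered the rejection; the control case shows that the same two computations agree whenever notBefore and notAfter fall on the same side of a DST change, which is why the failure only surfaces on certain renewal dates.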
Per discussions in the Dogtag 10.3 Triage meeting of 01/06/2016: priority medium
This is already fixed in ticket #1682.
Metadata Update from @xdong:
- Issue assigned to edewata
- Issue set to the milestone: 10.3.0
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2279