#1721 ipa-cacert-manage renew failed with validity out of range
Closed: Duplicate None Opened 8 years ago by xdong.

ipa-cacert-manage renew failed with validity out of range

Steps to Reproduce:

1. ipa server installed
2. manually renew CA cert

Actual results:

[root@amd-pike-05 ~]# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20151103191745':
        status: MONITORING
        subject: CN=CA Audit,O=TESTRELM.TEST
        expires: 2017-10-23 18:17:22 UTC
Request ID '20151103191746':
        status: MONITORING
        subject: CN=OCSP Subsystem,O=TESTRELM.TEST
        expires: 2017-10-23 18:17:20 UTC
Request ID '20151103191747':
        status: MONITORING
        subject: CN=CA Subsystem,O=TESTRELM.TEST
        expires: 2017-10-23 18:17:21 UTC
Request ID '20151103191748':
        status: MONITORING
        subject: CN=Certificate Authority,O=TESTRELM.TEST
        expires: 2035-11-03 19:17:17 UTC
Request ID '20151103191749':
        status: MONITORING
        subject: CN=IPA RA,O=TESTRELM.TEST
        expires: 2017-10-23 18:17:42 UTC
Request ID '20151103191750':
        status: MONITORING
        subject: CN=amd-pike-05.testrelm.test,O=TESTRELM.TEST
        expires: 2017-10-23 18:17:21 UTC
Request ID '20151103191801':
        status: MONITORING
        subject: CN=amd-pike-05.testrelm.test,O=TESTRELM.TEST
        expires: 2017-11-03 18:18:01 UTC
Request ID '20151103191823':
        status: MONITORING
        subject: CN=amd-pike-05.testrelm.test,O=TESTRELM.TEST
        expires: 2017-11-03 18:18:23 UTC
[root@amd-pike-05 ~]# ipa-cacert-manage renew
Renewing CA certificate, please wait
Error resubmitting certmonger request '20151103191748', please check the request manually

[root@amd-pike-05 ~]# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20151103191745':
        status: MONITORING
        subject: CN=CA Audit,O=TESTRELM.TEST
        expires: 2017-10-23 18:17:22 UTC
Request ID '20151103191746':
        status: MONITORING
        subject: CN=OCSP Subsystem,O=TESTRELM.TEST
        expires: 2017-10-23 18:17:20 UTC
Request ID '20151103191747':
        status: MONITORING
        subject: CN=CA Subsystem,O=TESTRELM.TEST
        expires: 2017-10-23 18:17:21 UTC
Request ID '20151103191748':
        status: MONITORING
        ca-error: Server at "http://amd-pike-05.testrelm.test:8080/ca/ee/ca/profileSubmit" replied: Request Rejected - {0}
        subject: CN=Certificate Authority,O=TESTRELM.TEST
        expires: 2035-11-03 19:17:17 UTC
Request ID '20151103191749':
        status: MONITORING
        subject: CN=IPA RA,O=TESTRELM.TEST
        expires: 2017-10-23 18:17:42 UTC
Request ID '20151103191750':
        status: MONITORING
        subject: CN=amd-pike-05.testrelm.test,O=TESTRELM.TEST
        expires: 2017-10-23 18:17:21 UTC
Request ID '20151103191801':
        status: MONITORING
        subject: CN=amd-pike-05.testrelm.test,O=TESTRELM.TEST
        expires: 2017-11-03 18:18:01 UTC
Request ID '20151103191823':
        status: MONITORING
        subject: CN=amd-pike-05.testrelm.test,O=TESTRELM.TEST
        expires: 2017-11-03 18:18:23 UTC

[root@amd-pike-05 ~]# less /var/log/pki/pki-tomcat/ca/debug
.
.
.

[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: ValidityConstraint: validate start
[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: ValidityConstraint: not before: Tue Nov 03 14:47:33 EST 2015
[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: ValidityConstraint: not after: Sat Nov 03 15:47:33 EDT 2035
[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: ValidityConstraint: range: 7305
[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: ValidityConstraint: range unit: day
[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: ValidityConstraint: limit: Sat Nov 03 14:47:33 EDT 2035
[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: CertRequestSubmitter: submit Validity Out of Range: Sat Nov 03 15:47:33 EDT 2035 is after Sat Nov 03 14:47:33 EDT 2035
[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: SignedAuditEventFactory: create() message=[AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=$NonRoleUser$][Outcome=Failure][ReqID=11][InfoName=rejectReason][InfoValue=Request Rejected - Validity Out of Range: Sat Nov 03 15:47:33 EDT 2035 is after Sat Nov 03 14:47:33 EDT 2035] certificate request processed

Expected results:

CA cert gets renewed successfully
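
The ValidityConstraint lines in the debug log above can be checked arithmetically. This is an added example, not part of the original ticket or of Dogtag's code: it parses those lines and compares the requested notAfter with the logged limit. The function names are hypothetical, and EST/EDT are assumed to be the fixed offsets UTC-5/UTC-4.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: EST/EDT in the log are US Eastern fixed offsets.
TZ = {"EST": timezone(timedelta(hours=-5)), "EDT": timezone(timedelta(hours=-4))}
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

# ValidityConstraint lines copied from the ticket, wrapped lines rejoined.
LOG = """\
[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: ValidityConstraint: not before: Tue Nov 03 14:47:33 EST 2015
[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: ValidityConstraint: not after: Sat Nov 03 15:47:33 EDT 2035
[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: ValidityConstraint: range: 7305
[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: ValidityConstraint: range unit: day
[03/Nov/2015:14:47:33][http-bio-8080-exec-2]: ValidityConstraint: limit: Sat Nov 03 14:47:33 EDT 2035
"""

# "range unit:" is deliberately not matched; only the four fields below are.
FIELD = re.compile(r"ValidityConstraint: (not before|not after|range|limit): (.+)$")

def parse_java_date(text):
    """Parse a java.util.Date string such as 'Sat Nov 03 15:47:33 EDT 2035'."""
    _dow, mon, day, clock, zone, year = text.split()
    h, m, s = map(int, clock.split(":"))
    return datetime(int(year), MONTHS.index(mon) + 1, int(day), h, m, s,
                    tzinfo=TZ[zone])

def analyse(log):
    """Return requested vs. configured validity and the overshoot past the limit."""
    fields = {}
    for line in log.splitlines():
        match = FIELD.search(line)
        if match:
            fields[match.group(1)] = match.group(2).strip()
    not_before = parse_java_date(fields["not before"])
    not_after = parse_java_date(fields["not after"])
    limit = parse_java_date(fields["limit"])
    return {
        "requested": not_after - not_before,            # elapsed time asked for
        "configured": timedelta(days=int(fields["range"])),
        "overshoot": not_after - limit,                 # how far past the limit
        "rejected": not_after > limit,
    }

if __name__ == "__main__":
    for key, value in analyse(LOG).items():
        print(f"{key}: {value}")
```

The requested validity is exactly 7305 × 24 hours, equal to the configured range, while the logged limit is one hour earlier than the requested notAfter; notBefore is printed in EST and both 2035 timestamps in EDT.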

Per discussions in the Dogtag 10.3 Triage meeting of 01/06/2016: priority medium

This is already fixed in ticket #1682.

Metadata Update from @xdong:
- Issue assigned to edewata
- Issue set to the milestone: 10.3.0

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2279

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
