I am testing CA Renewal using this:
https://fedoraproject.org/wiki/QA:Testcase_freeipav3_ca_renewal
I'm seeing a failure:
[root@f18-1 ~]# ipa cert-show 1
ipa: ERROR: Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)

in /var/log/messages:

Sep 30 10:28:28 f18-1 systemd[1]: Started 389 Directory Server TESTRELM-COM..
Sep 30 10:28:28 f18-1 systemd[1]: Started 389 Directory Server PKI-IPA..
Sep 30 10:28:28 f18-1 renew_ra_cert: Updating agent entry failed: Can't contact LDAP server:
Sep 30 10:28:29 f18-1 renew_ca_cert: Updating renewal certificate failed: Error initializing principal host/f18-1.testrelm.com@TESTRELM.COM in /etc/krb5.keytab: (-1765328324, 'Generic error (see e-text)')
As far as I can tell what happened is the ipaCert (the agent cert) was renewed successfully but we weren't able to bind to the dogtag LDAP instance to update the ou=People entry with the new certificate.
The description of the uid=ipara user still referenced the old serial number.
I was able to reproduce this by killing the PKI-IPA instance during the renewal.
The script can be re-run now but it isn't clear that you can do that. We should do two things:
- Have the script loop and try the server a few times in the hopes it will be back up soon.
- If we can't perform an update then notify that the script can be safely re-run.
I'm not sure whether I want to try to start the service or simply wait for it to come back up.
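The retry-then-notify behaviour proposed in the description, as an added example that is not FreeIPA's own renew_ra_cert code. It assumes the LDAP update is idempotent (re-running it writes the same new serial into the agent entry again), which is what makes "safe to re-run" a true statement, and it stands in for the real LDAP client with a hypothetical ServerUnavailable exception and a constructed update callable that fails a set number of times before succeeding:

```python
"""Bounded retry around the agent-entry update of a renewal hook.

Added example, not FreeIPA's renew_ra_cert. The LDAP modify is represented
by a callable; ServerUnavailable is a hypothetical stand-in for the
"Can't contact LDAP server" condition of a real LDAP client.
"""
import logging
import time

log = logging.getLogger("renew_ra_cert")


class ServerUnavailable(Exception):
    """Hypothetical: the directory server could not be reached."""


def update_with_retry(update, attempts=5, delay=1.0, backoff=2.0, sleep=time.sleep):
    """Call update() until it succeeds or `attempts` are exhausted.

    Returns (True, None) on success, or (False, message) after giving up,
    where message tells the operator that the script can safely be re-run.
    Only ServerUnavailable is retried: a bad bind DN or a schema violation
    will not fix itself by waiting, so any other error propagates unchanged.
    """
    wait = delay
    last = None
    for n in range(1, attempts + 1):
        try:
            update()
            return True, None
        except ServerUnavailable as e:
            last = e
            log.warning("attempt %d/%d: %s", n, attempts, e)
            if n < attempts:
                sleep(wait)        # exponential backoff between attempts
                wait *= backoff
    msg = ("Updating agent entry failed after %d attempts (%s). "
           "The certificate itself was renewed; once the PKI-IPA directory "
           "server is back up, re-run this script, it is safe to run again."
           % (attempts, last))
    log.error(msg)
    return False, msg


def make_flaky_update(failures, record):
    """Constructed stand-in for the LDAP modify of ou=People/uid=ipara:
    raise ServerUnavailable `failures` times, then record a success."""
    state = {"calls": 0}

    def update():
        state["calls"] += 1
        if state["calls"] <= failures:
            raise ServerUnavailable("Can't contact LDAP server")
        record.append("uid=ipara entry updated with new serial")

    return update


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    done = []
    # server comes back after two failed attempts: update lands once
    print(update_with_retry(make_flaky_update(2, done), sleep=lambda s: None))
    # server stays down: caller is told the script can be re-run
    print(update_with_retry(make_flaky_update(99, done), attempts=3,
                            sleep=lambda s: None))
```

The sleep function is injectable so the loop can be exercised without real delays; in a cron-driven renewal hook the defaults of five attempts with doubling backoff cover the window in which systemd is still bringing the PKI-IPA instance up.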
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=869663
attachment freeipa-rcrit-1068-renewal.patch
master: 1c72617
ipa-3-0: 6c0ffe9
Metadata Update from @spoore:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 3.0.1 (bug fixing)