#4092 Certificate renewal does not start CA on Dogtag 10 clones
Closed: Fixed None Opened 10 years ago by mkosek.

This is a follow-up to #4064. When testing CA renewal on a clone, I found out that it does not start the CA back up after a certificate has been renewed:

# getcert resubmit -i 20140106205541
Resubmitting "20140106205541" to "dogtag-ipa-retrieve-agent-submit".

# getcert list -i 20140106205541
Number of certificates and requests being tracked: 7.
Request ID '20140106205541':
    status: MONITORING
...
# systemctl status pki-tomcatd@pki-tomcat.service
pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
   Loaded: loaded (/lib/systemd/system/pki-tomcatd@.service; enabled)
   Active: inactive (dead) since Mon 2014-01-06 16:27:31 EST; 27s ago
  Process: 13802 ExecStop=/usr/bin/pkidaemon stop tomcat %i (code=exited, status=0/SUCCESS)
  Process: 13523 ExecStart=/usr/bin/pkidaemon start tomcat %i (code=exited, status=0/SUCCESS)
 Main PID: 13689 (code=exited, status=143)

Jan 06 16:25:57 vm-057.idm.lab.bos.redhat.com systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Jan 06 16:26:02 vm-057.idm.lab.bos.redhat.com systemd[1]: Started PKI Tomcat Server pki-tomcat.
Jan 06 16:27:30 vm-057.idm.lab.bos.redhat.com systemd[1]: Stopping PKI Tomcat Server pki-tomcat...
Jan 06 16:27:31 vm-057.idm.lab.bos.redhat.com systemd[1]: Stopped PKI Tomcat Server pki-tomcat.

I found out that the issue was in a broken restart script:

# /usr/lib64/ipa/certmonger/restart_pkicad "auditSigningCert cert-pki-ca"
Traceback (most recent call last):
  File "/usr/lib64/ipa/certmonger/restart_pkicad", line 42, in <module>
    if ipaservices.knownservices.pki_cad.is_running(dogtag_instance):
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 169, in __getattr__
    raise AttributeError('no magic attribute %r' % name)
AttributeError: no magic attribute 'pki_cad'

I only reproduced it on Dogtag10-based environments.


Reproducer:

  • Install IPA server
  • Install IPA replica with CA
  • On IPA server, resubmit some of the CA subsystem certificates, for example audit cert:

    getcert resubmit -d '/etc/pki/pki-tomcat/alias' -n 'auditSigningCert cert-pki-ca'

  • On IPA server, wait until the certificate is generated and status is back to MONITORING with:

    getcert list -d '/etc/pki/pki-tomcat/alias' -n 'auditSigningCert cert-pki-ca'

  • On IPA replica we will try to force renewal of this certificate. Run:

    getcert resubmit -d '/etc/pki/pki-tomcat/alias' -n 'auditSigningCert cert-pki-ca'

  • On IPA replica, wait until the certificate is renewed and status is back to MONITORING with:

    getcert list -d '/etc/pki/pki-tomcat/alias' -n 'auditSigningCert cert-pki-ca'

  • The new certificate should now be updated; see

    certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n 'auditSigningCert cert-pki-ca'

  • PKI service should be running (was not before the patch)
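A health check for exactly the failure mode this reproducer describes, as an added example that is not part of the ticket or of FreeIPA: it parses the `getcert list` and `systemctl status` output formats shown above and flags the case where certmonger reports the request back in MONITORING while the pki-tomcatd instance is inactive. The sample outputs are constructed from the transcript in the ticket; `check_live` is a hypothetical wrapper that runs the real commands on a host.

```python
"""Post-renewal health check for a Dogtag 10 CA instance (added example).

Detects the condition from the ticket: certificate renewed (MONITORING) but
pki-tomcatd@pki-tomcat.service left inactive by the restart helper.
"""
import re
import subprocess


def parse_getcert_status(output):
    """Return {request_id: status} parsed from `getcert list` output."""
    statuses = {}
    current = None
    for line in output.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+status:\s+(\S+)", line)
        if m and current:
            statuses[current] = m.group(1)
    return statuses


def parse_systemd_active(output):
    """Return the 'Active:' state word ('active', 'inactive', 'failed', ...)."""
    m = re.search(r"^\s*Active:\s+(\S+)", output, re.MULTILINE)
    return m.group(1) if m else None


def ca_down_after_renewal(getcert_out, systemctl_out):
    """True when all tracked requests are MONITORING but the CA is not running."""
    statuses = parse_getcert_status(getcert_out)
    renewed = bool(statuses) and all(s == "MONITORING" for s in statuses.values())
    return renewed and parse_systemd_active(systemctl_out) != "active"


# Constructed samples, modelled on the ticket's transcript.
SAMPLE_GETCERT = """Number of certificates and requests being tracked: 7.
Request ID '20140106205541':
    status: MONITORING
"""
SAMPLE_SYSTEMCTL = """pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
   Loaded: loaded (/lib/systemd/system/pki-tomcatd@.service; enabled)
   Active: inactive (dead) since Mon 2014-01-06 16:27:31 EST; 27s ago
"""


def check_live(request_id, instance="pki-tomcat"):
    """Hypothetical wrapper: run the real commands (needs certmonger + systemd)."""
    gc = subprocess.run(["getcert", "list", "-i", request_id], capture_output=True, text=True).stdout
    sc = subprocess.run(["systemctl", "status", f"pki-tomcatd@{instance}.service"], capture_output=True, text=True).stdout
    return ca_down_after_renewal(gc, sc)


if __name__ == "__main__":
    print("CA down after renewal:", ca_down_after_renewal(SAMPLE_GETCERT, SAMPLE_SYSTEMCTL))
```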

Patch freeipa-mkosek-444-pki-service-restart-after-ca-renewal-failed.patch sent for review

An accidental file permission change introduced by the previous patch was fixed:

master: 554d43d
ipa-3-3: 2273ff1

Metadata Update from @mkosek:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.3.x - 2014/01 (bug fixing)

7 years ago
