Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1166931
Description of problem:
Automatic CA Cert renewal for self-signed IPA is hanging in a submitting state.

[root@vm4 ~]# getcert list -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca'
Number of certificates and requests being tracked: 8.
Request ID '20141122001822':
	status: SUBMITTING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin='358974620032'
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.TEST
	subject: CN=Certificate Authority,O=EXAMPLE.TEST
	expires: 2034-11-22 00:17:49 UTC
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes

I walked the time forward to within 6 days of CA expiration and it goes through to this point. But certmonger is trying repeatedly to submit and is never getting past this state.

Version-Release number of selected component (if applicable):
ipa-server-4.1.0-7.el7.x86_64
certmonger-0.75.14-2.el7.x86_64

How reproducible:

Steps to Reproduce:
1. Install IPA Master
2. getcert list | grep expires
3. Change date to closest to let certs expire as expected
4. getcert list
5. Check that certs submit and renew
6. getcert resubmit -i <id> for any certs that don't submit
7. Repeat until all certs in MONITORING state
8. Change date forward again and repeat until you reach CA cert expiration

Actual results:
Stuck in submitting state shown above. I don't see it go to monitoring state.

Expected results:
Cert should change from submitting to monitoring.
Additional info:

[root@vm4 ~]# tail -10 /var/log/messages
Nov 16 01:42:09 vm4 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Nov 16 01:42:09 vm4 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 5
Nov 16 01:42:10 vm4 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Nov 16 01:42:10 vm4 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 5
Nov 16 01:42:12 vm4 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Nov 16 01:42:13 vm4 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 5
Nov 16 01:42:14 vm4 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Nov 16 01:42:14 vm4 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 5
Nov 16 01:42:15 vm4 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Nov 16 01:42:15 vm4 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 5
master:
ipa-4-1:
Metadata Update from @jcholast: - Issue assigned to jcholast - Issue set to the milestone: FreeIPA 4.1.3
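A monitoring check for the condition reported in this ticket, as an added example that is not part of the original ticket or of the FreeIPA/certmonger code: it parses `getcert list` output for tracked requests that are not in MONITORING and counts repeated non-zero helper return codes in syslog. The sample inputs are constructed from the output quoted in the report; the second request, the function names and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample: first request abridged from this ticket, second invented.
GETCERT_SAMPLE = """\
Number of certificates and requests being tracked: 8.
Request ID '20141122001822':
	status: SUBMITTING
	stuck: no
	CA: dogtag-ipa-ca-renew-agent
	expires: 2034-11-22 00:17:49 UTC
Request ID '20990101000000':
	status: MONITORING
	stuck: no
	CA: IPA
	expires: 2099-01-01 00:00:00 UTC
"""
# Constructed sample: a subset of the syslog lines quoted in this ticket.
SYSLOG_SAMPLE = """\
Nov 16 01:42:09 vm4 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Nov 16 01:42:09 vm4 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 5
Nov 16 01:42:10 vm4 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 5
Nov 16 01:42:13 vm4 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 5
"""

def parse_getcert(text):
    """Return {request_id: {field: value}} parsed from `getcert list` output."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return requests

def not_monitoring(requests):
    """Request IDs whose status is anything other than MONITORING."""
    return sorted(r for r, f in requests.items() if f.get("status") != "MONITORING")

def helper_returns(log_text):
    """Count '<helper> returned <code>' syslog lines per (helper, code)."""
    pat = re.compile(r"(\S+) returned (\d+)\s*$")
    return Counter((m.group(1), int(m.group(2)))
                   for line in log_text.splitlines() if (m := pat.search(line)))

def retry_loops(log_text, threshold=3):
    """(helper, code) pairs with a non-zero code seen at least `threshold` times."""
    return sorted(k for k, n in helper_returns(log_text).items() if k[1] and n >= threshold)

if __name__ == "__main__":
    print("not MONITORING:", not_monitoring(parse_getcert(GETCERT_SAMPLE)))
    print("retry loops:", retry_loops(SYSLOG_SAMPLE))
```
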