Certmonger monitors and auto-renews NSSDB at {{{/var/lib/ipa/radb}}} but it does not update {{{/var/lib/ipa/radb/kra-agent.pem}}} automatically. The file must be updated after certmonger has renewed the KRA agent pem. The certificate has an expiration time of 2 years.
{{{
Request ID '20170215101245':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/ipa/radb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/var/lib/ipa/radb/pwdfile.txt'
	certificate: type=NSSDB,location='/var/lib/ipa/radb',nickname='ipaCert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=IPA.EXAMPLE
	subject: CN=IPA RA,O=IPA.EXAMPLE
	expires: 2019-02-03 15:26:21 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
}}}
Honza told me about existing scripts. FreeIPA comes with a pre and post script for RA certs. Neither the pre nor the post script is configured (pre-save command and post-save command are empty).
{{{
/usr/libexec/ipa/certmonger/renew_ra_cert
/usr/libexec/ipa/certmonger/renew_ra_cert_pre
}}}
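Added example, not code from the ticket, FreeIPA or certmonger: a small checker that parses `getcert list` style output such as the listing above and reports tracked requests whose post-save command is empty (so nothing copies the renewed certificate out of the NSSDB into side files like kra-agent.pem), plus the days left before expiry. The sample text and the function names are constructed for this example.

```python
"""Audit `getcert list` output for tracked requests that lack a post-save hook.
Added example (not FreeIPA/certmonger code): an empty post-save command means
the NSSDB entry is renewed but copies of the certificate elsewhere go stale."""
import re
from datetime import datetime, timezone

# Constructed sample in the shape of `getcert list`; values mirror the ticket.
SAMPLE = """\
Request ID '20170215101245':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/ipa/radb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/var/lib/ipa/radb/pwdfile.txt'
    certificate: type=NSSDB,location='/var/lib/ipa/radb',nickname='ipaCert',token='NSS Certificate DB'
    subject: CN=IPA RA,O=IPA.EXAMPLE
    expires: 2019-02-03 15:26:21 UTC
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
"""

def parse_time(text):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' timestamps as aware datetimes."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)

def parse_getcert(text):
    """Split getcert output into one dict of 'field: value' pairs per request."""
    requests, current = [], None
    for line in text.splitlines():
        match = re.match(r"Request ID '([^']+)':", line)
        if match:
            current = {"id": match.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def audit(requests, now, warn_days=30):
    """Return (request id, finding) pairs: missing post-save hook or near expiry."""
    findings = []
    for req in requests:
        if req.get("track") == "yes" and not req.get("post-save command"):
            findings.append((req["id"], "no post-save command: side files will go stale after renewal"))
        if req.get("expires"):
            days_left = (parse_time(req["expires"]) - now).days
            if days_left < warn_days:
                findings.append((req["id"], f"expires in {days_left} days"))
    return findings
```

Run it against real `getcert list` output piped in from the server to see which tracked certificates have no post-save command configured.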
I just found the cause of it: it's an issue during upgrade caused by privilege separation patches (see ipaserver/install/plugins/update_ra_cert_store.py, line about 69). Please do not fix it as it will be replaced in https://github.com/freeipa/freeipa/pull/367 anyway.
Metadata Update from @cheimes:
- Issue assigned to jcholast
- Issue set to the milestone: 0.0 NEEDS_TRIAGE
master:
Metadata Update from @jcholast:
- Custom field affects_doc reset
- Custom field component reset
- Custom field type reset
- Issue close_status updated to: None
- Issue set to the milestone: None (was: 0.0 NEEDS_TRIAGE)

Metadata Update from @jcholast:
- Custom field affects_doc reset
- Custom field tester adjusted to wanted
- Issue close_status updated to: fixed
- Issue set to the milestone: FreeIPA 4.5
- Issue status updated to: Closed (was: Open)