The cert revocation logic for service and host certificates is inefficient and slow. When IPA deletes a host, it revokes all certs for the host as well as all certificates for all services of the removed host. For each service and host revocation, the command retrieves all from Dogtag. This can take very long in a setup with a couple of hundred thousand certs and a couple of services on each host. See https://bugzilla.redhat.com/show_bug.cgi?id=1658280
Internally service_del uses cert_find(service=principal) to find all certificates that are associated with the service. cert_find runs three different queries: cert_search, ca_search, and ldap_search.
For cert_find() of services, only ldap_search is relevant. It uses an efficient query with an LDAP filter "(&(&(objectClass=krbprincipal)(objectClass=krbprincipalaux)(objectClass=krbticketpolicyaux)(objectClass=ipaobject)(objectClass=ipaservice)(objectClass=pkiuser))(krbPrincipalName=...)(userCertificate=*))" attrs="userCertificate" to find the service certs.
However, cert_find() executes the ca_search subquery first. It uses the ra.find() method, which fetches information for all certs from Dogtag. There is no filtering by hostname or service. For example, an ipa service-del calls Dogtag's XML-RPC endpoint /ca/rest/certs/search?size=2147483647 with this POST request:
    <CertSearchRequest>
      <serialNumberRangeInUse>true</serialNumberRangeInUse>
      <subjectInUse>false</subjectInUse>
      <matchExactly>false</matchExactly>
      <revokedByInUse>false</revokedByInUse>
      <revokedOnInUse>false</revokedOnInUse>
      <revocationReasonInUse>false</revocationReasonInUse>
      <issuedByInUse>false</issuedByInUse>
      <issuedOnInUse>false</issuedOnInUse>
      <validNotBeforeInUse>false</validNotBeforeInUse>
      <validNotAfterInUse>false</validNotAfterInUse>
      <validityLengthInUse>false</validityLengthInUse>
      <certTypeInUse>false</certTypeInUse>
    </CertSearchRequest>
IPA runs /ca/rest/certs/search for each service entry and for the host.
The service and host revocation cases should be optimized and not require a cert search.
The host and service certs are stored in LDAP inside the host and service entry. There is no need to search CA. A more efficient implementation could look like this:
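The shape such an implementation could take, as an added example that is not FreeIPA's own code: it reads the certs directly from the entry's userCertificate values, derives serial and issuer from each, and revokes them one by one, so no Dogtag search is needed. The attribute name `usercertificate`, the `revoke_fn(serial, issuer)` callback and the skipping of already-expired certs are assumptions made for this example.

```python
# Added example, not FreeIPA's own code: revoke a host's or service's certs
# straight from the LDAP entry instead of going through cert_find()/ca_search.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa

def certs_to_revoke(entry_attrs):
    """Return (serial, issuer) for every unexpired cert stored on the entry.

    entry_attrs stands in for the dict ldap_search returns for a service or
    host entry; only the multi-valued 'usercertificate' (DER bytes) is used.
    Expired certs are skipped (assumption: revoking them buys nothing).
    """
    now = datetime.datetime.now(datetime.timezone.utc)
    result = []
    for der in entry_attrs.get("usercertificate", []):
        cert = x509.load_der_x509_certificate(der)
        expiry = getattr(cert, "not_valid_after_utc", None)
        if expiry is None:  # cryptography < 42 returns a naive UTC datetime
            expiry = cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)
        if expiry < now:
            continue
        result.append((cert.serial_number, cert.issuer.rfc4514_string()))
    return result

def revoke_entry_certs(entry_attrs, revoke_fn):
    """Call revoke_fn(serial, issuer) per live cert; return how many were revoked."""
    pairs = certs_to_revoke(entry_attrs)
    for serial, issuer in pairs:
        revoke_fn(serial, issuer)
    return len(pairs)

def make_test_cert(cn, serial, expired=False):
    """Constructed self-signed cert standing in for a Dogtag-issued one."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    start = now - datetime.timedelta(days=400 if expired else 1)
    end = start + datetime.timedelta(days=365)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(start).not_valid_after(end)
            .sign(key, hashes.SHA256()))
    return cert.public_bytes(serialization.Encoding.DER)
```

The same loop applies to a host entry and to each of its services, which keeps the deletion cost proportional to the number of certs on those entries rather than the size of the CA.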
Metadata Update from @cheimes: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1658280
@gparente proposed another optimization. He suggested filtering out revoked certs. However, cert-find does not yet support filtering for non-revoked certs, e.g. ipa cert-find --revoked=false.
Metadata Update from @abbra: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1658280, https://bugzilla.redhat.com/show_bug.cgi?id=1669012 (was: https://bugzilla.redhat.com/show_bug.cgi?id=1658280)
Issue linked to Bugzilla: Bug 1669012
Metadata Update from @cheimes: - Issue set to the milestone: FreeIPA 4.6 (was: 0.0 NEEDS_TRIAGE)
The workaround has landed in 4.6, 4.7, and master. Since it's a workaround, I'm leaving this ticket open.