There have been numerous customer cases concerning failures of, or incorrect renewal of, Dogtag system certificates or the IPA RA certificate. These certificates use serial-based renewal requests: the request refers to the serial number of the certificate to be renewed. The certificate record is looked up and, from there, the original request record; the details of that request are reused to create a new certificate.
This has led to problems including:
We investigated whether the renewal procedure for these certificates can be changed to use regular enrolment requests instead of serial-based renewal requests, and concluded:
The scenario was tested by upgrading the deployment with the changes above, and adding a profile to the relevant tracking requests. I deleted the old OCSP certificate record, then renewed it via getcert-resubmit. Renewal succeeded.
We have agreed to proceed with this effort. A bit more work and testing is needed, in particular:
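The following is an added example (not FreeIPA or Dogtag code) that models the two renewal paths described in this ticket: serial-based renewal, which must find the certificate record and then its original request record, and regular enrolment, which carries the profile and subject in the tracking request itself. The record classes, function names and the profile/subject strings are hypothetical placeholders; the demo reproduces the test scenario above by deleting the certificate record and renewing both ways.

```python
"""Simulation of serial-based renewal versus enrolment-based renewal.

Added example, not FreeIPA/Dogtag code. Record layout, function names and
the sample profile/subject values are constructed for illustration only.
"""
from dataclasses import dataclass, field


@dataclass
class RequestRecord:
    """Original enrolment request; serial-based renewal reuses its details."""
    request_id: str
    profile: str
    subject: str
    extensions: dict


@dataclass
class CertRecord:
    """Certificate record; links the serial back to the request that produced it."""
    serial: int
    request_id: str
    subject: str


@dataclass
class CADatabase:
    certs: dict = field(default_factory=dict)     # serial -> CertRecord
    requests: dict = field(default_factory=dict)  # request_id -> RequestRecord
    next_serial: int = 1

    def issue(self, profile: str, subject: str, extensions: dict) -> CertRecord:
        """Create a request record and a certificate record for a new cert."""
        req = RequestRecord(f"req-{self.next_serial}", profile, subject, dict(extensions))
        self.requests[req.request_id] = req
        cert = CertRecord(self.next_serial, req.request_id, subject)
        self.certs[cert.serial] = cert
        self.next_serial += 1
        return cert


class RenewalError(Exception):
    """Raised when a serial-based renewal cannot locate the records it depends on."""


def renew_by_serial(db: CADatabase, serial: int) -> CertRecord:
    """Serial-based renewal: serial -> cert record -> original request -> reuse."""
    cert = db.certs.get(serial)
    if cert is None:
        raise RenewalError(f"no certificate record for serial {serial}")
    req = db.requests.get(cert.request_id)
    if req is None:
        raise RenewalError(f"no request record {cert.request_id} for serial {serial}")
    return db.issue(req.profile, req.subject, req.extensions)


def renew_by_enrolment(db: CADatabase, tracking_request: dict) -> CertRecord:
    """Regular enrolment: the tracking request supplies profile, subject and extensions,
    so no lookup of the old certificate or its request record is needed."""
    return db.issue(tracking_request["profile"],
                    tracking_request["subject"],
                    tracking_request["extensions"])


def demo():
    """Replay the ticket's scenario: delete the old cert record, then renew both ways."""
    db = CADatabase()
    # Hypothetical tracking request for an OCSP signing cert (placeholder values).
    tracking = {"profile": "exampleOCSPProfile",
                "subject": "CN=OCSP Subsystem",
                "extensions": {"eku": "ocspSigning"}}
    ocsp = db.issue(tracking["profile"], tracking["subject"], tracking["extensions"])

    # Healthy deployment: serial-based renewal still finds both records.
    healthy = renew_by_serial(db, ocsp.serial)

    # Failure mode: the certificate record for the old serial is gone.
    del db.certs[ocsp.serial]
    serial_error = None
    try:
        renew_by_serial(db, ocsp.serial)
    except RenewalError as exc:
        serial_error = str(exc)

    # Enrolment-based renewal only depends on the tracking request and succeeds.
    enrolled = renew_by_enrolment(db, tracking)
    return healthy, serial_error, enrolled


if __name__ == "__main__":
    h, err, e = demo()
    print("serial-based renewal (healthy):", h)
    print("serial-based renewal after record deletion:", err)
    print("enrolment-based renewal after record deletion:", e)
```

The point the simulation makes is the one the ticket relies on: with serial-based renewal, any inconsistency in the CA database (a missing or wrong certificate or request record) breaks renewal of the system certificate, while an enrolment request that names its profile is insulated from that state.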
PR: https://github.com/freeipa/freeipa/pull/3316
master:
ipa-4-8:
Metadata Update from @ftweedal: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)