Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1788907
Description of problem:

When renewal of the CA subsystem's associated certs below is due:

~~~
'subsystemCert cert-pki-ca'
'ocspSigningCert cert-pki-ca'
'auditSigningCert cert-pki-ca'
'/var/lib/ipa/ra-agent.pem'
~~~

A non-renewal master CA might submit a renewal request before the renewal master actually updates the certs. This is expected. But if certmonger on this node is stopped/interrupted for any reason while the resubmit request is in "CA_WORKING" state, it will not be able to track changes to this cert anymore.

Version-Release number of selected component (if applicable):

~~~
certmonger-0.78.4-11.el7.x86_64
ipa-server-4.6.5-11.el7_7.3.x86_64
~~~

How reproducible:
Always

Steps to Reproduce:

1. Install an IPA master + one or more CA replicas, self-signed certs.
2. On a non-renewal master, resubmit a cert request:
   ~~~
   # getcert resubmit -f /var/lib/ipa/ra-agent.pem
   ~~~
3. While the submission is in "CA_WORKING" state, stop then start certmonger.
4. Now we get an invalid cookie state for "ra-agent.pem":
   ~~~
   # getcert list -f /var/lib/ipa/ra-agent.pem
   [...]
   ca-error: Invalid cookie: u''
   [...]
   ~~~
5. This CA will not pick up any changes to this cert anymore.

Actual results:
Newly generated certs by the renewal master are not picked up by affected CAs, breaking operations related to certs, for example ipa host-add/host-del.

Expected results:
Certmonger tracks certs in between reboots/interruptions and while in "CA_WORKING" state.
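The failure described in the steps above shows up in `getcert list` as a request for one of the four shared certs carrying a `ca-error: Invalid cookie` line, or as a request still sitting in `CA_WORKING` (the state in which a certmonger restart triggers the bug). The following check is an added example, not code from the ticket, FreeIPA or certmonger: it parses `getcert list` output and reports the affected requests on a non-renewal master. It assumes Python 3.7+ and the `getcert list` output layout shown in the sample, which is constructed here rather than captured from a real server.

```python
"""Scan `getcert list` output for certmonger requests whose tracking of the
renewal master's certs is broken (the 'Invalid cookie' condition) or at risk
(still in CA_WORKING).  Added example, not FreeIPA/certmonger code."""
import re
import subprocess

# The certs the renewal master renews; other CA masters only pick up the
# renewed copies, so these are the requests the bug affects.
SHARED_CERTS = (
    "subsystemCert cert-pki-ca",
    "ocspSigningCert cert-pki-ca",
    "auditSigningCert cert-pki-ca",
    "/var/lib/ipa/ra-agent.pem",
)

# Constructed sample modelled on `getcert list` output (not a real capture):
# one request with the invalid-cookie error, one still in CA_WORKING, and one
# unrelated request that must be ignored.
SAMPLE_OUTPUT = """Number of certificates and requests being tracked: 3.
Request ID '20200109120000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
\tcertificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
\tCA: dogtag-ipa-ca-renew-agent
\tca-error: Invalid cookie: u''
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=IPA RA,O=EXAMPLE.TEST
\texpires: 2021-01-09 12:00:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20200109120001':
\tstatus: CA_WORKING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=OCSP Subsystem,O=EXAMPLE.TEST
\texpires: 2021-01-09 12:00:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20200109120002':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=replica1.example.test,O=EXAMPLE.TEST
\texpires: 2021-01-09 12:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per 'Request ID' block.

    Each tab-indented 'key: value' line becomes a dict entry; the value keeps
    any further colons, so 'ca-error: Invalid cookie: u'''' survives intact.
    """
    requests = []
    current = None
    for line in text.splitlines():
        header = re.match(r"Request ID '([^']+)':", line)
        if header:
            current = {"id": header.group(1)}
            requests.append(current)
            continue
        if current is not None and line.startswith("\t") and ": " in line:
            key, value = line.strip().split(": ", 1)
            current[key] = value
    return requests


def cert_name(req):
    """Name the cert the way the ticket does: NSS nickname or file path."""
    cert = req.get("certificate", "")
    nick = re.search(r"nickname='([^']+)'", cert)
    if nick:
        return nick.group(1)
    loc = re.search(r"location='([^']+)'", cert)
    return loc.group(1) if loc else "?"


def find_broken_tracking(requests):
    """Return (request id, cert name, reason) for shared certs that already
    show a ca-error or are still in CA_WORKING."""
    findings = []
    for req in requests:
        name = cert_name(req)
        if name not in SHARED_CERTS:
            continue
        if "ca-error" in req:
            findings.append((req["id"], name, "ca-error: " + req["ca-error"]))
        elif req.get("status") == "CA_WORKING":
            findings.append((req["id"], name,
                             "still in CA_WORKING; do not restart certmonger until it leaves this state"))
    return findings


def main():
    try:
        output = subprocess.run(["getcert", "list"], capture_output=True,
                                text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        print("getcert not available, using the constructed sample output")
        output = SAMPLE_OUTPUT
    for req_id, name, reason in find_broken_tracking(parse_getcert_list(output)):
        print("request {} ({}): {}".format(req_id, name, reason))


if __name__ == "__main__":
    main()
```

Run it as root on each non-renewal CA master (certmonger's tracking is per host, so the renewal master itself reports nothing); a request listed with `ca-error: Invalid cookie` is one that, per the ticket, will no longer pick up the certs published by the renewal master.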
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1788907
Metadata Update from @rcritten: - Issue assigned to rcritten
master:
ipa-4-8:
ipa-4-7:
ipa-4-6:
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)