Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1869605
Description of problem:

My long-running FreeIPA public demo instance (upgraded to the newest Fedora from 2018) cannot update KRA certificates. They always end up with error "Server at "http://ipa.demo1.freeipa.org:8080/ca/ee/ca/profileSubmit" replied: Missing credential: sessionID"

# getcert list -i 20190903113316
Number of certificates and requests being tracked: 11.
Request ID '20190903113316':
    status: CA_UNREACHABLE
    ca-error: Internal error
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='storageCert cert-pki-kra',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='storageCert cert-pki-kra',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=DEMO1.FREEIPA.ORG
    subject: CN=KRA Storage Certificate,O=DEMO1.FREEIPA.ORG
    expires: 2020-08-19 10:35:41 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-clientAuth
    profile: caInternalAuthDRMstorageCert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "storageCert cert-pki-kra"
    track: yes
    auto-renew: yes

# getcert resubmit -i 20190903113316
# getcert list -i 20190903113316
Number of certificates and requests being tracked: 11.
Request ID '20190903113316':
    status: MONITORING
    ca-error: Server at "http://ipa.demo1.freeipa.org:8080/ca/ee/ca/profileSubmit" replied: Missing credential: sessionID
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='storageCert cert-pki-kra',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='storageCert cert-pki-kra',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=DEMO1.FREEIPA.ORG
    subject: CN=KRA Storage Certificate,O=DEMO1.FREEIPA.ORG
    expires: 2020-08-19 10:35:41 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-clientAuth
    profile: caInternalAuthDRMstorageCert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "storageCert cert-pki-kra"
    track: yes
    auto-renew: yes

Version-Release number of selected component (if applicable):
freeipa-server-4.8.7-1.fc32.x86_64
pki-ca-10.9.0-0.4.fc32.noarch
pki-kra-10.9.0-0.4.fc32.noarch
certmonger-0.79.11-2.fc32.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Check the status of renewed certificates with "getcert list"
2. Move the date or wait 1 week before KRA Transport/Storage Certificate expires
3. See if the certificate renews

Actual results:
Certificate does not renew

Expected results:
Certificate renews

Additional info:
I assume that the root cause is somewhere in updates of the certmonger tracking list.
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1869605
Metadata Update from @rcritten: - Issue assigned to rcritten
CS is going to deliver a new profile for the audit signing certificate. The transport and storage certificates will use different, existing profiles.
The fix on the IPA side is to modify the expected profiles in krainstance.py and run ipa-server-upgrade to load the new profile into LDAP and re-generate the certmonger tracking requests.
The IPA diff is:
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance .py index a5f1694..2bcff3bc0 100644 --- a/ipaserver/install/krainstance.py +++ b/ipaserver/install/krainstance.py @@ -65,9 +65,9 @@ class KRAInstance(DogtagInstance): # use for that certificate. 'configure_renewal()' reads this # dict. The profile MUST be specified. tracking_reqs = { - 'auditSigningCert cert-pki-kra': 'caInternalAuthAuditSigningCert', - 'transportCert cert-pki-kra': 'caInternalAuthTransportCert', - 'storageCert cert-pki-kra': 'caInternalAuthDRMstorageCert', + 'auditSigningCert cert-pki-kra': 'caAuditSigningCert', + 'transportCert cert-pki-kra': 'caTransportCert', + 'storageCert cert-pki-kra': 'caStorageCert', }
def __init__(self, realm):
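Review bot: the renamed profiles in the tracking_reqs dict carry no guard on the CA version that provides them; caAuditSigningCert only exists in the pki-ca nightly named in this ticket (pki-ca-10.10.0-0.1.alpha1...), so on a server still running pki-ca-10.9.0 a renewal submitted with the new name will be rejected just as the old name is today. The package dependency on pki-ca should be bumped to the version that ships the profile, and the ipa-server-upgrade step that re-generates the tracking requests should be verified to rewrite the profile on already-tracked requests (the reporter's storageCert request still shows profile: caInternalAuthDRMstorageCert), not only on fresh installs.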
The new caAuditSigningCert profile was added in nightly build pki-ca-10.10.0-0.1.alpha1.20201014121037UTC.4f4e5a29.fc32.noarch
I've manually tested upgrades and fresh installs then forced renewal on all three certs and they were all successfully renewed.
https://github.com/freeipa/freeipa/pull/5199
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1869605, https://bugzilla.redhat.com/show_bug.cgi?id=1872603 (was: https://bugzilla.redhat.com/show_bug.cgi?id=1869605)
Issue linked to Bugzilla: Bug 1872603
master:
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1869605, https://bugzilla.redhat.com/show_bug.cgi?id=1872603, https://bugzilla.redhat.com/show_bug.cgi?id=1872604 (was: https://bugzilla.redhat.com/show_bug.cgi?id=1869605, https://bugzilla.redhat.com/show_bug.cgi?id=1872603)
Issue linked to Bugzilla: Bug 1872604
ipa-4-8:
ipa-4-9:
The ticket can be closed as the fixes were backported to all the relevant branches (issue not present on ipa-4-6).
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)