#8545 KRA Transport and Storage Certificates do not renew
Closed: fixed 4 months ago by frenaud. Opened 6 months ago by rcritten.

Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1869605

Description of problem:
My long-running FreeIPA public demo instance (upgraded to the newest Fedora
from 2018) cannot update KRA certificates. They always end up with error
"Server at "http://ipa.demo1.freeipa.org:8080/ca/ee/ca/profileSubmit" replied:
Missing credential: sessionID"

# getcert list -i 20190903113316
Number of certificates and requests being tracked: 11.
Request ID '20190903113316':
        status: CA_UNREACHABLE
        ca-error: Internal error
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='storageCert
cert-pki-kra',token='NSS Certificate DB',pin set
        certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='storageCert
cert-pki-kra',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=DEMO1.FREEIPA.ORG
        subject: CN=KRA Storage Certificate,O=DEMO1.FREEIPA.ORG
        expires: 2020-08-19 10:35:41 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-clientAuth
        profile: caInternalAuthDRMstorageCert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"storageCert cert-pki-kra"
        track: yes
        auto-renew: yes

# getcert resubmit -i 20190903113316


# getcert list -i 20190903113316
Number of certificates and requests being tracked: 11.
Request ID '20190903113316':
        status: MONITORING
        ca-error: Server at
"http://ipa.demo1.freeipa.org:8080/ca/ee/ca/profileSubmit" replied: Missing
credential: sessionID
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='storageCert
cert-pki-kra',token='NSS Certificate DB',pin set
        certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='storageCert
cert-pki-kra',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=DEMO1.FREEIPA.ORG
        subject: CN=KRA Storage Certificate,O=DEMO1.FREEIPA.ORG
        expires: 2020-08-19 10:35:41 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-clientAuth
        profile: caInternalAuthDRMstorageCert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"storageCert cert-pki-kra"
        track: yes
        auto-renew: yes


Version-Release number of selected component (if applicable):
freeipa-server-4.8.7-1.fc32.x86_64
pki-ca-10.9.0-0.4.fc32.noarch
pki-kra-10.9.0-0.4.fc32.noarch
certmonger-0.79.11-2.fc32.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Check the status of renewed certificates with "getcert list"
2. Move the date or wait 1 week before KRA Transport/Storage Certificate
expires
3. See if the certificate renews

Actual results:
Certificate does not renew

Expected results:
Certificate renews

Additional info:
I assume that the root cause is somewhere in updates of the certmonger tracking
list.

Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1869605

6 months ago

Metadata Update from @rcritten:
- Issue assigned to rcritten

6 months ago

CS is going to deliver a new profile for the audit signing certificate. The transport and storage certificates will use different, existing profiles.

The fix on the IPA side is to modify the expected profiles in krainstance.py and run ipa-server-upgrade to load the new profile into LDAP and re-generated the certmonger tracking requests.

The IPA diff is:

diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance
.py
index a5f1694..2bcff3bc0 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -65,9 +65,9 @@ class KRAInstance(DogtagInstance):
# use for that certificate. 'configure_renewal()' reads this
# dict. The profile MUST be specified.
tracking_reqs = {
- 'auditSigningCert cert-pki-kra': 'caInternalAuthAuditSigningCert',
- 'transportCert cert-pki-kra': 'caInternalAuthTransportCert',
- 'storageCert cert-pki-kra': 'caInternalAuthDRMstorageCert',
+ 'auditSigningCert cert-pki-kra': 'caAuditSigningCert',
+ 'transportCert cert-pki-kra': 'caTransportCert',
+ 'storageCert cert-pki-kra': 'caStorageCert',
}

 def __init__(self, realm):

The new caAuditSigningCert profile was added in nightly build pki-ca-10.10.0-0.1.alpha1.20201014121037UTC.4f4e5a29.fc32.noarch

I've manually tested upgrades and fresh installs then forced renewal on all three certs and they were all successfully renewed.

master:

  • b691850 Change KRA profiles in certmonger tracking so they can renew
  • 0037b69 Test that the KRA profiles can renewal its three certificates
  • 6816de0 Require PKI 10.10+ for KRA profile and ACME support

ipa-4-8:

  • 69adf81 Change KRA profiles in certmonger tracking so they can renew
  • c3c577a Test that the KRA profiles can renewal its three certificates
  • c165901 Require PKI 10.10+ for KRA profile and ACME support

ipa-4-9:

  • a9e1c01 Change KRA profiles in certmonger tracking so they can renew
  • bd4771d Test that the KRA profiles can renewal its three certificates
  • 3e530e9 Require PKI 10.10+ for KRA profile and ACME support

The ticket can be closed as the fixes were backported to all the relevant branches (issue not present on ipa-4-6).

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

4 months ago

Login to comment on this ticket.

Metadata