#8644 ipa-certupdate drops profile from the caSigningCert tracking
Closed: fixed 3 years ago by frenaud. Opened 3 years ago by rcritten.

Issue

ipa-certupdate is modifying the certmonger tracking by dropping the profile from the 'caSigningCert cert-pki-ca' certmonger configuration.

Steps to Reproduce

  1. ipa-server-install <options, I included dns>
  2. ipa-healthcheck <should be zero issues>
  3. ipa-certupdate
  4. ipa-healthcheck <fails with below>

[
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertTracking",
    "result": "ERROR",
    "uuid": "06fc99e8-037c-49ed-bd97-9703c82e1b04",
    "when": "20210104205952Z",
    "duration": "0.287840",
    "kw": {
      "key": "cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=caSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"caSigningCert cert-pki-ca\", template-profile=caCACert",
      "msg": "Expected certmonger tracking is missing for {key}. Automated renewal will not happen for this certificate"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertTracking",
    "result": "WARNING",
    "uuid": "f6af4114-bb3e-4cb4-a79d-2dc3b4856583",
    "when": "20210104205953Z",
    "duration": "0.401806",
    "kw": {
      "key": "20210104201139",
      "msg": "certmonger tracking request {key} found and is not expected on an IPA master."
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertDNSSAN",
    "result": "ERROR",
    "uuid": "2e5b118b-9a5c-4bdf-8c1f-c5337aa3c292",
    "when": "20210104205953Z",
    "duration": "0.309905",
    "kw": {
      "key": null,
      "msg": "Found request id {key} but it is not trackedby certmonger!?"
    }
  }
]

Running ipa-server-upgrade fixes the tracking.

Version/Release/Distribution

Reported initially on freeipa-users and followed up on irc. Seen on RHEL 8.3 (ipa-server-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64) and reproduced with ipa master.
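Added example (not part of this ticket, of ipa-certupdate or of ipa-healthcheck): a small Python script that triages ipa-healthcheck JSON output of the shape quoted above. It splits the "key" of an IPACertTracking ERROR into the individual certmonger attributes the check expected, so an operator can see at a glance which attribute the live tracking request must carry (here template-profile=caCACert, the one ipa-certupdate dropped). It assumes the JSON layout shown in the ticket (source/check/result/kw with key and msg) and that the IPACertTracking key is a ", "-separated list of attr=value pairs, as in the output above; the sample input is a constructed, trimmed copy of that output.

```python
"""Triage ipa-healthcheck JSON output for certmonger tracking problems.

Added example, not code from the FreeIPA project or ipa-healthcheck.
"""
import json

# Constructed sample: a trimmed copy of the ipa-healthcheck output quoted in
# the ticket (uuid/when/duration omitted, DNS SAN check shown as passing).
SAMPLE_OUTPUT = json.dumps([
    {
        "source": "ipahealthcheck.ipa.certs",
        "check": "IPACertTracking",
        "result": "ERROR",
        "kw": {
            "key": ("cert-database=/etc/pki/pki-tomcat/alias, "
                    "cert-nickname=caSigningCert cert-pki-ca, "
                    "ca-name=dogtag-ipa-ca-renew-agent, "
                    "cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, "
                    "cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert "
                    "\"caSigningCert cert-pki-ca\", "
                    "template-profile=caCACert"),
            "msg": ("Expected certmonger tracking is missing for {key}. "
                    "Automated renewal will not happen for this certificate"),
        },
    },
    {
        "source": "ipahealthcheck.ipa.certs",
        "check": "IPACertTracking",
        "result": "WARNING",
        "kw": {
            "key": "20210104201139",
            "msg": "certmonger tracking request {key} found and is not expected on an IPA master.",
        },
    },
    {
        "source": "ipahealthcheck.ipa.certs",
        "check": "IPACertDNSSAN",
        "result": "SUCCESS",
        "kw": {},
    },
])


def parse_tracking_key(key):
    """Split the 'attr=value, attr=value' key string into a dict.

    Values may contain spaces and quotes (the post-save command does), but
    ipa-healthcheck separates attributes with ', ' and each value starts
    after the first '=', so a single split on each is enough.
    """
    attrs = {}
    for part in key.split(", "):
        name, _, value = part.partition("=")
        attrs[name.strip()] = value
    return attrs


def triage(healthcheck_json):
    """Return one finding per non-SUCCESS entry, with {key} expanded in msg.

    IPACertTracking errors additionally carry an 'expected' dict of the
    certmonger attributes the check wanted to find on the tracking request.
    """
    findings = []
    for entry in json.loads(healthcheck_json):
        if entry.get("result") == "SUCCESS":
            continue
        kw = entry.get("kw", {})
        key = kw.get("key")
        finding = {
            "check": entry.get("check"),
            "result": entry.get("result"),
            "msg": kw.get("msg", "").replace("{key}", str(key)),
        }
        if entry.get("check") == "IPACertTracking" and isinstance(key, str) and "=" in key:
            finding["expected"] = parse_tracking_key(key)
        findings.append(finding)
    return findings


def missing_tracking_profiles(healthcheck_json):
    """Map cert nickname -> expected template-profile for every tracking
    request ipa-healthcheck reported as missing."""
    profiles = {}
    for finding in triage(healthcheck_json):
        expected = finding.get("expected")
        if finding["result"] == "ERROR" and expected:
            profiles[expected.get("cert-nickname")] = expected.get("template-profile")
    return profiles


if __name__ == "__main__":
    # Real use: python3 triage.py < <(ipa-healthcheck --output-type json)
    for finding in triage(SAMPLE_OUTPUT):
        print(f"{finding['result']:8} {finding['check']}: {finding['msg']}")
    print("missing tracking, expected profile:", missing_tracking_profiles(SAMPLE_OUTPUT))
```

For the sample above the script reports the missing caSigningCert tracking together with the expected profile caCACert, and the orphaned request id 20210104201139 that certmonger still holds; comparing the two is exactly the diagnosis the ticket describes.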


Metadata Update from @rcritten:
- Issue assigned to rcritten

3 years ago

Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1912845

3 years ago

master:

  • 53f4fd9 Don't change the CA profile when modifying request in ipa_certupdate
  • 8e9fecd ipatests: test that no errors are reported after ipa-certupdate

ipa-4-9:

  • 10ba43a Don't change the CA profile when modifying request in ipa_certupdate
  • ad1764a ipatests: test that no errors are reported after ipa-certupdate

ipa-4-8:

  • f2fecbd Don't change the CA profile when modifying request in ipa_certupdate
  • 42bdcfb ipatests: test that no errors are reported after ipa-certupdate

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago

Metadata Update from @abbra:
- Custom field changelog adjusted to ipa-certupdate tool now honors CA profile specified in the certificate request it tries to update

3 years ago
