#8702 ipa-cert-fix: False Positive Status for cert renewal.
Closed: fixed 2 years ago by abbra. Opened 3 years ago by rcritten.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1780317

Description of problem:

[root@master ~]# getcert list|grep -e expire -e certificate:
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        expires: 2021-11-24 10:20:04 EST
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2021-11-24 10:19:26 EST
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2021-11-24 10:19:26 EST
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2021-11-24 10:19:26 EST
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2039-12-05 10:19:25 EST
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        expires: 2021-11-24 10:19:26 EST
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-TESTREALM-TEST',nickname='Server-Cert',token='NSS Certificate DB'
        expires: 2021-12-05 10:20:58 EST
        certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
        expires: 2021-12-05 10:21:24 EST
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        expires: 2021-12-05 10:21:38 EST


[root@master ~]# hwclock --set --date="2025-08-14 16:45:05"
[root@master ~]# hwclock --hctosys; date
Thu Aug 14 16:45:10 EDT 2025


[root@master ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful


[root@master ~]# date
Thu Aug 14 16:47:48 EDT 2025


[root@master ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

[root@master ~]# ipa-cert-fix

                          WARNING

ipa-cert-fix is intended for recovery when expired certificates
prevent the normal operation of FreeIPA.  It should ONLY be used
in such scenarios, and backup of the system, especially certificates
and keys, is STRONGLY RECOMMENDED.


The following certificates will be renewed:

Dogtag sslserver certificate:
  Subject: CN=master.testrealm.test,O=TESTREALM.TEST
  Serial:  3
  Expires: 2021-11-24 15:19:26

Dogtag subsystem certificate:
  Subject: CN=CA Subsystem,O=TESTREALM.TEST
  Serial:  4
  Expires: 2021-11-24 15:19:26

Dogtag ca_ocsp_signing certificate:
  Subject: CN=OCSP Subsystem,O=TESTREALM.TEST
  Serial:  2
  Expires: 2021-11-24 15:19:26

Dogtag ca_audit_signing certificate:
  Subject: CN=CA Audit,O=TESTREALM.TEST
  Serial:  5
  Expires: 2021-11-24 15:19:26

IPA IPA RA certificate:
  Subject: CN=IPA RA,O=TESTREALM.TEST
  Serial:  7
  Expires: 2021-11-24 15:20:04

IPA Apache HTTPS certificate:
  Subject: CN=master.testrealm.test,O=TESTREALM.TEST
  Serial:  9
  Expires: 2021-12-05 15:21:24

IPA LDAP certificate:
  Subject: CN=master.testrealm.test,O=TESTREALM.TEST
  Serial:  8
  Expires: 2021-12-05 15:20:58

IPA KDC certificate:
  Subject: CN=master.testrealm.test,O=TESTREALM.TEST
  Serial:  10
  Expires: 2021-12-05 15:21:38

Enter "yes" to proceed: yes
Proceeding.
Renewed Dogtag sslserver certificate:
  Subject: CN=master.testrealm.test,O=TESTREALM.TEST
  Serial:  15
  Expires: 2027-08-04 20:49:57

Renewed Dogtag subsystem certificate:
  Subject: CN=CA Subsystem,O=TESTREALM.TEST
  Serial:  16
  Expires: 2027-08-04 20:49:58

Renewed Dogtag ca_ocsp_signing certificate:
  Subject: CN=OCSP Subsystem,O=TESTREALM.TEST
  Serial:  17
  Expires: 2027-08-04 20:49:59

Renewed Dogtag ca_audit_signing certificate:
  Subject: CN=CA Audit,O=TESTREALM.TEST
  Serial:  18
  Expires: 2027-08-04 20:49:59

Renewed IPA IPA RA certificate:
  Subject: CN=IPA RA,O=TESTREALM.TEST
  Serial:  19
  Expires: 2027-08-04 20:49:59

Renewed IPA Apache HTTPS certificate:
  Subject: CN=master.testrealm.test,O=TESTREALM.TEST
  Serial:  20
  Expires: 2027-08-15 20:50:00

Renewed IPA LDAP certificate:
  Subject: CN=master.testrealm.test,O=TESTREALM.TEST
  Serial:  21
  Expires: 2027-08-15 20:50:00

Renewed IPA KDC certificate:
  Subject: CN=master.testrealm.test,O=TESTREALM.TEST
  Serial:  22
  Expires: 2027-08-15 20:50:01

Becoming renewal master.
The ipa-cert-fix command was successful


[root@master ~]# getcert list|grep -e expire -e certificate:
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        expires: 2021-11-24 10:20:04 EST
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2021-11-24 10:19:26 EST
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2021-11-24 10:19:26 EST
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2021-11-24 10:19:26 EST
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2039-12-05 10:19:25 EST
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        expires: 2021-11-24 10:19:26 EST
        ca-error: Server at https://master.testrealm.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://master.testrealm.test/ipa/xml' failed.  libcurl failed even to execute the HTTP transaction, explaining:  SSL certificate problem: certificate has expired).
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-TESTREALM-TEST',nickname='Server-Cert',token='NSS Certificate DB'
        expires: 2021-12-05 10:20:58 EST
        ca-error: Server at https://master.testrealm.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://master.testrealm.test/ipa/xml' failed.  libcurl failed even to execute the HTTP transaction, explaining:  SSL certificate problem: certificate has expired).
        certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
        expires: 2021-12-05 10:21:24 EST
        ca-error: Server at https://master.testrealm.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://master.testrealm.test/ipa/xml' failed.  libcurl failed even to execute the HTTP transaction, explaining:  SSL certificate problem: certificate has expired).
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        expires: 2021-12-05 10:21:38 EST

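An added post-run check, not part of the ticket or of FreeIPA itself: it parses the filtered `getcert list` output shown above and flags tracking requests that certmonger still reports as expired or as failing with a ca-error, which is exactly the state ipa-cert-fix's success message does not reflect. The sample output and the clock value are constructed from the ticket's listing, and wrapped lines are joined the way the pasted output above wraps them.

```python
import re
from datetime import datetime
# Constructed sample shaped like the ticket's post-fix `getcert list | grep -e expire -e certificate:` output.
SAMPLE = """\
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        expires: 2021-11-24 10:20:04 EST
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        expires: 2021-11-24 10:19:26 EST
        ca-error: Server at https://master.testrealm.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL
'https://master.testrealm.test/ipa/xml' failed.  libcurl failed even to execute the HTTP transaction, explaining:  SSL certificate problem: certificate has expired).
        certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
        expires: 2027-08-15 16:50:00 EDT
"""
TICKET_NOW = datetime(2025, 8, 14, 16, 47, 48)  # the reporter's clock after hwclock --set (from the ticket)
FIELD_RE = re.compile(r"^\s*(certificate|expires|ca-error):\s*(.*)$")

def parse_getcert(text):
    """One dict per tracked certificate; a line with no field name is a wrapped continuation."""
    entries, current, last_key = [], None, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "certificate":
                current = {"certificate": value}
                entries.append(current)
            elif current is not None:
                current[key] = value
            last_key = key
        elif current is not None and last_key and line.strip():
            current[last_key] += " " + line.strip()
    return entries

def parse_expiry(value):
    # certmonger prints a local zone abbreviation (EST/EDT) that %Z cannot parse portably; drop it.
    return datetime.strptime(value.rsplit(" ", 1)[0], "%Y-%m-%d %H:%M:%S")

def stale_entries(text, now):
    """Return (certificate, reason) for entries certmonger still reports as expired or failing."""
    problems = []
    for entry in parse_getcert(text):
        reasons = []
        if "expires" in entry and parse_expiry(entry["expires"]) <= now:
            reasons.append("expired " + entry["expires"])
        if "ca-error" in entry:
            reasons.append("ca-error: " + entry["ca-error"].split("(")[0].strip())
        if reasons:
            problems.append((entry["certificate"], "; ".join(reasons)))
    return problems
```

Run it against the real `getcert list` output after ipa-cert-fix: an empty result means certmonger has caught up, while any entry listed still needs a `getcert resubmit` or a certmonger restart before the renewal is actually in effect.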


Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1780317

3 years ago

Metadata Update from @rcritten:
- Issue assigned to rcritten

3 years ago

Metadata Update from @frenaud:
- Issue assigned to frenaud (was: rcritten)

2 years ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5825

2 years ago

master:

  • 5509e00 ipa-cert-fix man page: add note about certmonger renewal

ipa-4-9:

  • 06a445a ipa-cert-fix man page: add note about certmonger renewal

Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago
