Many expired certificates are listed as VALID
ipa cert-find shows:
Issuing CA: ipa
Subject: CN=rufous.cora.nwra.com,O=NWRA.COM
Issuer: CN=Certificate Authority,O=NWRA.COM
Not Before: Fri Mar 01 17:45:42 2019 UTC
Not After: Mon Mar 01 17:45:42 2021 UTC
Serial number: 96
Serial number (hex): 0x60
Status: VALID
Revoked: False

Issuing CA: ipa
Subject: CN=rufous.cora.nwra.com,O=NWRA.COM
Issuer: CN=Certificate Authority,O=NWRA.COM
Not Before: Fri Mar 01 17:45:42 2019 UTC
Not After: Mon Mar 01 17:45:42 2021 UTC
Serial number: 96
Serial number (hex): 0x60
Status: EXPIRED
Revoked: False

ipa-server-4.8.7-14.module_el8.3.0+698+d6d67052.x86_64
ipa-client-4.8.7-14.module_el8.3.0+698+d6d67052.x86_64
389-ds-base-1.4.3.8-6.module_el8.3.0+604+ab7bf9cc.x86_64
pki-ca-10.9.4-3.module_el8.3.0+729+097af0d5.noarch
krb5-server-1.18.2-5.el8.x86_64
Some earlier certs do show as EXPIRED:
Issuing CA: ipa
Subject: CN=trident.nwra.com,O=NWRA.COM
Issuer: CN=Certificate Authority,O=NWRA.COM
Not Before: Wed Feb 07 15:26:45 2018 UTC
Not After: Sat Feb 08 15:26:45 2020 UTC
Serial number: 63
Serial number (hex): 0x3F
Status: EXPIRED
Revoked: False
but nothing later than that. Is EXPIRED no longer a thing?
Hi @orion, the code seems to indicate that the "Status" is taken from what is returned by the Certificate Server (https://pagure.io/freeipa/blob/a718e4a4ab11ab1949bb45c8f15054bd7f2427ab/f/ipaserver/plugins/dogtag.py#_1980).
What does an ldapsearch looking for the certStatus attribute return?
# ldapsearch -D cn=directory\ manager -W -b cn=<id>,ou=certificateRepository,ou=ca,o=ipaca certStatus

dn: cn=96,ou=certificateRepository,ou=ca,o=ipaca
certStatus: VALID
There do now appear to be 2 certificates for that machine:
# 96, certificateRepository, ca, ipaca
dn: cn=96,ou=certificateRepository,ou=ca,o=ipaca
cn: 96
issuedBy: ipara
autoRenew: ENABLED
certStatus: VALID
dateOfModify: 20190301164542Z
dateOfCreate: 20190301164542Z
signingAlgorithmId: 1.2.840.113549.1.1.11
algorithmId: 1.2.840.113549.1.1.1
version: 2
userCertificate;binary:: MIIEoTCCA4mgAwIBAgIBYDANBgkqhkiG9w0BAQsFADAzMREwDwYDV
 QQKDAhOV1JBLkNPTTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE5MDMwMjAwND
 U0MloXDTIxMDMwMjAwNDU0MlowMjERMA8GA1UECgwITldSQS5DT00xHTAbBgNVBAMMFHJ1Zm91cy5
 jb3JhLm53cmEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAopG13PPL7GAnexr0
 0pKoSY1WVu1EYHUClGWAUuU0qkm3VUK9NrIlkd64+tAKxhpJmi1XdAQb6Ul4mgzjfufcDW6LKvCiZ
 60Deo9dkxm8vUvmT8jN7YuBEPPhqQUBpMnwmFAYSqW0IPyVE9IuMJVHs8inaqLvHQz83AVk12SHxF
 Ezgti1ng0waH6pMoJVXKNROy5DKxan2sYqEjySgbG6bM2souixh36kIUOjAz4fA81wN+31XBTydhG
 ZWw13C2Wheh5wVrsGtPP7aVf/vZ3D36qQiwoi4QUTL2bRq3iNjOGvaDytokg+zXOHtIX1KV/IzFQm
 go8cDDJVKltNVjlYvQIDAQABo4IBvzCCAbswHwYDVR0jBBgwFoAUSa/zqasdpCGP322DyiDR0jqws
 1YwOgYIKwYBBQUHAQEELjAsMCoGCCsGAQUFBzABhh5odHRwOi8vaXBhLWNhLm53cmEuY29tL2NhL2
 9jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBzBgNVHR8
 EbDBqMGigMKAuhixodHRwOi8vaXBhLWNhLm53cmEuY29tL2lwYS9jcmwvTWFzdGVyQ1JMLmJpbqI0
 pDIwMDEOMAwGA1UECgwFaXBhY2ExHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAdBgNVH
 Q4EFgQU/zkjpahmL8NQFFa/Nmc2y4hZKOkwgZgGA1UdEQSBkDCBjYIUcnVmb3VzLmNvcmEubndyYS
 5jb22gMgYKKwYBBAGCNxQCA6AkDCJob3N0L3J1Zm91cy5jb3JhLm53cmEuY29tQE5XUkEuQ09NoEE
 GBisGAQUCAqA3MDWgChsITldSQS5DT02hJzAloAMCAQGhHjAcGwRob3N0GxRydWZvdXMuY29yYS5u
 d3JhLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAfz6LTO7l5h+yyAGobBLTS05KU+YT7F2tiohU3ZkGP
 hBkyt/EIVDWmrCAYVLe40yDvgUCm0xc+Vkf2xnLF4OvNr2obGS31N+IFgmCRM0RG6yuCqxgXMMgUE
 HPyBxF2FDF2tBx2LnTMnEnvFE3iCGr88evukuIyDasRn6V5T5gOxwawlisCVKBQ9RJalgfkBDc2TG
 1r3WD+vMbHqXmWbhu+b/ojLTJJhGuDoT2dJwbVulU05PUeW5YXLDsnh6gfOoEnks+Z+MCzVgmFnSt
 7wHOmKElRXSX43VSm+ApaNqyWuQ8fgFNkwNT2F1x8RmKcle0QloFcOJKzpQ+mLhWwKAl8w==
extension: 1.3.6.1.5.5.7.1.1
extension: 2.5.29.14
extension: 2.5.29.37
extension: 2.5.29.35
extension: 2.5.29.17
extension: 2.5.29.31
extension: 2.5.29.15
publicKeyData:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAopG13PPL7GAnexr00p
 KoSY1WVu1EYHUClGWAUuU0qkm3VUK9NrIlkd64+tAKxhpJmi1XdAQb6Ul4mgzjfufcDW6LKvCiZ60
 Deo9dkxm8vUvmT8jN7YuBEPPhqQUBpMnwmFAYSqW0IPyVE9IuMJVHs8inaqLvHQz83AVk12SHxFEz
 gti1ng0waH6pMoJVXKNROy5DKxan2sYqEjySgbG6bM2souixh36kIUOjAz4fA81wN+31XBTydhGZW
 w13C2Wheh5wVrsGtPP7aVf/vZ3D36qQiwoi4QUTL2bRq3iNjOGvaDytokg+zXOHtIX1KV/IzFQmgo
 8cDDJVKltNVjlYvQIDAQAB
issuerName: CN=Certificate Authority,O=NWRA.COM
subjectName: CN=rufous.cora.nwra.com,O=NWRA.COM
duration: 1163158400000
notAfter: 20210301164542Z
notBefore: 20190301164542Z
metaInfo: requestId:97
metaInfo: profileId:caIPAserviceCert
serialno: 0296
objectClass: top
objectClass: certificateRecord

# 536805401, certificateRepository, ca, ipaca
dn: cn=536805401,ou=certificateRepository,ou=ca,o=ipaca
objectClass: top
objectClass: certificateRecord
serialno: 09536805401
metaInfo: requestId:19990026
metaInfo: profileId:caIPAserviceCert
notBefore: 20210302170118Z
notAfter: 20230303170118Z
duration: 1163158400000
subjectName: CN=rufous.cora.nwra.com,O=NWRA.COM
issuerName: CN=Certificate Authority,O=NWRA.COM
publicKeyData:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArzRRPe0nXibm3XKpLG
 SZVELkWzzmlEAt6tQGvuT6g20216vbEEk2bSDrMdhGa98g3j/gjC4FlpjiaTDj0yZMjYoqr/ZWeod
 yGiVp4TEkOeG4cn4k9uwuWS+cm0a5WF/WQEhSf1P+kGW3Jsqkpehu7+XcsV0DH0QVc9eJrceQAM4t
 ny4brLiK4hbcqHSYDMr2025nLnRxB5LpE0N/htfX82aIDeiWbHWrMSHDAuWmt0+T/OGAd3DpwF03b
 +h+3i9QMF6Qo1iJ4kzJVxhnXLGV1kIqv4qEzijarESuZbB2Y8zhp6eusNW0lPTLv6CH/wxf/73R+q
 jBlKThNgrRrLmtTwIDAQAB
extension: 2.5.29.35
extension: 1.3.6.1.5.5.7.1.1
extension: 2.5.29.37
extension: 2.5.29.31
extension: 2.5.29.14
extension: 2.5.29.17
extension: 2.5.29.15
userCertificate;binary:: MIIEpDCCA4ygAwIBAgIEH/8AGTANBgkqhkiG9w0BAQsFADAzMREwD
 wYDVQQKDAhOV1JBLkNPTTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTIxMDMwMz
 AwMDExOFoXDTIzMDMwNDAwMDExOFowMjERMA8GA1UECgwITldSQS5DT00xHTAbBgNVBAMMFHJ1Zm9
 1cy5jb3JhLm53cmEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArzRRPe0nXibm
 3XKpLGSZVELkWzzmlEAt6tQGvuT6g20216vbEEk2bSDrMdhGa98g3j/gjC4FlpjiaTDj0yZMjYoqr
 /ZWeodyGiVp4TEkOeG4cn4k9uwuWS+cm0a5WF/WQEhSf1P+kGW3Jsqkpehu7+XcsV0DH0QVc9eJrc
 eQAM4tny4brLiK4hbcqHSYDMr2025nLnRxB5LpE0N/htfX82aIDeiWbHWrMSHDAuWmt0+T/OGAd3D
 pwF03b+h+3i9QMF6Qo1iJ4kzJVxhnXLGV1kIqv4qEzijarESuZbB2Y8zhp6eusNW0lPTLv6CH/wxf
 /73R+qjBlKThNgrRrLmtTwIDAQABo4IBvzCCAbswHwYDVR0jBBgwFoAUSa/zqasdpCGP322DyiDR0
 jqws1YwOgYIKwYBBQUHAQEELjAsMCoGCCsGAQUFBzABhh5odHRwOi8vaXBhLWNhLm53cmEuY29tL2
 NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBzBgN
 VHR8EbDBqMGigMKAuhixodHRwOi8vaXBhLWNhLm53cmEuY29tL2lwYS9jcmwvTWFzdGVyQ1JMLmJp
 bqI0pDIwMDEOMAwGA1UECgwFaXBhY2ExHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAdB
 gNVHQ4EFgQUyyltJvb7PD5gBSttwEHhyBIstLUwgZgGA1UdEQSBkDCBjYIUcnVmb3VzLmNvcmEubn
 dyYS5jb22gMgYKKwYBBAGCNxQCA6AkDCJob3N0L3J1Zm91cy5jb3JhLm53cmEuY29tQE5XUkEuQ09
 NoEEGBisGAQUCAqA3MDWgChsITldSQS5DT02hJzAloAMCAQGhHjAcGwRob3N0GxRydWZvdXMuY29y
 YS5ud3JhLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAIyCahn+7YFYYELsCbKD6Bi5qZLtTFGYoTB/uv
 MpQqVeVHZHp8gBhQLE3vwHM83lX6ml2QGbr43Xa0rSSgnoNybnOIU5Y/LmwbVdeLNw7Swuu1eKf9r
 85W1MUKIiM/GA5JgiEjMDYCebvtAAGylQ3Nk98kQUX+Iw7JJy+sDYkhvj0Ur328pI5BGaHsHgtRRY
 TMFVzncbvL01+h5BbOOcITKKdwfLS3i1aTm0pmOqCQzjGGHHkIkUcwViKQFVY8vjaRSg2OnnfCpA4
 /z3vz2mFu81gT3x+QEtnbFMqlVFeyZdNxD/0mVV0+3LoMAZzy2oENfzvheXXOkdWWI/2BUBbKA==
version: 2
algorithmId: 1.2.840.113549.1.1.1
signingAlgorithmId: 1.2.840.113549.1.1.11
dateOfCreate: 20210302170118Z
dateOfModify: 20210302170118Z
certStatus: VALID
autoRenew: ENABLED
issuedBy: ipara
cn: 536805401
Not sure if that affects anything. Is there some process that scans the ldap database and marks certs as expired?
@edewata can you assist with this?
To my understanding the server does update the cert status periodically. This is done by the CertStatusUpdateTask class: https://github.com/dogtagpki/pki/blob/v10.10/base/server/src/com/netscape/cmscore/dbs/CertificateRepository.java#L2677
So if it's not configured correctly, or something interrupted the thread, it might stop working.
I just added this page to describe the current behavior: https://github.com/dogtagpki/pki/wiki/Configuring-Certificate-Status-Update-Task Is the server a clone? It might need to be enabled manually.
Note: I wasn't the original writer of the code. I think instead of periodically updating the database it would be better not to store the cert status in the database, then let the client evaluate the cert validity based on the client's current time.
Where would this cs.cfg file be located? I can't find one on any of my IPA servers. At this point all of our IPA servers are replicas.
It should be in /etc/pki/pki-tomcat/ca/CS.cfg. I think you should only enable this on one of the servers.
/etc/pki/pki-tomcat/ca/CS.cfg
Ah, I missed the capitalization. It was disabled on all my servers - which seems fairly easy to have happen as servers are upgraded and replaced.
Re-enabled it on one and restarted the tomcat server - now the certs show as expired. Thanks.
Created https://github.com/freeipa/freeipa-healthcheck/issues/192 to check using freeipa-healthcheck.
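As an added example (not code from this ticket, FreeIPA or Dogtag), here is a small Python check in the spirit of the healthcheck request above and of Endi's point that the stored certStatus is only as fresh as the last CertStatusUpdateTask run: it reads ldapsearch output from the certificateRepository, recomputes the status from notBefore/notAfter at the current time, and reports records whose certStatus disagrees. The LDIF sample is constructed from the serials and dates quoted in this ticket plus one made-up revoked record under example.com; the status vocabulary (VALID, INVALID for not-yet-valid, EXPIRED, REVOKED, REVOKED_EXPIRED) is my understanding of Dogtag's certStatus values and is an assumption, not something the ticket states.

```python
"""Flag Dogtag certificateRepository records whose stored certStatus no longer
matches the certificate's own validity window (added example, not project code)."""
from __future__ import annotations

import sys
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample in the shape of
#   ldapsearch -LLL -b ou=certificateRepository,ou=ca,o=ipaca ...
# with a placeholder for the base64 certificate. The first two records use the
# serials and dates from the ticket; cn=64 is a made-up revoked record.
SAMPLE_LDIF = """\
dn: cn=96,ou=certificateRepository,ou=ca,o=ipaca
cn: 96
certStatus: VALID
notBefore: 20190301164542Z
notAfter: 20210301164542Z
subjectName: CN=rufous.cora.nwra.com,O=NWRA.COM
userCertificate;binary:: UExBQ0VIT0xERVI
 tTk9ULUEtUkVBTC1DRVJU

dn: cn=536805401,ou=certificateRepository,ou=ca,o=ipaca
cn: 536805401
certStatus: VALID
notBefore: 20210302170118Z
notAfter: 20230303170118Z
subjectName: CN=rufous.cora.nwra.com,O=NWRA.COM

dn: cn=64,ou=certificateRepository,ou=ca,o=ipaca
cn: 64
certStatus: REVOKED
notBefore: 20200207152645Z
notAfter: 20220208152645Z
subjectName: CN=revoked-host.example.com,O=EXAMPLE
"""


def parse_ldif(text: str) -> list[dict[str, str]]:
    """Minimal LDIF reader: unfolds continuation lines (RFC 2849), splits records
    on blank lines, skips comments and base64 ("::") values. Repeated attributes
    keep the last value; every attribute used below is single-valued."""
    unfolded: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of the previous line
        else:
            unfolded.append(raw)
    records: list[dict[str, str]] = []
    current: dict[str, str] = {}
    for line in unfolded + [""]:             # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep or value.startswith(":"):  # no separator, or a "::" base64 value
            continue
        current[attr.strip()] = value.strip()
    return records


def parse_gentime(value: str) -> datetime:
    """Dogtag stores GeneralizedTime in UTC, e.g. 20210301164542Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def expected_status(record: dict[str, str], now: datetime) -> str:
    """Status the record should carry at `now` (assumed Dogtag vocabulary).
    Revocation is authoritative; only its EXPIRED suffix depends on the clock."""
    revoked = record.get("certStatus", "").startswith("REVOKED")
    if now > parse_gentime(record["notAfter"]):
        return "REVOKED_EXPIRED" if revoked else "EXPIRED"
    if revoked:
        return "REVOKED"
    if now < parse_gentime(record["notBefore"]):
        return "INVALID"
    return "VALID"


@dataclass(frozen=True)
class Finding:
    cn: str
    subject: str
    stored: str
    expected: str
    not_after: str


def find_stale_status(text: str, now: datetime) -> list[Finding]:
    """Records whose stored certStatus disagrees with their dates at `now`."""
    findings: list[Finding] = []
    for rec in parse_ldif(text):
        if "notAfter" not in rec or "notBefore" not in rec:
            continue                         # not a certificateRecord
        stored, expected = rec.get("certStatus", ""), expected_status(rec, now)
        if stored != expected:
            findings.append(Finding(rec.get("cn", "?"), rec.get("subjectName", "?"),
                                    stored, expected, rec["notAfter"]))
    return findings


if __name__ == "__main__":
    # Pipe real `ldapsearch -LLL` output in; with no input, use the constructed sample.
    source = SAMPLE_LDIF if sys.stdin.isatty() else (sys.stdin.read() or SAMPLE_LDIF)
    for f in find_stale_status(source, datetime.now(timezone.utc)):
        print(f"cn={f.cn} {f.subject}: certStatus={f.stored} but should be "
              f"{f.expected} (notAfter {f.not_after})")
```

Run against a real server with the Directory Manager bind from the earlier comment piped into the script; an empty report means the update task is keeping up, while a list of VALID-but-expired records is the symptom this ticket describes and a cue to check the task configuration in /etc/pki/pki-tomcat/ca/CS.cfg.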
We should probably track this along with CRL generator and renewal master, at least in the upstream docs.
@frenaud what do you think about tying this with the CRL generator?
We can add a new function to ipaserver/install/cainstance.py to enable/disable this per Endi's instructions and execute it within ipa-crlgen-manage.
@rcritten it can either be tied with CA renewal master or CRL generation, and I agree it makes more sense with the CRL generation. We will also need to update the man page of ipa-crlgen-manage (I see you already updated the wiki page https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master, thanks for that!) and the Admin guide.