#8790 Expired certificates are listed as VALID instead of EXPIRED
Opened 3 years ago by orion. Modified 2 years ago

Issue

Many expired certificates are listed as VALID

Actual behavior

ipa cert-find shows:

  Issuing CA: ipa
  Subject: CN=rufous.cora.nwra.com,O=NWRA.COM
  Issuer: CN=Certificate Authority,O=NWRA.COM
  Not Before: Fri Mar 01 17:45:42 2019 UTC
  Not After: Mon Mar 01 17:45:42 2021 UTC
  Serial number: 96
  Serial number (hex): 0x60
  Status: VALID
  Revoked: False

Expected behavior

  Issuing CA: ipa
  Subject: CN=rufous.cora.nwra.com,O=NWRA.COM
  Issuer: CN=Certificate Authority,O=NWRA.COM
  Not Before: Fri Mar 01 17:45:42 2019 UTC
  Not After: Mon Mar 01 17:45:42 2021 UTC
  Serial number: 96
  Serial number (hex): 0x60
  Status: EXPIRED
  Revoked: False

Version/Release/Distribution

ipa-server-4.8.7-14.module_el8.3.0+698+d6d67052.x86_64
ipa-client-4.8.7-14.module_el8.3.0+698+d6d67052.x86_64
389-ds-base-1.4.3.8-6.module_el8.3.0+604+ab7bf9cc.x86_64
pki-ca-10.9.4-3.module_el8.3.0+729+097af0d5.noarch
krb5-server-1.18.2-5.el8.x86_64

Additional info:

Some earlier certs do show as EXPIRED:

  Issuing CA: ipa
  Subject: CN=trident.nwra.com,O=NWRA.COM
  Issuer: CN=Certificate Authority,O=NWRA.COM
  Not Before: Wed Feb 07 15:26:45 2018 UTC
  Not After: Sat Feb 08 15:26:45 2020 UTC
  Serial number: 63
  Serial number (hex): 0x3F
  Status: EXPIRED
  Revoked: False

but nothing later than that. Is EXPIRED no longer a thing?


Hi @orion,
The code seems to indicate that the "Status" is taken from what is returned by the Certificate Server (https://pagure.io/freeipa/blob/a718e4a4ab11ab1949bb45c8f15054bd7f2427ab/f/ipaserver/plugins/dogtag.py#_1980).

What does an ldapsearch looking for the certStatus attribute return?

# ldapsearch -D cn=directory\ manager -W -b cn=<id>,ou=certificateRepository,ou=ca,o=ipaca certStatus
dn: cn=96,ou=certificateRepository,ou=ca,o=ipaca
certStatus: VALID

There do now appear to be 2 certificates for that machine:

# 96, certificateRepository, ca, ipaca
dn: cn=96,ou=certificateRepository,ou=ca,o=ipaca
cn: 96
issuedBy: ipara
autoRenew: ENABLED
certStatus: VALID
dateOfModify: 20190301164542Z
dateOfCreate: 20190301164542Z
signingAlgorithmId: 1.2.840.113549.1.1.11
algorithmId: 1.2.840.113549.1.1.1
version: 2
userCertificate;binary:: [base64 certificate blob omitted]
extension: 1.3.6.1.5.5.7.1.1
extension: 2.5.29.14
extension: 2.5.29.37
extension: 2.5.29.35
extension: 2.5.29.17
extension: 2.5.29.31
extension: 2.5.29.15
publicKeyData:: [base64 public key blob omitted]
issuerName: CN=Certificate Authority,O=NWRA.COM
subjectName: CN=rufous.cora.nwra.com,O=NWRA.COM
duration: 1163158400000
notAfter: 20210301164542Z
notBefore: 20190301164542Z
metaInfo: requestId:97
metaInfo: profileId:caIPAserviceCert
serialno: 0296
objectClass: top
objectClass: certificateRecord

# 536805401, certificateRepository, ca, ipaca
dn: cn=536805401,ou=certificateRepository,ou=ca,o=ipaca
objectClass: top
objectClass: certificateRecord
serialno: 09536805401
metaInfo: requestId:19990026
metaInfo: profileId:caIPAserviceCert
notBefore: 20210302170118Z
notAfter: 20230303170118Z
duration: 1163158400000
subjectName: CN=rufous.cora.nwra.com,O=NWRA.COM
issuerName: CN=Certificate Authority,O=NWRA.COM
publicKeyData:: [base64 public key blob omitted]
extension: 2.5.29.35
extension: 1.3.6.1.5.5.7.1.1
extension: 2.5.29.37
extension: 2.5.29.31
extension: 2.5.29.14
extension: 2.5.29.17
extension: 2.5.29.15
userCertificate;binary:: [base64 certificate blob omitted]
version: 2
algorithmId: 1.2.840.113549.1.1.1
signingAlgorithmId: 1.2.840.113549.1.1.11
dateOfCreate: 20210302170118Z
dateOfModify: 20210302170118Z
certStatus: VALID
autoRenew: ENABLED
issuedBy: ipara
cn: 536805401

Not sure if that affects anything. Is there some process that scans the ldap database and marks certs as expired?

To my understanding the server does update the cert status periodically. This is done by the CertStatusUpdateTask class:
https://github.com/dogtagpki/pki/blob/v10.10/base/server/src/com/netscape/cmscore/dbs/CertificateRepository.java#L2677

So if it's not configured correctly, or something interrupted the thread, it might stop working.

I just added this page to describe the current behavior:
https://github.com/dogtagpki/pki/wiki/Configuring-Certificate-Status-Update-Task
Is the server a clone? It might need to be enabled manually.

Note: I wasn't the original writer of the code. I think instead of periodically updating the database it would be better not to store the cert status in the database, then let the client evaluate the cert validity based on the client's current time.
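A check in the spirit of the last paragraph above, as an added example that is neither FreeIPA nor Dogtag code: it parses an ldapsearch dump of certificateRecord entries like the one earlier in this ticket and recomputes each status from notBefore/notAfter against a reference time, reporting records whose stored certStatus has gone stale (which is exactly what a disabled CertStatusUpdateTask produces). The LDIF sample is constructed, and INVALID is used as Dogtag's name for a not-yet-valid record.

```python
from datetime import datetime, timezone

# Constructed sample shaped like the ldapsearch dump above (blobs omitted).
SAMPLE_LDIF = """\
dn: cn=96,ou=certificateRepository,ou=ca,o=ipaca
cn: 96
certStatus: VALID
notAfter: 20210301164542Z
notBefore: 20190301164542Z

dn: cn=536805401,ou=certificateRepository,ou=ca,o=ipaca
cn: 536805401
notBefore: 20210302170118Z
notAfter: 20230303170118Z
certStatus: VALID
"""

def parse_ldif(text):
    """Split LDIF text into one {attribute: value} dict per entry."""
    entries, current = [], {}
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not raw.strip():
            if current:
                entries.append(current)
            current = {}
        elif not raw.startswith(" "):  # skip folded continuation lines
            attr, _, value = raw.partition(":")
            current[attr.strip()] = value.lstrip(": ").strip()
    return entries

def gen_time(value):
    """LDAP GeneralizedTime (e.g. 20210301164542Z) -> aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def effective_status(entry, now):
    """Recompute status from the validity dates; revocation is kept as stored."""
    if entry.get("certStatus") == "REVOKED":
        return "REVOKED"
    if now < gen_time(entry["notBefore"]):
        return "INVALID"  # Dogtag's status name for a not-yet-valid record
    if now > gen_time(entry["notAfter"]):
        return "EXPIRED"
    return "VALID"

def stale_records(text, now):
    """Return (cn, stored, recomputed) for entries whose certStatus is stale."""
    return [(e["cn"], e.get("certStatus"), effective_status(e, now))
            for e in parse_ldif(text)
            if e.get("certStatus") != effective_status(e, now)]
```

Run against a real dump (ldapsearch -LLL output works as-is) with `now = datetime.now(timezone.utc)`; any EXPIRED result with a stored VALID means the status update task is not running on any server in the topology.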

Where would this cs.cfg file be located? I can't find one on any of my IPA servers. At this point all of our IPA servers are replicas.

It should be in /etc/pki/pki-tomcat/ca/CS.cfg. I think you should only enable this on one of the servers.

Ah, I missed the capitalization. It was disabled on all my servers - which seems fairly easy to have happen as servers are upgraded and replaced.

Re-enabled it on one and restarted the tomcat server - now the certs show as expired. Thanks.

Created https://github.com/freeipa/freeipa-healthcheck/issues/192 to check using freeipa-healthcheck.

We should probably track this along with CRL generator and renewal master, at least in the upstream docs.

@frenaud what do you think about tying this with the CRL generator?

We can add a new function to ipaserver/install/cainstance.py to enable/disable this per Endi's instructions and execute it within ipa-crlgen-manage.

@rcritten it can either be tied with CA renewal master or CRL generation, and I agree it makes more sense with the CRL generation.
We will also need to update the man page of ipa-crlgen-manage (I see you already updated the wiki page https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master, thanks for that!) and the Admin guide.
