#9611 kdc.crt certificate not getting automatically renewed by certmonger in IPA Hidden replica
Closed: fixed 7 months ago by frenaud. Opened 7 months ago by frenaud.

Cloned from https://issues.redhat.com/browse/RHEL-39477

What were you trying to do that didn't work?

# ipa config-show
...
Hidden IPA masters: ipaserver.example.test

When an IPA server is marked as a Hidden Replica, the "kdc.crt" certificate is not renewed, due to an error that the server is not an active KDC.

# getcert list -f /var/kerberos/krb5kdc/kdc.crt
            status: MONITORING
            ca-error: Server at https://ipaserver.example.test/ipa/json denied our request, giving up: 2100 (Insufficient access: Host 'ipaserver.example.test' is not an active KDC).
            stuck: no
            key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
            certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
            CA: IPA
            issuer: CN=Certificate Authority,O=EXAMPLE.TEST
            subject: CN=ipaserver.example.test,O=EXAMPLE.TEST
            issued: 2022-05-24 01:36:17 UTC
            expires: 2024-05-24 01:36:17 UTC
            dns: ipaserver.example.test
            principal name: krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
            key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
            eku: id-kp-serverAuth,id-pkinit-KPKdc
            profile: KDCs_PKINIT_Certs
            pre-save command:
            post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
            track: yes
            auto-renew: yes

As a workaround, if we manually run the disable and enable commands below, the "kdc.crt" gets renewed.

    ipa-pkinit-manage disable
    The ipa-pkinit-manage command was successful

    ipa-pkinit-manage enable
    Configuring Kerberos KDC (krb5kdc)
      [1/1]: installing X509 Certificate for PKINIT
    Done configuring Kerberos KDC (krb5kdc).
    The ipa-pkinit-manage command was successful


    # getcert list -f /var/kerberos/krb5kdc/kdc.crt
    Number of certificates and requests being tracked: 10.
    Request ID '20240531070303':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.TEST
        subject: CN=ipaserver.example.test,O=EXAMPLE.TEST
        issued: 2024-05-31 12:33:06 IST
        expires: 2026-06-01 12:33:06 IST
        dns: ipaserver.example.test
        principal name: krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-pkinit-KPKdc
        profile: KDCs_PKINIT_Certs
        pre-save command: 
        post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
        track: yes
        auto-renew: yes

As an IPA server can be promoted to or demoted from a hidden replica at any time, this may cause an issue if the replica server is made active as part of the cluster.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/demoting-or-promoting-hidden-replicas_configuring-and-managing-idm

Please provide the package NVR for which bug is seen:

ipa-server-4.9.12-9.module+el8.9.0+20420+fef9eb45.x86_64

How reproducible:

Always

Steps to reproduce

Install the IPA server as a hidden replica or promote it as per the link above.
Wait for the kdc.crt to expire.
Try renewing "kdc.crt" using the command below.

            # getcert resubmit -f /var/kerberos/krb5kdc/kdc.crt

Expected results

Even if the IPA server has been promoted as a hidden replica, the "kdc.crt" certificate should be renewed.

Actual results

"kdc.crt" certificate renewal is failing with the error:

ca-error: Server at https://ipaserver.example.test/ipa/json denied our request, giving up: 2100 (Insufficient access: Host 'ipaserver.example.test' is not an active KDC).

7 months ago

master:

  • 20df609 PKINIT certificate: fix renewal on hidden replica
  • 70cd9dd ipatests: add test for PKINIT renewal on hidden replica

ipa-4-12:

  • c8e3fde PKINIT certificate: fix renewal on hidden replica
  • 467ec04 ipatests: add test for PKINIT renewal on hidden replica

ipa-4-11:

  • 54b47cd PKINIT certificate: fix renewal on hidden replica
  • a5e7103 ipatests: add test for PKINIT renewal on hidden replica

ipa-4-9:

  • ceb9db8 PKINIT certificate: fix renewal on hidden replica
  • ad1fbc7 ipatests: add test for PKINIT renewal on hidden replica

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

7 months ago

Metadata Update from @rcritten:
- Custom field changelog adjusted to The renewal of the PKINIT certificate on hidden replicas was failing because of a test ensuring that the KDC service is either enabled or configured. The test was extended to include hidden as well.

5 months ago
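The following is an added example, not FreeIPA's own code and not part of the ticket: a small model of the "active KDC" gate that the krbtgt/REALM PKINIT certificate request hits (the 2100 "Insufficient access" denial quoted above), with the pre-fix and post-fix accepted states side by side as described in the changelog note. The DN layout `cn=KDC,cn=<fqdn>,cn=masters,cn=ipa,cn=etc,<suffix>`, the three `ipaConfigString` state values, the base DN `dc=example,dc=test` and all function names are assumptions made for the illustration, and the role entries are constructed sample data.

```python
"""Illustrative model of the "active KDC" gate a KDC PKINIT certificate
request has to pass, and of the fix that admits hidden replicas.

This is added example code, not FreeIPA's own implementation. It assumes
(labelled assumptions) that each server's KDC role is recorded in an LDAP
entry cn=KDC,cn=<fqdn>,cn=masters,cn=ipa,cn=etc,<suffix> whose
ipaConfigString attribute holds one of enabledService, configuredService
or hiddenService. The entries below are constructed sample data.
"""

# Error code and message text taken from the ticket's getcert output.
INSUFFICIENT_ACCESS = 2100

# State values the gate accepted before the fix, and after it
# (the changelog note: "enabled or configured", extended to hidden).
ACTIVE_STATES_BEFORE_FIX = frozenset({"enabledService", "configuredService"})
ACTIVE_STATES_AFTER_FIX = ACTIVE_STATES_BEFORE_FIX | {"hiddenService"}

SUFFIX = "dc=example,dc=test"  # assumed base DN for the EXAMPLE.TEST realm


def kdc_role_dn(fqdn, suffix=SUFFIX):
    """DN of the KDC role entry for one server (assumed layout)."""
    return f"cn=KDC,cn={fqdn},cn=masters,cn=ipa,cn=etc,{suffix}"


# Constructed sample data: a hidden replica, an enabled server, a server
# still being configured; a decommissioned host has no entry at all.
KDC_ROLE_ENTRIES = {
    kdc_role_dn("ipaserver.example.test"): {"ipaConfigString": ["hiddenService"]},
    kdc_role_dn("replica1.example.test"): {"ipaConfigString": ["enabledService"]},
    kdc_role_dn("replica2.example.test"): {"ipaConfigString": ["configuredService"]},
}


class CertRequestDenied(Exception):
    """Stand-in for the server-side error certmonger reports as ca-error."""

    def __init__(self, code, message):
        super().__init__(f"{code} ({message})")
        self.code = code
        self.message = message


def kdc_state(entries, fqdn):
    """Return the KDC service state recorded for fqdn, or None if absent."""
    entry = entries.get(kdc_role_dn(fqdn))
    if entry is None:
        return None
    values = entry.get("ipaConfigString", [])
    return values[0] if values else None


def check_kdc_pkinit_request(entries, fqdn, principal, include_hidden):
    """Gate a certificate request for the KDC PKINIT profile.

    Only requests for the krbtgt/<REALM> principal (as in the ticket's
    tracking request) are subject to the KDC check; other principals pass.
    include_hidden=False reproduces the pre-fix behaviour, True the fix.
    """
    if not principal.startswith("krbtgt/"):
        return True
    allowed = ACTIVE_STATES_AFTER_FIX if include_hidden else ACTIVE_STATES_BEFORE_FIX
    if kdc_state(entries, fqdn) not in allowed:
        raise CertRequestDenied(
            INSUFFICIENT_ACCESS,
            f"Insufficient access: Host '{fqdn}' is not an active KDC",
        )
    return True


def renewal_outcome(entries, fqdn, principal, include_hidden):
    """Return (code, message): (0, 'ok') on success, else the denial."""
    try:
        check_kdc_pkinit_request(entries, fqdn, principal, include_hidden)
    except CertRequestDenied as exc:
        return exc.code, exc.message
    return 0, "ok"


if __name__ == "__main__":
    krbtgt = "krbtgt/EXAMPLE.TEST@EXAMPLE.TEST"
    for host in ("ipaserver.example.test", "replica1.example.test",
                 "replica2.example.test", "gone.example.test"):
        before = renewal_outcome(KDC_ROLE_ENTRIES, host, krbtgt, include_hidden=False)
        after = renewal_outcome(KDC_ROLE_ENTRIES, host, krbtgt, include_hidden=True)
        print(f"{host}: before fix {before}, after fix {after}")
```

Run as-is, the hidden replica is denied with the ticket's 2100 message only under the pre-fix set and passes once `hiddenService` is accepted; a host with no KDC role entry is still denied in both cases, which is the behaviour a practitioner wants to keep: the fix widens the gate to hidden KDCs, it does not remove the check. The same model also shows why the `ipa-pkinit-manage disable`/`enable` workaround is only a stopgap, since it does not change which states the gate accepts.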
