Bug 1872604
Summary: | KRA Transport and Storage Certificates do not renew | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Martin Kosek <mkosek> |
Component: | ipa | Assignee: | Florence Blanc-Renaud <frenaud> |
Status: | CLOSED NOTABUG | QA Contact: | ipa-qe <ipa-qe> |
Severity: | unspecified | Docs Contact: | |
Priority: | urgent | ||
Version: | 7.6 | CC: | abokovoy, alee, ascheel, cfu, edewata, extras-qa, fdc, ipa-maint, ipa-qe, jcholast, jhrozek, kwright, mharmsen, mhjacks, pcech, pvoborni, rcritten, ssorce, tscherf, twoerner, wdh |
Target Milestone: | rc | Keywords: | Triaged |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | 1872603 | Environment: | |
Last Closed: | 2020-12-02 16:19:18 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1869605, 1872603, 1875563, 1883639 | ||
Bug Blocks: |
Description
Martin Kosek
2020-08-26 07:47:26 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/b691850cc9718818893291bb813cc227a8daa3d9
https://pagure.io/freeipa/c/0037b698eda11185cb5f22ff74f4b008bc24fe40
https://pagure.io/freeipa/c/6816de0892a11c203f1a2e6f7819d533c7658fa9

Upstream ticket: https://pagure.io/freeipa/issue/8545

The ipa spec will need a new Requires on pki-core-10.5.18-8.el7_9 to pick up the new profile.

Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/a9e1c014f601a567f4aa5135d02883c498835268
https://pagure.io/freeipa/c/bd4771d75f8549fe1790540764f23d47bf3d187c
https://pagure.io/freeipa/c/3e530e93c37ee71a560714e26285cd85e71557c9

Fixed upstream
ipa-4-8:
https://pagure.io/freeipa/c/69adf813acb6c37fd5b64f5713f41dce7ddf0207
https://pagure.io/freeipa/c/c3c577aead10e592bf01bc04b6a31d0cf4d4a2be
https://pagure.io/freeipa/c/c1659014d0b9e038896ba860a0d76bb70dad7bac

Discussed this out-of-band with Flo. We can close this because it doesn't apply.

In order to backport this fix from upstream I had to also pull in https://pagure.io/freeipa/issue/7991. That PR specified to certmonger which profile to use for issuing certificates and was the root cause of the KRA renewal failures. It was using internal CA profiles. Prior to this, certmonger would renew by serial number using the existing CSR. Dogtag will re-issue a new cert using that CSR so there is no need to use a profile.