What were you trying to do that didn't work?
In the ACME service of the IdM Dogtag CA there is a bug that inhibits renewal within the renewal window defined by the mod_md ACME client, so the automatic renewal that should happen when the expiration date is reached is not performed. As a result, no certificate is automatically reissued by Dogtag once the expiration date has passed. The issue is seen on RHEL 8 and 9. It has been solved in the upstream project in the following merge:
https://github.com/dogtagpki/pki/pull/4625
We want to backport this one to our release of the IdM Dogtag component for both RHEL 8 and RHEL 9.
The affected packages are the following. I am not sure which was the first package released with this bug, but the latest packages in our RHEL 8 and 9 distributions are affected:
https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=2534875
https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=2753234
Please provide the package NVR for which the bug is seen:
These versions of the packages are observed to have this bug:
https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=2534875
https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=2753234
How reproducible:
Always
Steps to reproduce
1. Enable the ACME service on IdM: "ipa-acme-manage enable"
2. Change the IdM CA profile to issue certs with 1 hour of validity (this is just to speed up testing). Export the profile, set the two range parameters in the exported file, and import it again:
   ipa certprofile-show acmeIPAServerCert --out acmeIPAServerCert.cfg
   policyset.serverCertSet.7.default.params.range=60
   policyset.serverCertSet.7.default.params.rangeUnit=minute
   ipa certprofile-mod acmeIPAServerCert --file acmeIPAServerCert.cfg
3. Set up a client joined to the IdM domain, then set up Apache on this ACME client with mod_md, using a configuration similar to the following:
[root@client~]# cat /etc/httpd/conf.d/acme.conf
LogLevel debug md:trace5
#LogLevel warn md:notice
MDCertificateAuthority https://ipa-ca.lab.example.com/acme/directory
MDCertificateAgreement accepted
MDomain client.lab.example.com
<VirtualHost *:443>
ServerName client.lab.example.com
SSLEngine on
</VirtualHost>
4. Restart Apache twice and check that the certs for Apache have been placed in:
/var/lib/httpd/md/domains/client.lab.example.com
5. These certs have a validity period of 1 hour.
6. Wait until past this hour and check that no new certificate has been placed in that location.
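As an added check for the reproduction steps (not code from the bug report, Dogtag or mod_md), the script below reads the certificate mod_md stores for the domain and classifies it against mod_md's renewal window, so the failure can be told apart from a renewal that is simply still pending. It assumes openssl is on PATH, that the stored certificate is pubcert.pem inside the directory named in step 4 (file name assumed), and mod_md's default MDRenewWindow of 33%.

```python
"""Added check for the reproduction steps above; not part of the bug report.
Reports whether mod_md's stored certificate is valid, in its renewal window,
expired without renewal (the failure described here), or renewed (serial changed).
Assumes openssl on PATH and /var/lib/httpd/md/domains/<domain>/pubcert.pem
(directory from the report, file name assumed)."""
import subprocess
import sys
from datetime import datetime, timezone

MD_STORE = "/var/lib/httpd/md/domains"
RENEW_FRACTION = 0.33  # mod_md default MDRenewWindow: renew with 33% of lifetime left

def parse_openssl_time(s):
    """'Jan  1 13:00:00 2025 GMT' as printed by openssl x509 -> aware UTC datetime."""
    return datetime.strptime(" ".join(s.split()), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def parse_x509_text(text):
    """Parse the serial=/notBefore=/notAfter= lines of `openssl x509 -noout -serial -dates`."""
    fields = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {"serial": fields["serial"].strip(),
            "not_before": parse_openssl_time(fields["notBefore"]),
            "not_after": parse_openssl_time(fields["notAfter"])}

def classify(cert, now, previous_serial=None):
    """Classify the stored certificate as observed at time `now`."""
    if previous_serial is not None and cert["serial"] != previous_serial:
        return "renewed"                  # mod_md obtained a new cert from the CA
    lifetime = cert["not_after"] - cert["not_before"]
    renew_from = cert["not_after"] - lifetime * RENEW_FRACTION
    if now >= cert["not_after"]:
        return "expired-not-renewed"      # the behaviour this report describes
    if now >= renew_from:
        return "in-renewal-window"        # mod_md should be renewing about now
    return "valid"

def read_cert(domain):
    """Run openssl on the domain's stored certificate and parse its output."""
    path = f"{MD_STORE}/{domain}/pubcert.pem"
    out = subprocess.run(["openssl", "x509", "-in", path, "-noout", "-serial", "-dates"],
                         capture_output=True, text=True, check=True).stdout
    return parse_x509_text(out)

if __name__ == "__main__":
    # usage: python3 check_md_renewal.py client.lab.example.com [serial-seen-on-previous-run]
    cert = read_cert(sys.argv[1])
    prev = sys.argv[2] if len(sys.argv) > 2 else None
    print(cert["serial"], cert["not_after"].isoformat(),
          classify(cert, datetime.now(timezone.utc), prev))
```

Run it once right after step 4 to record the serial, then again after the hour with that serial as the second argument; with the bug present it keeps reporting "expired-not-renewed".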
Expected results
After the expiration time a new cert/key pair has to be reissued by the IdM CA.
Actual results
No new certificate is reissued once the expiration date has passed.