
[RFE] Add check on CA cert expiry for ipa-cert-fix


      Description of problem:
      If the externally signed CA certificate is expired, ipa-cert-fix proceeds to issue new service and shared certificates with it, which produces certificates with very short validity periods. In that case the situation becomes worse than before ipa-cert-fix was run: we cannot return to normal operation in time.

      Version-Release number of selected component (if applicable):
      ipa-server-4.9.11-5

      How reproducible:
      always, if you have an expired externally signed CA

      Steps to Reproduce:
      1. expire your externally-signed CA cert
      2. run ipa-cert-fix

      Actual results:
      The system is broken and requires a manual search for the previous certificates in the LDAP repository in order to become operational again.

      Expected results:
      A check is run to determine whether the CA is externally signed and, if so, whether it is expired. If it is, ipa-cert-fix performs no action (renewal is not possible until a new CA certificate is signed).
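The pre-flight guard this RFE asks for, written here as an added example in Python (the language of the ipa-* tools; this is not FreeIPA's or ipa-cert-fix's own code): it treats a CA whose issuer differs from its subject as externally signed and refuses to renew once that CA has expired. The decoded-certificate dict shape, the `load_ca_cert` and `precheck` helpers and the issuer-equals-subject rule are assumptions; only the standard library is used.

```python
import ssl
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class CaCheck:
    externally_signed: bool
    expired: bool
    not_after: int  # notAfter as epoch seconds (UTC)

    @property
    def may_proceed(self) -> bool:
        # Only the case from this RFE blocks renewal: an expired CA that IPA
        # cannot re-sign itself. A self-signed IPA CA can still be renewed.
        return not (self.externally_signed and self.expired)

    def message(self) -> str:
        when = time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(self.not_after))
        if self.may_proceed:
            return f"CA certificate usable (notAfter {when}); renewal may proceed"
        return (f"CA certificate is externally signed and expired since {when}; "
                "refusing to renew, install a newly signed CA certificate first")


def inspect_ca(cert: dict, now: Optional[float] = None) -> CaCheck:
    # `cert` uses the dict shape the stdlib ssl module returns for decoded
    # certificates (keys 'issuer', 'subject', 'notAfter'); assumed input here.
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    # Assumption: a self-signed IPA CA has issuer == subject; any other issuer
    # means the CA was signed externally and only that CA can replace it.
    externally_signed = cert["issuer"] != cert["subject"]
    return CaCheck(externally_signed, not_after <= now, not_after)


def load_ca_cert(pem_path: str) -> dict:
    # Decode a PEM CA certificate with the stdlib only (no signature check).
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # empty store, no system CAs
    ctx.load_verify_locations(cafile=pem_path)
    certs = ctx.get_ca_certs()  # only certificates with CA:TRUE are listed
    if not certs:
        raise ValueError(f"{pem_path}: no CA certificate found")
    return certs[0]


def precheck(pem_path: str) -> int:
    # Exit-code style wrapper: 0 = go ahead, 1 = stop, as the RFE asks.
    check = inspect_ca(load_ca_cert(pem_path))
    print(check.message())
    return 0 if check.may_proceed else 1
```

Run `precheck("/path/to/ipa-ca.pem")` before the renewal step; a non-zero return means the externally signed CA must be re-signed and installed before ipa-cert-fix does anything.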

      Additional info:

              frenaud@redhat.com Florence Renaud
              rhn-support-asharov Aleksandr Sharov
              Florence Renaud Florence Renaud
              Erik Belko Erik Belko