Bug
Resolution: Unresolved
Minor
rhel-8.10, rhel-9.5
rhel-sst-idm-ipa
ssg_idm
When trying to resubmit a certificate request that had the key file removed, "getcert" hangs indefinitely. This behavior has been seen in RHEL 8 and RHEL 9.
Request a certificate (take note of the "id" returned):
{{[root@ipaserver /]# /usr/bin/getcert request -N CN=ipaserver.test.local -c IPA -w -f ${PWD}/mycert.crt -k ${PWD}/mycert.key -D ipaserver.test.local -K HTTP/ipaserver.test.local
New signing request "20241126155215" added.}}
We can see that everything is ok by checking the files and the certificate status:
{{[root@ipaserver /]# getcert list -i 20241126155215
Number of certificates and requests being tracked: 13.
Request ID '20241126155215':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/mycert.key'
certificate: type=FILE,location='/mycert.crt'
CA: IPA
issuer: CN=Certificate Authority,O=TEST.LOCAL
subject: CN=ipaserver.test.local,O=TEST.LOCAL
issued: 2024-11-26 15:52:16 UTC
expires: 2026-11-27 15:52:16 UTC
dns: ipaserver.test.local
principal name: HTTP/ipaserver.test.local@TEST.LOCAL
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
[root@ipaserver /]# ls mycert*
mycert.crt mycert.key}}
Removing the certificate (.crt) file and resubmitting the request works fine:
{{[root@ipaserver /]# rm mycert.crt
rm: remove regular file 'mycert.crt'? y
[root@ipaserver /]# /usr/bin/getcert resubmit -N CN=ipaserver.test.local -c IPA -w -f ${PWD}/mycert.crt -D ipaserver.test.local -K HTTP/ipaserver.test.local
Resubmitting "20241126155215" to "IPA".
[root@ipaserver /]# getcert list -i 20241126155215
Number of certificates and requests being tracked: 13.
Request ID '20241126155215':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/mycert.key'
certificate: type=FILE,location='/mycert.crt'
CA: IPA
issuer: CN=Certificate Authority,O=TEST.LOCAL
subject: CN=ipaserver.test.local,O=TEST.LOCAL
issued: 2024-11-26 15:52:58 UTC
expires: 2026-11-27 15:52:58 UTC
dns: ipaserver.test.local
principal name: HTTP/ipaserver.test.local@TEST.LOCAL
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
[root@ipaserver /]# ls mycert*
mycert.crt mycert.key}}
Now, if the private key file (.key) is removed and we resubmit the request, getcert hangs:
{{[root@ipaserver /]# rm mycert.key
rm: remove regular file 'mycert.key'? y
[root@ipaserver /]# /usr/bin/getcert resubmit -N CN=ipaserver.test.local -c IPA -w -f ${PWD}/mycert.crt -D ipaserver.test.local -K HTTP/ipaserver.test.local
Resubmitting "20241126155215" to "IPA".}}
It can be seen that the process does not terminate for several minutes (it actually hangs indefinitely):
{{[root@ipaserver /]# ps u -C getcert
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 843 0.2 0.0 24632 11012 pts/0 S+ 15:54 0:00 /usr/bin/getcert resubmit -N CN=ipaserver.test.local -c IPA -w -f //mycert.crt -D ipaserver.test.local -K HTTP/ipaserver.
[root@ipaserver /]# date
Tue Nov 26 15:59:35 UTC 2024}}
And the status of the certificate request is "NEED_CSR":
{{[root@ipaserver /]# getcert list -i 20241126155215
Number of certificates and requests being tracked: 13.
Request ID '20241126155215':
status: NEED_CSR
stuck: no
key pair storage: type=FILE,location='/mycert.key'
certificate: type=FILE,location='/mycert.crt'
CA: IPA
issuer: CN=Certificate Authority,O=TEST.LOCAL
subject: CN=ipaserver.test.local,O=TEST.LOCAL
issued: 2024-11-26 15:52:58 UTC
expires: 2026-11-27 15:52:58 UTC
dns: ipaserver.test.local
principal name: HTTP/ipaserver.test.local@TEST.LOCAL
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes}}
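
A pre-flight check for the situation in this report, as an added example that is not part of the original report or of certmonger: it parses `getcert list` output and reports tracked requests whose FILE-backed private key is missing from disk. The function names and the second request ID in the sample are assumptions made for illustration.

```bash
#!/bin/bash
# Added example: pre-flight check for the hang described in this report.

# Read `getcert list` output on stdin and print "<id> <status> <key path>"
# for each tracked request whose FILE-backed private key is gone from disk.
missing_key_requests() {
    local id="" status="" line loc
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line#"${line%%[![:space:]]*}"}"   # drop leading indentation
        case "$line" in
            "Request ID '"*)
                id=${line#"Request ID '"}; id=${id%%"'"*}; status="" ;;
            "status: "*)
                status=${line#"status: "} ;;
            "key pair storage: type=FILE,location='"*)
                loc=${line#*"location='"}; loc=${loc%%"'"*}
                [ -e "$loc" ] || printf '%s %s %s\n' "$id" "$status" "$loc" ;;
        esac
    done
}

# Check to run before `getcert resubmit -w` on request ID $1:
# returns 0 when the key file is present, 1 when it is missing.
preflight_resubmit() {
    local missing
    missing=$(getcert list -i "$1" | missing_key_requests)
    [ -z "$missing" ] || { echo "key file missing: $missing" >&2; return 1; }
}

# Constructed sample in the layout shown in this report; $1 is a directory.
# The second request ID is made up for the example.
sample_getcert_list() {
    cat <<EOF
Number of certificates and requests being tracked: 2.
Request ID '20241126155215':
    status: NEED_CSR
    stuck: no
    key pair storage: type=FILE,location='$1/mycert.key'
    certificate: type=FILE,location='$1/mycert.crt'
Request ID '20240101000000':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='$1/present.key'
    certificate: type=FILE,location='$1/present.crt'
EOF
}
```

Requests that keep their key in an NSS database (`type=NSSDB`) are skipped, since there is no single key file to test for.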