- Bug
- Resolution: Unresolved
- Major
- rhel-9.6
- None
- Yes
- Important
- rhel-sst-idm-cs
- ssg_idm
- 0
- Dev ack
- False
- No
- None
- Pass
- Automated
- Unspecified Release Note Type - Unknown
- x86_64
- None
What were you trying to do that didn't work?
PKI debug log rotation not working
What is the impact of this issue to you?
PKI debug log rotation is not working, so when we perform a PKI operation, no new logging is generated in the debug log file.
Please provide the package NVR for which the bug is seen:
pki-core-11.6.0-0.3.alpha2.el9.src.rpm
jss-5.6.0-0.1.alpha1.el9.src.rpm
nss-3.101.0-10.el9_2.src.rpm
How reproducible is this bug?:
Always
Steps to reproduce
- Setup CA subsystem on RHEL 9.6 nightly build
- Change the system date or leave the setup as it is for 1 day
- Check whether a new debug log is generated at path /var/log/pki/<instance>/ca/ in the format debug.YYYY-MM-DD.log
Expected results
PKI should automatically rotate debug log.
Actual results
# ls -l /var/log/pki/topology-00-CA/ca/debug.2025-01-09.log
-rw-r--r--. 1 pkiuser pkiuser 491371 Jan 9 23:56 /var/log/pki/topology-00-CA/ca/debug.2025-01-09.log
Waited for another day and no new debug log was generated:
# date
Fri Jan 10 07:55:00 EST 2025
# ls -l /var/log/pki/topology-00-CA/ca
total 484
drwxrwx---. 2 pkiuser pkiuser 166 Jan 9 13:31 archive
-rw-r--r--. 1 pkiuser pkiuser 491371 Jan 9 23:56 debug.2025-01-09.log
-rw-r-----. 1 pkiuser pkiuser 3552 Jan 9 13:31 selftests.log
drwxrwx---. 2 pkiuser pkiuser 22 Jan 9 10:58 signedAudit
Last content of the debug log:
2025-01-09 23:51:44 [CertStatusUpdateTask] INFO: LDAPSession.continuousPagedSearch(): Searching ou=certificateRepository, ou=ca,o=topology-00-CA-CA for (&(certStatus=INVALID)(notBefore<=20250109235144Z))
2025-01-09 23:51:44 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating valid certs to expired
2025-01-09 23:51:44 [CertStatusUpdateTask] INFO: LDAPSession.continuousPagedSearch(): Searching ou=certificateRepository, ou=ca,o=topology-00-CA-CA for (&(certStatus=VALID)(notAfter<=20250109235144Z))
2025-01-09 23:51:44 [CertStatusUpdateTask] INFO: LDAPSession.continuousPagedSearch(): Searching ou=certificateRepository, ou=ca,o=topology-00-CA-CA for (&(certStatus=VALID)(notAfter<=20250109235144Z))
2025-01-09 23:51:44 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating revoked certs to expired
2025-01-09 23:51:44 [CertStatusUpdateTask] INFO: LDAPSession.continuousPagedSearch(): Searching ou=certificateRepository, ou=ca,o=topology-00-CA-CA for (&(certStatus=REVOKED)(notAfter<=20250109235144Z))
2025-01-09 23:51:44 [CertStatusUpdateTask] INFO: LDAPSession.continuousPagedSearch(): Searching ou=certificateRepository, ou=ca,o=topology-00-CA-CA for (&(certStatus=REVOKED)(notAfter<=20250109235144Z))
2025-01-09 23:51:46 [Timer-0] INFO: SessionTimer: checking security domain sessions
2025-01-09 23:56:46 [Timer-0] INFO: SessionTimer: checking security domain sessions
Even if we perform any PKI operation, no new debug logging is generated. When we restart or stop/start the CA subsystem, it generates the new logging:
# pki-server stop topology-00-CA
# pki-server start topology-00-CA
# ls -l /var/log/pki/topology-00-CA/ca
total 524
drwxrwx---. 2 pkiuser pkiuser 166 Jan 9 13:31 archive
-rw-r--r--. 1 pkiuser pkiuser 491371 Jan 9 23:56 debug.2025-01-09.log
-rw-r--r--. 1 pkiuser pkiuser 34111 Jan 10 07:39 debug.2025-01-10.log
-rw-r-----. 1 pkiuser pkiuser 4612 Jan 10 07:39 selftests.log
drwxrwx---. 2 pkiuser pkiuser 22 Jan 9 10:58 signedAudit
- is related to: RHEL-75546 PKI debug log rotation not working
- links to: RHBA-2024:144001 pki-core bug fix and enhancement update
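An added example, not part of the original report or of the PKI project's code: a shell check that flags the condition shown in the listings above, where the newest debug.YYYY-MM-DD.log in the subsystem log directory is older than the current date. The function name `check_debug_rotation` and its return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: detect stalled PKI debug log rotation.
# Usage: check_debug_rotation <logdir> [today as YYYY-MM-DD]
# Return codes (chosen for this example):
#   0 = a debug log for today exists
#   1 = newest debug log is for another date (rotation stalled)
#   2 = no debug.YYYY-MM-DD.log files found
check_debug_rotation() {
    logdir=$1
    today=${2:-$(date +%Y-%m-%d)}
    newest=""
    # debug.YYYY-MM-DD.log names sort chronologically, so the last
    # glob match is the newest file.
    for f in "$logdir"/debug.[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9].log; do
        if [ -f "$f" ]; then
            newest=$f
        fi
    done
    if [ -z "$newest" ]; then
        echo "NO_LOGS: no debug.YYYY-MM-DD.log in $logdir"
        return 2
    fi
    # Extract the date from the file name.
    name=${newest##*/}
    file_date=${name#debug.}
    file_date=${file_date%.log}
    # Date prefix of the last entry written to the newest file.
    last_entry=$(tail -n 1 "$newest" | cut -c1-10)
    if [ "$file_date" = "$today" ]; then
        echo "OK: $name exists (last entry $last_entry)"
        return 0
    fi
    echo "STALLED: newest is $name (last entry $last_entry), expected debug.$today.log"
    return 1
}

# Run the check when a log directory is given on the command line, e.g.
#   sh check.sh /var/log/pki/<instance>/ca
if [ "$#" -gt 0 ]; then
    check_debug_rotation "$@"
fi
```

A non-zero return from a scheduled run of this check can feed an alert, since a silent debug log means PKI operations after the stall leave no debug trail until the subsystem is restarted.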