When a system certificate expires, we need to roll back the date to a valid range and start the renewal process.
An offline tool which creates temporary certificates to bring up the server, and using which we can proceed with the online renewal process.
Related wiki: http://pki.fedoraproject.org/wiki/Offline_System_Certificate_Renewal
Metadata Update from @mharmsen: - Custom field component adjusted to General - Custom field feature adjusted to '' - Custom field origin adjusted to Community - Custom field proposedmilestone adjusted to '' - Custom field proposedpriority adjusted to '' - Custom field reviewer adjusted to '' - Custom field type adjusted to defect - Custom field version adjusted to '' - Issue set to the milestone: 0.0 NEEDS_TRIAGE
Per PKI Bug Council of 07/06/2017: 10.4 - critical
Metadata Update from @mharmsen: - Issue priority set to: critical - Issue set to the milestone: 10.4 (was: 0.0 NEEDS_TRIAGE)
Metadata Update from @mharmsen: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1468348
Metadata Update from @mharmsen: - Issue assigned to dmoluguw
Metadata Update from @mharmsen: - Issue set to the milestone: 10.5 (was: 10.4)
Metadata Update from @mharmsen: - Issue priority set to: major (was: critical)
[20171025] - Offline Triage ==> 10.6
Metadata Update from @mharmsen: - Issue set to the milestone: 10.6 (was: 10.5)
See also https://pagure.io/dogtagpki/issue/1752 (which specifically is for renewal of expired CA certificate). The complete solution for this ticket will also discharge 1752.
Metadata Update from @mharmsen: - Issue priority set to: blocker (was: major)
Metadata Update from @mharmsen: - Issue set to the milestone: 10.5 (was: 10.6)
Metadata Update from @mharmsen: - Issue priority set to: major (was: blocker)
Per 10.5.x/10.6 Triage: 10.5.x
Dumping a few thoughts here so I don't forget them.
I have a solution for dealing with and renewing expired subsystem cert (and also dealing with, but not renewing, expired DS service cert). But the new subsystem cert is not (yet) automatically installed in the relevant DB user entry. But it probably can be, since we know that the user is pkidbuser (probably).
We can't automatically deal with expired DS cert. It is nontrivial to detect this from within cert-fix. But, if we can detect it, we can leave Dogtag configured to use basic auth on unsecured connection, and advise the admin that the DS cert needs their attention.
About to start investigation on how we could handle expired agent cert.
For agent cert, the standard mapping code does not require an exact certificate match, only a match of the description attribute, which is of format 2;<serial>;<issuer-dn>;<subject-dn>. So if admin cert is expired, re-issuing with same serial and updated validity period should be sufficient.
But I do not like this approach at all. I'm going to investigate whether we can use password auth for the agent/admin account, during cert-fix.
Edit: yes, we can totally use password authn for this. Indeed, IPA configures the admin account with the (original) DM passphrase. In general we can't assume it has the same passphrase. Now I will see if it is possible to change to random passphrase using DM cred, then restore the earlier passphrase afterwards by writing back the original userPassword attribute value.
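The comment above explains that agent/admin certificate mapping keys on the LDAP description attribute (2;<serial>;<issuer-dn>;<subject-dn>) rather than on the certificate bytes or its validity period, which is why a re-issued cert with the same serial and DNs maps to the same user entry. The following is an added illustration, not Dogtag's own mapping code: it builds and parses description values of that form and looks up a user in a constructed in-memory directory. The sample DNs, serials, uids and the assumption that neither DN contains an unescaped ';' are all constructed for the example.

```python
# Added example: how a description attribute of the form
# 2;<serial>;<issuer-dn>;<subject-dn> identifies an agent/admin certificate.
# Illustrative code only, not Dogtag's mapping implementation; all
# certificate records and directory entries below are constructed samples.
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class SampleCert:
    """Minimal stand-in for a parsed X.509 certificate (constructed)."""
    serial: int
    issuer_dn: str
    subject_dn: str
    not_after: str  # present only to show validity plays no part in mapping


@dataclass(frozen=True)
class CertMapping:
    """The fields carried by a description attribute value."""
    version: str
    serial: int
    issuer_dn: str
    subject_dn: str


def build_description(cert: SampleCert) -> str:
    """Render the description value in the 2;serial;issuer;subject form."""
    return f"2;{cert.serial};{cert.issuer_dn};{cert.subject_dn}"


def parse_description(value: str) -> CertMapping:
    """Split a description value into its four fields.

    Assumption (constructed for this example): neither DN contains an
    unescaped ';', so splitting on the first three separators is enough.
    """
    parts = value.split(";", 3)
    if len(parts) != 4:
        raise ValueError(f"malformed description: {value!r}")
    version, serial, issuer_dn, subject_dn = parts
    if version != "2":
        raise ValueError(f"unsupported description version: {version!r}")
    return CertMapping(version, int(serial), issuer_dn.strip(), subject_dn.strip())


def find_user(directory: dict[str, list[str]], cert: SampleCert) -> str | None:
    """Return the uid whose entry carries a description matching the cert.

    As the thread describes, only serial, issuer DN and subject DN are
    compared; the certificate bytes and validity period are not.
    """
    wanted = parse_description(build_description(cert))
    for uid, descriptions in directory.items():
        for desc in descriptions:
            try:
                if parse_description(desc) == wanted:
                    return uid
            except ValueError:
                continue  # unrelated or malformed description values are skipped
    return None


# Constructed sample data: a CA, an admin entry and a subsystem-user entry.
CA_DN = "CN=Certificate Authority,O=EXAMPLE"
ADMIN_DN = "CN=PKI Administrator,E=caadmin@example.test,O=EXAMPLE"
SUBSYSTEM_DN = "CN=Subsystem Certificate,O=EXAMPLE"

DIRECTORY = {
    "caadmin": [f"2;6;{CA_DN};{ADMIN_DN}"],
    "pkidbuser": [f"2;4;{CA_DN};{SUBSYSTEM_DN}"],
}

# Expired admin cert and its re-issue with the same serial and DNs but a
# new validity period: both produce the identical description value.
EXPIRED_ADMIN = SampleCert(6, CA_DN, ADMIN_DN, "2017-06-30")
REISSUED_ADMIN = SampleCert(6, CA_DN, ADMIN_DN, "2027-06-30")
# A cert with a different serial does not map to any existing entry.
OTHER_CERT = SampleCert(7, CA_DN, ADMIN_DN, "2027-06-30")

if __name__ == "__main__":
    print(build_description(EXPIRED_ADMIN) == build_description(REISSUED_ADMIN))
    print(find_user(DIRECTORY, EXPIRED_ADMIN), find_user(DIRECTORY, REISSUED_ADMIN))
    print(find_user(DIRECTORY, OTHER_CERT))
```

The point the example makes concrete is the one the commenter is uneasy about: because the lookup key is the serial plus the two DNs, any certificate carrying that triple maps to the entry, regardless of which key signed it or when it expires, so a re-issue under the same serial is accepted without any change to the directory entry.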
Since this tool has been implemented, I'm closing this ticket. Feel free to file new tickets if there are bugs related to this tool.
Related PRs:
10.5 branch: https://github.com/dogtagpki/pki/pull/183
master: https://github.com/dogtagpki/pki/pull/182
Related Bugzillas:
https://bugzilla.redhat.com/show_bug.cgi?id=1468348
https://bugzilla.redhat.com/show_bug.cgi?id=1696849
https://bugzilla.redhat.com/show_bug.cgi?id=1679480
Metadata Update from @dmoluguw: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2896
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.