ipa-cert-fix man page: add note about certmonger renewal #5825

Closed (1 commit)

Conversation

@flo-renaud flo-renaud (Contributor) opened the pull request:

ipa-cert-fix man page needs to explain that certmonger may
trigger a renewal right after ipa-cert-fix completes because
certmonger does not notice the updated certificates.

Fixes: https://pagure.io/freeipa/issue/8702
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>

@flo-renaud flo-renaud added the ipa-4-9 Mark for backport to ipa 4.9 label Jun 10, 2021
@mrizwan93 mrizwan93 (Contributor) left a comment:

Suggestion:
Can we add note to ipa-cert-fix command's output?

[..]
Note: Monitor the renewal status of certs and wait for its completion before any other administrative task

ipapython.admintool: INFO: The ipa-cert-fix command was successful.

ipa-cert-fix man page needs to explain that certmonger may
trigger a renewal right after ipa-cert-fix completes because
certmonger does not notice the updated certificates.

Also add a similar note at the end of ipa-cert-fix.

Fixes: https://pagure.io/freeipa/issue/8702
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
@flo-renaud flo-renaud added the WIP Work in progress - not ready yet for review label Jun 10, 2021
@flo-renaud (Contributor, Author):

Please don't review this PR yet, I am planning to test whether stopping certmonger before renewal and starting it at the end of ipa-cert-fix solves the double-renewal issue. The stop needs to be set at the right time because any call to getcert list would restart it.

@flo-renaud flo-renaud removed the WIP Work in progress - not ready yet for review label Jun 10, 2021
@flo-renaud (Contributor, Author):

@rcritten
I did a test with certmonger stopped just before calling pki-server cert-fix, and restarting certmonger right after the call to ipactl restart. This doesn't fix the double-renewal issue: certmonger starts by reading the /var/lib/certmonger/requests/ files, and the request is marked with state=CA_UNREACHABLE. Probably because of this state, certmonger directly tries to renew the cert without checking its actual expiry date.
In conclusion, there is no fix for the double renewal unless the certmonger code is modified, and we need this PR to explain the situation in the man page and at the end of the command.
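
An added example, not part of this PR or of FreeIPA's own code: a POSIX shell check that does what mrizwan93's suggested output note asks for, waiting after ipa-cert-fix until certmonger has finished the renewals it triggers on its own. It assumes the `getcert list` output format with one `status:` line per tracking request (MONITORING once the request is idle; CA_UNREACHABLE, SUBMITTING, CA_WORKING and the like while certmonger is still working). The sample listing and its request IDs are constructed. As noted above, running `getcert list` itself (re)starts certmonger, which is what the polling loop wants anyway.

```shell
#!/bin/sh
# Added example (not from the FreeIPA PR): wait until certmonger is idle
# after ipa-cert-fix before doing any other administrative task.
#
# Assumption: "getcert list" prints one block per tracking request, starting
# with "Request ID '<id>':" and containing a "status:" field that reads
# MONITORING when the request is idle. Real output indents fields with a tab;
# the patterns below accept tabs or spaces.

# Count tracking requests whose status is not MONITORING.
# Reads getcert list output from stdin so it also works on a captured listing.
count_busy_requests() {
    awk '/^[[:space:]]*status:/ { if ($2 != "MONITORING") n++ } END { print n + 0 }'
}

# Print the Request ID of every request that is not idle, one per line,
# so an operator can inspect it with "getcert list -i <id>" if it never settles.
list_busy_requests() {
    awk -v q="'" '
        /^Request ID/ { id = $3; gsub(q, "", id); sub(/:$/, "", id) }
        /^[[:space:]]*status:/ && $2 != "MONITORING" { print id }'
}

# Poll getcert list until no request is busy or the timeout elapses.
# $1: timeout in seconds (default 600), $2: poll interval in seconds (default 10).
# Returns 0 when all requests are MONITORING, 1 on timeout.
wait_for_certmonger_idle() {
    timeout=${1:-600}
    interval=${2:-10}
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        listing=$(getcert list)
        busy=$(printf '%s\n' "$listing" | count_busy_requests)
        if [ "$busy" -eq 0 ]; then
            return 0
        fi
        echo "certmonger: $busy request(s) still renewing:" >&2
        printf '%s\n' "$listing" | list_busy_requests >&2
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    echo "certmonger: requests still not MONITORING after ${timeout}s" >&2
    return 1
}

# Constructed sample listing (IDs and values are made up): one request still
# in CA_UNREACHABLE right after ipa-cert-fix, one already idle.
SAMPLE_BUSY=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20210610120000':
    status: CA_UNREACHABLE
    stuck: no
    CA: dogtag-ipa-ca-renew-agent
Request ID '20210610120001':
    status: MONITORING
    stuck: no
    CA: IPA
EOF
)

# The same two requests once certmonger has finished renewing.
SAMPLE_IDLE=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20210610120000':
    status: MONITORING
    stuck: no
Request ID '20210610120001':
    status: MONITORING
    stuck: no
EOF
)

# Stand-alone run: evaluate the constructed sample instead of calling getcert.
printf 'busy requests in sample: %s\n' "$(printf '%s\n' "$SAMPLE_BUSY" | count_busy_requests)"
```

On a real server the call is simply `wait_for_certmonger_idle 900 15` (the stand-alone script only evaluates the constructed sample). A request that stays in CA_UNREACHABLE past the timeout is not retried by this script; look at its `ca-error:` line in `getcert list -i <id>` before deciding to resubmit it.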

@rcritten (Contributor):

Thanks for testing that. Maybe it's something I can look at in certmonger eventually.

ack

@rcritten rcritten added the ack Pull Request approved, can be merged label Jun 10, 2021
@flo-renaud flo-renaud added the pushed Pull Request has already been pushed label Jun 10, 2021
@flo-renaud (Contributor, Author):

master:

  • 5509e00 ipa-cert-fix man page: add note about certmonger renewal

Labels: ack (Pull Request approved, can be merged); ipa-4-9 (Mark for backport to ipa 4.9); pushed (Pull Request has already been pushed)
3 participants