client: el8
ipa server: el7

I created a cert via:
  sudo ipa-getcert request -w -v -D <san1> -D <san2> -K PUPPET/$(hostname -f) \
    -k /etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem \
    -f /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem

Everything about the cert _appears_ to be fine. OpenSSL output looks normal
and the puppet agent runs fine.

During testing I have radically reduced the certificate validity down to 10
minutes. The output of ipa-getcert list is:

Number of certificates and requests being tracked: 1.
Request ID '20220830202305':
       status: MONITORING
       stuck: no
       key pair storage: type=FILE,location='/etc/puppetlabs/puppet/ssl/private_keys/ip-10-0-82-56.eu-west-1.compute.internal.pem'
       certificate: type=FILE,location='/etc/puppetlabs/puppet/ssl/certs/ip-10-0-82-56.eu-west-1.compute.internal.pem'
       CA: IPA
       issuer: CN=Certificate Authority,O=DOMAIN.COM 20220829230619
       subject: CN=ip-10-0-82-56.eu-west-1.compute.internal,O=DOMAIN.COM 20220829230619
       issued: 2022-08-30 21:29:11 UTC
       expires: 2022-08-30 21:39:11 UTC
       dns: ip-10-0-82-56.eu-west-1.compute.internal
       principal name: host/[email protected]
       key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
       eku: id-kp-serverAuth,id-kp-clientAuth
       pre-save command:
       post-save command:
       track: yes
       auto-renew: yes

However, it never actually updates before (or after) expiration. I have
tried restarting the service and rebooting. This is happening on two hosts.
I see no failures in the log or anything in the log after the last resubmit
command. I have manually used rekey and resubmit. Both worked fine. Using a
blog post from Fraser, I tried start-tracking with --no-renew, then
--renew. I looked for errors. The only thing that seems kind of odd to me is
in /var/lib/certmonger/requests/20220830202305:
last_need_notify_check=20220830205312
last_need_enroll_check=20220830205312
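Added example, not from the original post: a POSIX sh/awk check that reads "getcert list" output like the listing above and reports tracked requests whose certificate has already expired, or will expire within a lead time, while certmonger still shows them as MONITORING, which is exactly the condition described in this thread. The sample listing is constructed from the post's own output with most per-request lines trimmed; sample_list and flag_unrenewed are names chosen here.

```shell
# Added example (not from the post): flag certmonger requests that are still
# tracked but whose certificate has expired, or will expire within LEAD seconds,
# i.e. auto-renew did not fire. POSIX sh + awk; no GNU-only "date -d" needed.
# Constructed sample, trimmed from the listing in the post (assumed "getcert list"
# format; request ID and timestamps are the post's values).
sample_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 1.
Request ID '20220830202305':
       status: MONITORING
       stuck: no
       CA: IPA
       issued: 2022-08-30 21:29:11 UTC
       expires: 2022-08-30 21:39:11 UTC
       track: yes
       auto-renew: yes
EOF
}
# flag_unrenewed NOW_EPOCH [LEAD_SECONDS] < getcert-list-output
# Prints "<request id> <status> expires=<expiry> EXPIRED|EXPIRING" for every
# request whose expiry is before NOW + LEAD; prints nothing when all is well.
flag_unrenewed() {
    awk -v now="$1" -v lead="${2:-0}" -v q="'" '
        # Seconds since the epoch for "YYYY-MM-DD HH:MM:SS UTC" (days-from-civil).
        function to_epoch(ts,    p, y, m, d, era, yoe, doy, doe) {
            split(ts, p, /[- :]/)
            y = p[1] + 0; m = p[2] + 0; d = p[3] + 0
            if (m <= 2) y--
            era = int(y / 400); yoe = y - era * 400
            doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
            doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
            return (era * 146097 + doe - 719468) * 86400 + p[4] * 3600 + p[5] * 60 + p[6]
        }
        # Emit the request collected so far if its expiry falls inside the window.
        function flush() {
            if (id != "" && expires != "" && to_epoch(expires) < now + lead)
                printf "%s %s expires=%s %s\n", id, status, expires,
                       (to_epoch(expires) < now) ? "EXPIRED" : "EXPIRING"
            id = ""; status = ""; expires = ""
        }
        /^Request ID/     { flush(); id = $3; gsub("[" q ":]", "", id) }
        /^[ \t]*status:/  { status = $2 }
        /^[ \t]*expires:/ { expires = $0; sub(/^[ \t]*expires:[ \t]*/, "", expires) }
        END               { flush() }
    '
}
# Demo on the constructed sample (its 10-minute cert is long past expiry).
sample_list | flag_unrenewed "$(date -u +%s)"
```

On a live client the same check runs as: getcert list | flag_unrenewed "$(date -u +%s)" 600, where 600 is the lead time in seconds inside which certmonger should already have renewed.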
_______________________________________________
FreeIPA-users mailing list -- [email protected]