client: el8
ipa server: el7
I created a cert via:
sudo ipa-getcert request -w -v -D <san1> -D <san2> -K PUPPET/$(hostname -f)\
-k /etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem\
-f /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem
Everything about the cert _appears_ to be fine. Openssl output looks normal and the puppet agent runs fine.
During testing I have radically reduced the certificate validity down to 10 minutes. The output of ipa-getcert list is:
Number of certificates and requests being tracked: 1.
Request ID '20220830202305':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/puppetlabs/puppet/ssl/private_keys/ip-10-0-82-56.eu-west-1.compute.internal.pem'
	certificate: type=FILE,location='/etc/puppetlabs/puppet/ssl/certs/ip-10-0-82-56.eu-west-1.compute.internal.pem'
	CA: IPA
	issuer: CN=Certificate Authority,O=DOMAIN.COM 20220829230619
	subject: CN=ip-10-0-82-56.eu-west-1.compute.internal,O=DOMAIN.COM 20220829230619
	issued: 2022-08-30 21:29:11 UTC
	expires: 2022-08-30 21:39:11 UTC
	dns: ip-10-0-82-56.eu-west-1.compute.internal
	principal name: host/ip-10-0-82-56.eu-west-1.compute.internal@DOMAIN.COM
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
However, it never actually updates before (or after) expiration. I have tried restarting the service and rebooting. This is happening on two hosts. I see no failures in the log or anything in the log after the last resubmit command. I have manually used rekey and resubmit. Both worked fine. Using a blog post from Fraser, I tried start-tracking with --no-renew, then --renew. I looked for errors. The only thing that seems kind of odd to me is in /var/lib/certmonger/requests/20220830202305:
last_need_notify_check=20220830205312
last_need_enroll_check=20220830205312
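As an added monitoring check (not from the post above and not part of certmonger): a small Python script that parses `ipa-getcert list` output and flags tracked, auto-renew certificates that are already past their expiry while certmonger still reports them as MONITORING, which is the silent failure described in the post. The sample output is constructed from the listing above with shortened paths; the one-minute grace period is an assumption.

```python
"""Flag certmonger-tracked certificates that should have auto-renewed but
did not. Hypothetical check written for this post; not certmonger code."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the `ipa-getcert list` output in the post.
SAMPLE = """\
Number of certificates and requests being tracked: 1.
Request ID '20220830202305':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=FILE,location='/etc/puppetlabs/puppet/ssl/private_keys/host.pem'
\tcertificate: type=FILE,location='/etc/puppetlabs/puppet/ssl/certs/host.pem'
\tCA: IPA
\tissued: 2022-08-30 21:29:11 UTC
\texpires: 2022-08-30 21:39:11 UTC
\ttrack: yes
\tauto-renew: yes
"""

def parse_getcert_time(value):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' timestamps as aware UTC."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)

def parse_getcert_list(text):
    """Split getcert output into one dict of 'field: value' per Request ID."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        if current is not None and ":" in line:
            key, _, value = line.strip().partition(":")  # split at first colon only
            current[key.strip()] = value.strip()
    return requests

def overdue_renewals(text, now_utc, grace=timedelta(minutes=1)):
    """Return [(request id, expiry)] for certs that are tracked with auto-renew,
    still in MONITORING, and expired more than `grace` ago (assumed window)."""
    now = parse_getcert_time(now_utc)
    findings = []
    for req in parse_getcert_list(text):
        if req.get("status") != "MONITORING" or req.get("auto-renew") != "yes":
            continue
        expires = parse_getcert_time(req["expires"])
        if now > expires + grace:
            findings.append((req["id"], expires))
    return findings
```

Run it against `ipa-getcert list` output on a schedule and alert on any result; a non-empty list means certmonger is tracking a certificate it has failed to renew.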