Never mind, it appears there may be some minimum amount of time before
certmonger looks at a cert, and the amount of time is greater than my 10
minutes. I'll watch the logs overnight and adjust certificate validity to
be slightly longer and continue my testing. Sorry for the noise!
On Tue, Aug 30, 2022 at 5:52 PM IPA Listmail <ipalistmail(a)gmail.com> wrote:
client: el8
ipa server: el7
I created a cert via:
sudo ipa-getcert request -w -v -D <san1> -D <san2> -K PUPPET/$(hostname -f) \
    -k /etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem \
    -f /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem
Everything about the cert _appears_ to be fine. Openssl output looks
normal and the puppet agent runs fine.
During testing I have radically reduced the certificate validity down to
10 minutes. The output of ipa-getcert list is:
Number of certificates and requests being tracked: 1.
Request ID '20220830202305':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/etc/puppetlabs/puppet/ssl/private_keys/ip-10-0-82-56.eu-west-1.compute.internal.pem'
        certificate: type=FILE,location='/etc/puppetlabs/puppet/ssl/certs/ip-10-0-82-56.eu-west-1.compute.internal.pem'
        CA: IPA
        issuer: CN=Certificate Authority,O=DOMAIN.COM 20220829230619
        subject: CN=ip-10-0-82-56.eu-west-1.compute.internal,O=DOMAIN.COM 20220829230619
        issued: 2022-08-30 21:29:11 UTC
        expires: 2022-08-30 21:39:11 UTC
        dns: ip-10-0-82-56.eu-west-1.compute.internal
        principal name: host/ip-10-0-82-56.eu-west-1.compute.internal(a)DOMAIN.COM
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
However, it never actually updates before (or after) expiration. I have
tried restarting the service and rebooting. This is happening on two hosts.
I see no failures in the log or anything in the log after the last resubmit
command. I have manually used rekey and resubmit. Both worked fine. Using a
blog post from Fraser, I tried start-tracking with --no-renew, then
--renew. I looked for errors. The only thing that seems kind of odd to me is
in /var/lib/certmonger/requests/20220830202305:
last_need_notify_check=20220830205312
last_need_enroll_check=20220830205312
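A small monitoring check for the situation described in this thread, added here as an example and not part of the original messages or of certmonger: it parses `ipa-getcert list` output and flags tracked certificates that are already expired while still MONITORING, or whose whole validity period is shorter than an assumed minimum (the thread gives no exact figure for certmonger's check interval, so `min_validity_seconds` is a parameter you choose). The sample output is constructed, modelled on the listing quoted above.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on the `ipa-getcert list` output quoted above.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20220830202305':
        status: MONITORING
        issued: 2022-08-30 21:29:11 UTC
        expires: 2022-08-30 21:39:11 UTC
        auto-renew: yes
Request ID '20220101000000':
        status: MONITORING
        issued: 2022-08-30 00:00:00 UTC
        expires: 2024-08-30 00:00:00 UTC
        auto-renew: no
"""
TS_FMT = "%Y-%m-%d %H:%M:%S UTC"  # timestamp layout used by getcert list

def parse_getcert_list(text):
    """Split `ipa-getcert list` output into one dict per 'Request ID' block."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")  # split at first ':' only
            current[key] = value.strip()
    return requests

def parse_ts(value):
    return datetime.strptime(value, TS_FMT).replace(tzinfo=timezone.utc)

def check_tracking(text, now, min_validity_seconds):
    """Return {request id: [reasons]} for tracked certs that need attention.
    min_validity_seconds is an assumed lower bound on a lifetime that a
    periodic renewal check can be relied on to catch; not a certmonger value."""
    min_validity = timedelta(seconds=min_validity_seconds)
    findings = {}
    for req in parse_getcert_list(text):
        issued, expires = parse_ts(req["issued"]), parse_ts(req["expires"])
        reasons = []
        if req.get("auto-renew") == "yes" and expires - issued < min_validity:
            reasons.append("validity %s shorter than %s" % (expires - issued, min_validity))
        if expires <= now and req.get("status") == "MONITORING":
            reasons.append("expired at %s but still MONITORING" % req["expires"])
        if reasons:
            findings[req["id"]] = reasons
    return findings
```

To run it against a live host, feed the text of `ipa-getcert list` to `check_tracking` with `now = datetime.now(timezone.utc)`.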