client: el8
ipa server: el7
I created a cert via:
sudo ipa-getcert request -w -v -D <san1> -D <san2> -K PUPPET/$(hostname -f) \
    -k /etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem \
    -f /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem
Everything about the cert _appears_ to be fine. Openssl output looks normal
and the puppet agent runs fine.
During testing I have radically reduced the certificate validity down to 10
minutes. The output of ipa-getcert list is:
Number of certificates and requests being tracked: 1.
Request ID '20220830202305':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/etc/puppetlabs/puppet/ssl/private_keys/ip-10-0-82-56.eu-west-1.compute.internal.pem'
        certificate: type=FILE,location='/etc/puppetlabs/puppet/ssl/certs/ip-10-0-82-56.eu-west-1.compute.internal.pem'
        CA: IPA
        issuer: CN=Certificate Authority,O=DOMAIN.COM 20220829230619
        subject: CN=ip-10-0-82-56.eu-west-1.compute.internal,O=DOMAIN.COM 20220829230619
        issued: 2022-08-30 21:29:11 UTC
        expires: 2022-08-30 21:39:11 UTC
        dns: ip-10-0-82-56.eu-west-1.compute.internal
        principal name: host/ip-10-0-82-56.eu-west-1.compute.internal@DOMAIN.COM
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
However, it never actually updates before (or after) expiration. I have
tried restarting the service and rebooting. This is happening on two hosts.
I see no failures in the log or anything in the log after the last resubmit
command. I have manually used rekey and resubmit. Both worked fine. Using a
blog post from Fraser, I tried start-tracking with --no-renew, then
--renew. I looked for errors. The only thing that seems kind of odd to me is
in /var/lib/certmonger/requests/20220830202305:
last_need_notify_check=20220830205312
last_need_enroll_check=20220830205312
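An added example (not part of the post, and not certmonger or FreeIPA code) that parses `ipa-getcert list` output like the listing above and reports the condition described in the post: a request that stays in MONITORING with auto-renew on while its certificate is already past its expiry, or is about to be. The sample text is constructed from the values quoted above, the parser assumes certmonger's usual one-field-per-indented-line layout, and the alert window is the caller's own threshold, not certmonger's internal renewal policy.

```python
"""Parse `ipa-getcert list` output and flag tracked certificates that
certmonger has not replaced before (or after) they expire.

Added illustration, not part of the original post or of certmonger/FreeIPA.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the listing quoted in the post (same host
# name, request ID and timestamps); it is not a live capture.
SAMPLE_OUTPUT = """\
Number of certificates and requests being tracked: 1.
Request ID '20220830202305':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/etc/puppetlabs/puppet/ssl/private_keys/ip-10-0-82-56.eu-west-1.compute.internal.pem'
        certificate: type=FILE,location='/etc/puppetlabs/puppet/ssl/certs/ip-10-0-82-56.eu-west-1.compute.internal.pem'
        CA: IPA
        issuer: CN=Certificate Authority,O=DOMAIN.COM 20220829230619
        subject: CN=ip-10-0-82-56.eu-west-1.compute.internal,O=DOMAIN.COM 20220829230619
        issued: 2022-08-30 21:29:11 UTC
        expires: 2022-08-30 21:39:11 UTC
        dns: ip-10-0-82-56.eu-west-1.compute.internal
        principal name: host/ip-10-0-82-56.eu-west-1.compute.internal@DOMAIN.COM
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
FIELD_RE = re.compile(r"^\s+([^:]+):\s*(.*)$")   # indented "name: value" lines
TIME_FMT = "%Y-%m-%d %H:%M:%S UTC"               # the timestamp form certmonger prints


def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the field names certmonger prints."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        m = FIELD_RE.match(line) if current is not None else None
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    return requests


def parse_time(value):
    """Turn a certmonger 'YYYY-MM-DD HH:MM:SS UTC' string into an aware datetime."""
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def check_renewal(req, now, renew_window):
    """List the reasons one tracked request looks unhealthy at time `now`.

    `renew_window` is this script's alerting threshold (an assumption of the
    example), not certmonger's own renewal policy.
    """
    problems = []
    if req.get("status") != "MONITORING":
        problems.append(f"status is {req.get('status')!r}, not MONITORING")
    if req.get("stuck") == "yes":
        problems.append("request is stuck")
    if req.get("auto-renew") != "yes":
        problems.append("auto-renew is not enabled")
    if "expires" not in req:
        problems.append("no expiry recorded (no certificate issued yet?)")
        return problems
    expires = parse_time(req["expires"])
    if now >= expires:
        problems.append(f"certificate expired at {req['expires']} and has not been replaced")
    elif expires - now <= renew_window:
        problems.append(f"certificate expires in {expires - now}, inside the alert window")
    return problems


def audit(text, now_str, window_seconds):
    """Run check_renewal over every request in `text`; returns {request_id: [problems]}."""
    now = parse_time(now_str)
    window = timedelta(seconds=window_seconds)
    return {r["request_id"]: check_renewal(r, now, window) for r in parse_getcert_list(text)}


if __name__ == "__main__":
    # Pipe real output in (`ipa-getcert list | python3 check_getcert.py`);
    # with no piped input the constructed sample is audited instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    now = datetime.now(timezone.utc).strftime(TIME_FMT)
    for rid, problems in audit(text, now, 7 * 24 * 3600).items():
        print(rid, "OK" if not problems else "; ".join(problems))
```

Run against the sample with a clock set a few minutes after 21:39 UTC, the script reports exactly the symptom in the post: every tracking flag looks healthy, yet the certificate on disk is the expired one. Run from cron against live `ipa-getcert list` output, the same check turns a silently stalled renewal into an alert rather than an outage.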