Nevermind, it appears there may be some minimum amount of time before certmonger looks at a cert, and the amount of time is greater than my 10 minutes. I'll watch the logs overnight and adjust certificate validity to be slightly longer and continue my testing. Sorry for the noise!
On Tue, Aug 30, 2022 at 5:52 PM IPA Listmail ipalistmail@gmail.com wrote:
client: el8 ipa server: el7
I created a cert via: sudo ipa-getcert request -w -v -D <san1> -D <san2> -K PUPPET/$(hostname -f)\ -k /etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem\ -f /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem
Everything about the cert _appears_ to be fine. Openssl output looks normal and the puppet agent runs fine.
During testing I have radically reduced the certificate validity down to 10 minutes. The output of ipa-getcert list is:
Number of certificates and requests being tracked: 1. Request ID '20220830202305': status: MONITORING stuck: no key pair storage: type=FILE,location='/etc/puppetlabs/puppet/ssl/private_keys/ip-10-0-82-56.eu-west-1.compute.internal.pem'
certificate:
type=FILE,location='/etc/puppetlabs/puppet/ssl/certs/ip-10-0-82-56.eu-west-1.compute.internal.pem'
CA: IPA issuer: CN=Certificate Authority,O=DOMAIN.COM 20220829230619 subject: CN=ip-10-0-82-56.eu-west-1.compute.internal,O=DOMAIN.COM
20220829230619 issued: 2022-08-30 21:29:11 UTC expires: 2022-08-30 21:39:11 UTC dns: ip-10-0-82-56.eu-west-1.compute.internal principal name: host/ ip-10-0-82-56.eu-west-1.compute.internal@DOMAIN.COM key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes
However, it never actually updates before (or after) expiration. I have tried restarting the service and rebooting. This is happening on two hosts. I see no failures in the log or anything in the log after the last resubmit command. I have manually used rekey and resubmit. Both worked fine. Using a blog post from Fraser, I tried start-tracking with --no-renew, then --renew. I looked for errors. The only thing that seem kind of odd to me is in /var/lib/certmonger/requests/20220830202305: last_need_notify_check=20220830205312 last_need_enroll_check=20220830205312