client: el8
ipa server: el7

I created a cert via:

    sudo ipa-getcert request -w -v -D <san1> -D <san2> -K PUPPET/$(hostname -f) \
        -k /etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem \
        -f /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem
Everything about the cert _appears_ to be fine. Openssl output looks normal and the puppet agent runs fine.
During testing I have radically reduced the certificate validity down to 10 minutes. The output of ipa-getcert list is:
    Number of certificates and requests being tracked: 1.
    Request ID '20220830202305':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/etc/puppetlabs/puppet/ssl/private_keys/ip-10-0-82-56.eu-west-1.compute.internal.pem'
        certificate: type=FILE,location='/etc/puppetlabs/puppet/ssl/certs/ip-10-0-82-56.eu-west-1.compute.internal.pem'
        CA: IPA
        issuer: CN=Certificate Authority,O=DOMAIN.COM 20220829230619
        subject: CN=ip-10-0-82-56.eu-west-1.compute.internal,O=DOMAIN.COM 20220829230619
        issued: 2022-08-30 21:29:11 UTC
        expires: 2022-08-30 21:39:11 UTC
        dns: ip-10-0-82-56.eu-west-1.compute.internal
        principal name: host/ip-10-0-82-56.eu-west-1.compute.internal@DOMAIN.COM
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
However, it never actually updates before (or after) expiration. I have tried restarting the service and rebooting. This is happening on two hosts. I see no failures in the log or anything in the log after the last resubmit command. I have manually used rekey and resubmit. Both worked fine. Using a blog post from Fraser, I tried start-tracking with --no-renew, then --renew. I looked for errors. The only thing that seems kind of odd to me is in /var/lib/certmonger/requests/20220830202305:

    last_need_notify_check=20220830205312
    last_need_enroll_check=20220830205312
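A small check for exactly this failure mode, added here as an example and not part of the post or of certmonger: it parses the stanza layout that `ipa-getcert list` prints (the sample output and the clock value below are constructed) and reports tracked requests whose certificate has already expired, or expires within a window, while certmonger still reports MONITORING with auto-renew on.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout ipa-getcert list prints (not the poster's
# output): one request past its 'expires' time yet still MONITORING, one fine.
SAMPLE = """Number of certificates and requests being tracked: 2.
Request ID '20220830202305':
\tstatus: MONITORING
\tcertificate: type=FILE,location='/etc/puppetlabs/puppet/ssl/certs/host1.pem'
\texpires: 2022-08-30 21:39:11 UTC
\tpre-save command:
\ttrack: yes
\tauto-renew: yes
Request ID '20220830202306':
\tstatus: MONITORING
\tcertificate: type=FILE,location='/etc/puppetlabs/puppet/ssl/certs/host2.pem'
\texpires: 2022-09-30 21:29:11 UTC
\tpre-save command:
\ttrack: yes
\tauto-renew: yes
"""
# Constructed "current time": a few minutes after the first cert expired.
NOW = datetime(2022, 8, 30, 21, 45, tzinfo=timezone.utc)


def parse_getcert_list(text):
    """One dict of 'key: value' fields per Request ID stanza."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and line[:1].isspace():
            # fields with no value (e.g. 'pre-save command:') become ""
            key, _, value = line.strip().partition(":")
            requests[-1][key.strip()] = value.strip()
    return requests


def overdue_requests(text, now, window=timedelta(0)):
    """IDs whose cert expires within `window` of `now` (or already has) while
    certmonger still shows MONITORING with auto-renew on: a renewal that
    should have fired but did not."""
    overdue = []
    for req in parse_getcert_list(text):
        if req.get("auto-renew") != "yes" or req.get("status") != "MONITORING":
            continue
        # 'expires: 2022-08-30 21:39:11 UTC' -> timezone-aware datetime
        expires = datetime.strptime(req["expires"][:-4], "%Y-%m-%d %H:%M:%S")
        if expires.replace(tzinfo=timezone.utc) - now <= window:
            overdue.append(req["id"])
    return overdue
```

Feed it the real output with `overdue_requests(subprocess.check_output(["ipa-getcert", "list"], text=True), datetime.now(timezone.utc))` and a window slightly larger than the CA's renewal lead time to catch stuck renewals before the cert actually lapses.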