Hello,

our FreeIPA was running with correct certificates for 2 years (subject "CN=ipa.hq.company,O=HQ.COMPANY"). Unfortunately, the new certificates (ocspSigningCert, auditSigningCert) were recreated with a simple "CN=localhost" (automatically), i.e. the original value "CN=ipa.hq.company,O=HQ.COMPANY" was ignored by certmonger.

If you have some knowledge of the FreeIPA internals, can you point me in the right direction so that I could debug and/or fix this rotation bug, please?

Thank you,
LG


certmonger-0.79.13-3.el8.x86_64
ipa-server-4.9.6-10.module+el8.5.0+13587+92118e57.x86_64


# getcert list

Request ID '20200324213127':
    status: MONITORING
    stuck: no
:
    CA: IPA
    issuer: CN=Certificate Authority,O=HQ.COMPANY
    subject: CN=ipa.hq.company,O=HQ.COMPANY
    expires: 2022-03-25 22:31:28 CET
    principal name: krbtgt/[email protected]
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-pkinit-KPKdc
    profile: KDCs_PKINIT_Certs
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
    track: yes
    auto-renew: yes
Request ID '20210120221127':
    status: MONITORING
    stuck: no
:
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=HQ.COMPANY
    subject: CN=localhost
    expires: 2024-02-04 22:29:37 CET
    key usage: digitalSignature,nonRepudiation
    profile: caSignedLogCert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20210120221129':
    status: MONITORING
    stuck: no
:
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=HQ.COMPANY
    subject: CN=localhost
    expires: 2024-02-04 22:28:36 CET
    eku: id-kp-OCSPSigning
    profile: caOCSPCert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
<snip>
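A practical way to catch this kind of subject drift on a server is to audit the certmonger tracking records rather than reading `getcert list` by eye. The following is an added example, not code from the post or from the FreeIPA or certmonger projects: a POSIX shell check that parses `getcert list` output and reports every tracked request whose subject differs from the expected DN, exiting non-zero so it can sit in a cron or monitoring job. `EXPECTED_SUBJECT`, the function names and the embedded sample (constructed from the output above, trimmed to the fields the check uses) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeIPA/certmonger.
# Parses `getcert list` output and flags tracked requests whose subject
# is not the expected DN (e.g. the CN=localhost subjects seen above).

# Assumed: the DN every certificate in this deployment should carry.
EXPECTED_SUBJECT='CN=ipa.hq.company,O=HQ.COMPANY'

# Constructed sample of `getcert list` output (three requests; two carry
# the unexpected CN=localhost subject, matching the post).
SAMPLE_GETCERT=$(cat <<'EOF'
Request ID '20200324213127':
    status: MONITORING
    subject: CN=ipa.hq.company,O=HQ.COMPANY
    post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
Request ID '20210120221127':
    status: MONITORING
    subject: CN=localhost
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
Request ID '20210120221129':
    status: MONITORING
    subject: CN=localhost
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
EOF
)

# find_bad_subjects WANTED_DN  (reads getcert output on stdin)
# Prints one tab-separated line per mismatching request:
#   <request id>  <subject>  <post-save command>
find_bad_subjects() {
    awk -v want="$1" -v q="'" '
        # Emit the record collected so far if its subject is not the wanted DN.
        function flush() {
            if (id != "" && subj != want) printf "%s\t%s\t%s\n", id, subj, post
        }
        /^Request ID / {
            flush()
            id = $0
            sub(/^Request ID /, "", id)   # drop the prefix
            gsub(q, "", id)               # drop the surrounding quotes
            sub(/:$/, "", id)             # drop the trailing colon
            subj = ""; post = ""
        }
        /^[[:space:]]*subject: / {
            subj = $0; sub(/^[[:space:]]*subject: /, "", subj)
        }
        /^[[:space:]]*post-save command: / {
            post = $0; sub(/^[[:space:]]*post-save command: /, "", post)
        }
        END { flush() }
    '
}

# check_subjects WANTED_DN  (reads getcert output on stdin)
# Returns 1 and prints the offending requests on stderr when any tracked
# certificate has an unexpected subject; returns 0 otherwise.
check_subjects() {
    bad=$(find_bad_subjects "$1")
    if [ -n "$bad" ]; then
        printf 'tracked certificate(s) with unexpected subject:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Demo on the constructed sample. On a real server run:
#   getcert list | check_subjects "$EXPECTED_SUBJECT"
printf '%s\n' "$SAMPLE_GETCERT" | check_subjects "$EXPECTED_SUBJECT" \
    || echo "mismatches found (exit status $?)"
```

The check only compares the subject DN, which is the field that went wrong here; the same record parser can be extended to compare `issuer:` or `profile:` against expected values if renewal drift in those fields is a concern.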
_______________________________________________
FreeIPA-users mailing list -- [email protected]