[Freeipa-users] certmonger question

[Nalin Dahyabhai]

On Tue, Nov 11, 2014 at 08:48:18AM +0100, Natxo Asenjo wrote:
> 2014-11-11 08:34:33 [11677] Certificate "Local Signing Authority"
> valid for 31473668s.
> 2014-11-11 08:34:33 [11677] Running result is 1481416576.
> 2014-11-11 08:34:33 [11677] Final result is 1481416576.

Okay, that's weird.  The result being tallied here is the earliest of
the not-valid-after times for the CA's certificate, but on my
development box, those numbers are coming back scaled up by a factor of
a million.  That suggests that the logic that determines how long to
wait before trying to fetch new data is somehow arriving at a much lower
value than it should, which would explain why it immediately polls for a
new local signer certificate.

Since you mention that this seems to be specific to 32-bit boxes, I
think I need to switch to that one to try to sort out what's happening
here, since I'm on a 64-bit box.

[snip]

> # CACert, ipa, etc, domain.tld
> dn: cn=CACert,cn=ipa,cn=etc,dc=domain,dc=tld
> cACertificate;binary:: TUlJRG5EQ0NBb1NnQXdJQkFnSUJBVEFOQmdrcWhraUc5dzBCQVFzRkF
>  EQTdNUmt3RndZRFZRUUtFeEJWVGtsWUxrbFNTVk5hVDFKSExrNU1NUjR3SEFZRFZRUURFeFZEWlhK
>  MGFXWnBZMkYwWlNCQmRYUm9iM0pwZEhrd0hoY05NVEl4TVRBM01qRXlOREUxV2hjTk1qQXhNVEEzT
>  WpFeU5ERTFXakE3TVJrd0Z3WURWUVFLRXhCVlRrbFlMa2xTU1ZOYVQxSkhMazVNTVI0d0hBWURWUV
>  FERXhWRFpYSjBhV1pwWTJGMFpTQkJkWFJvYjNKcGRIa3dnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUF
>  BNElCRHdBd2dnRUtBb0lCQVFDeTJXVnk3UWtIaXVFTlcvemtNZUQ0SUxvcU9ydXVZS3ZiMitycWV1
>  STlpdyt6QkJ0NTY5WFN4cmdjeWVUcTBHNjNSamJYZ3JBem90NEVoWWc2TW9lcERWQ24wQm51clVmZ
>  2JDZjVSMEVib2lnamJvaDVNR25QeWxIZWZMUkdBUk5VQ3djVEdBNHVSOVpRTC9yRVVxV2t0bVpqYW
>  5ZRXZPUDhVQmV1cTVXUDVlbWFYOFUwM1N6TUErY1FUOXcvengwZUFPWWdaVzV5eDNhQTVRNEZ1OHF
>  XcU1HR0FPQTZ5RFFXcW1JcGd4aUZISFJhN2hRSzRBamVIZ3ZhQ29sYVU5NzlMaDVqQXYvWHdyWXRv
>  azFHK1VWRXA0NUlOcGZ4cjVkTGUwM29nblBGUFowL3h3YkJxdHQvMnFuNnJrNEw0dWtINFA5ZzRSd
>  zBvN1UxeUpWeC9TT0pBZ01CQUFHamdhb3dnYWN3SHdZRFZSMGpCQmd3Rm9BVW81ZmtpaTY0eno3cU
>  0vSzhrOVlqM3FtRU5tZ3dEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU9CZ05WSFE4QkFmOEVCQU1DQWN
>  Zd0hRWURWUjBPQkJZRUZLT1g1SW91dU04KzZqUHl2SlBXSTk2cGhEWm9NRVFHQ0NzR0FRVUZCd0VC
>  QkRnd05qQTBCZ2dyQmdFRkJRY3dBWVlvYUhSMGNEb3ZMMnRrWXpBeExuVnVhWGd1YVhKcGMzcHZjb
>  WN1Ym13Nk9EQXZZMkV2YjJOemNEQU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFKMjhnZG96ZC9wdE
>  9NNVBUS0t3eVYrb3RPL3drM3lFcnNseHBOVWhSWmdTTlV3VCt0NnRmRi9qK2pKUlY1c1grankwOWM
>  5RG8rcDNIeTlnUm5JVkpPTkRTY3ZNVjluRGM3NUM2SkdYVStGZE5KSitEYnBlcC9Sc1FqSHJaK3Vu
>  d0l5QVdvT3BCb2w4c0d6TjV0WGJlby9NNm1HRnhhQlRIMUdLdGd2NENLYnpRQW90dk1hR3h6S2pTY
>  0hSc0dhZXJOU0NacC85MHlSSnlwQzNNT29zVUZjRmw0Q29ZSEI0MlhEVHpqdnpaUWNhRk5jZ1lYT2
>  NpdWp3d1lITnpzU3FZY0lLRlNXdVd2TisrN2c0eXhRTWx1OFFXME1zL1BudG1UbU8yY0RkTkkxdHV
>  qVnlCS2U1OTl5NE8vRXMvTUJHdER0VkE4NUFMa3NKT1UyN2JqdHZiQmc9PQ==
> 
> # search result
> search: 4
> result: 0 Success

Yup.  If you trim the whitespace and run that through 'base64 -d',
you'll see base64-encoded data.  If you run _that_ through 'base64 -d',
you'll get the certificate, which confirms that it was double-encoded,
as I think Martin noted.

[snip]

> So there is something wrong but how come I only see this in this
> client after upgrading it to centos 6.6?

Not specifically.  Caching the root certificate (for the "IPA" and
"local" signers, anyway), is new functionality that was added for other
users.

HTH,

Nalin