Issued:

2015-07-22

Updated:

2015-07-22

RHBA-2015:1379 - certmonger bug fix and enhancement update

Synopsis

certmonger bug fix and enhancement update

Type/Severity

Bug Fix Advisory

Topic

Updated certmonger packages that fix two bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

Description

The certmonger service monitors certificates, warns of their impending expiration, and optionally attempts to renew certificates by enrolling the system with a certificate authority (CA).

This update fixes the following bugs:

• Prior to this update, after the user upgraded from Red Hat Enterprise Linux 6.5 to Red Hat Enterprise Linux 6.6 and rebooted the system, certmonger in some cases erroneously exited shortly after starting or performed a series of unnecessary checks for new certificates. A patch has been applied to fix this bug, and these problems no longer occur in the described situation. (BZ#1163023)

• Previously, the "getcert list" command did not display the "pre-save command" and "post-save command" values. As a consequence, running "getcert list" could return incomplete results. With this update, the problem has been fixed, and running "getcert list" displays the "pre-save command" and "post-save command" values as expected. (BZ#1178190)

In addition, this update adds the following enhancements:

• The certmonger service now supports the Simple Certificate Enrollment Protocol (SCEP). For obtaining certificates from servers, the user can now offer enrollment over SCEP. (BZ#1161768)

• Requesting a certificate using the getcert utility during an IdM client kickstart enrollment no longer requires certmonger to be running. Previously, an attempt to do this failed because certmonger was not running. With this update, getcert can successfully request a certificate in the described situation, on the condition that the D-Bus daemon is not running. Note that certmonger requires a system reboot to start monitoring the certificate obtained in this way. (BZ#1169806)

• Previously, after the user ran the "getcert list" command, the output included the PIN value if it was set for the certificate. Consequently, the user could unintentionally expose the PIN, for example by publicly sharing the output of the command. With this update, the "getcert list" output only contains a note that a PIN is set for the certificate. As a result, the PIN value itself is no longer displayed in the "getcert list" output. (BZ#1222595)

Users of certmonger are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

Updated Packages

• certmonger-debuginfo-0.77.5-1.el6.x86_64.rpm
• certmonger-0.77.5-1.el6.x86_64.rpm
• certmonger-0.77.5-1.el6.s390x.rpm
• certmonger-0.77.5-1.el6.ppc64.rpm
• certmonger-0.77.5-1.el6.src.rpm
• certmonger-0.77.5-1.el6.i686.rpm
• certmonger-debuginfo-0.77.5-1.el6.ppc64.rpm
• certmonger-debuginfo-0.77.5-1.el6.s390x.rpm
• certmonger-debuginfo-0.77.5-1.el6.i686.rpm

Fixes

• This content is not included.BZ - 1144082
• This content is not included.BZ - 1161768
• This content is not included.BZ - 1163023
• This content is not included.BZ - 1178190
• This content is not included.BZ - 1219643
• This content is not included.BZ - 1222595

CVEs

(none)

References

(none)

Additional information

• The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at Security Contacts and Procedures.
• Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.