Certificate renewal might fail on a second renewal #17510

Closed
roperzh opened this issue Mar 8, 2024 · 2 comments
Labels
bug Something isn't working as documented bug-mac-enrollment Defect in Mac enrollment. #g-mdm MDM product group :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. ~released bug This bug was found in a stable release.

Comments

roperzh commented Mar 8, 2024

Fleet version: 4.46.x


💥  Actual behavior

I forced a certificate renewal twice on the same device and got the following error in the server logs:

fiVUEe/GW+aMcWLb4UroPq+651AJDH5cGdA==" err="running job" details="sending InstallProfile command for hosts [{419D46EC-06E6-557C-AD52-601BA0667730 4e3981886c9ee236f8557ae912feccecd85d792721c825a3ce66d4d55cb55e31  } {419D46EC-06E6-557C-AD52-601BA0667730 555e7d9699306b46c204431df2a6f54aecb4c311dcae5e14b054bd217469d6ec  }]: commander install profile: enqueuing command: Error 1062 (23000): Duplicate entry '419D46EC-06E6-557C-AD52-601BA0667730-61bfc4af-e3fe-458e-a77b-b0d' for key 'PRIMARY'" jobID=renew_scep_certificates

🧑‍💻  Steps to reproduce

  1. Pick a macOS host with MDM features turned on and grab its uuid
  2. Force a certificate renewal
  3. Wait until the cert renewal succeeds
  4. Force a certificate renewal, observe error in fleet server logs

How to force a certificate renewal

In MySQL:

update nano_cert_auth_associations set cert_not_valid_after = CURDATE() + INTERVAL 1 DAY where id = "HOST_UUID_HERE";

In a terminal:

fleetctl trigger --name cleanups_then_aggregation
roperzh added the bug, :release, ~released bug, #g-mdm and bug-mac-enrollment labels Mar 8, 2024

roperzh commented Mar 8, 2024

Closing as this was happening due to the way I was forcing the renewal.

roperzh closed this as completed Mar 8, 2024
@fleet-release

Renewal may fail twice,
Fleet's seamless fix will bring peace,
Secure device, no strife.
