certmonger processes turn into zombies on start

Bug #1509484 reported by Marlin Cremers
This bug affects 3 people
Affects: certmonger (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned

Bug Description

Certmonger processes being started immediately turn into zombies.

Certmonger has been set up through the FreeIPA installer, if that helps.

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: certmonger 0.78.4-1
ProcVersionSignature: Ubuntu 4.2.0-16.19-generic 4.2.3
Uname: Linux 4.2.0-16-generic x86_64
ApportVersion: 2.19.1-0ubuntu3
Architecture: amd64
Date: Fri Oct 23 21:12:19 2015
InstallationDate: Installed on 2015-09-02 (50 days ago)
InstallationMedia: Ubuntu-Server 15.04 "Vivid Vervet" - Release amd64 (20150422)
SourcePackage: certmonger
UpgradeStatus: Upgraded to wily on 2015-10-23 (0 days ago)

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in certmonger (Ubuntu):
status: New → Confirmed
Changed in certmonger (Ubuntu):
importance: Undecided → Medium
Timo Aaltonen (tjaalton) wrote :

This should be fixed in xenial.

Changed in certmonger (Ubuntu):
status: Confirmed → Fix Released
moritz.kuehner (moritz-kuehner) wrote :

It is not! I still have 39 zombies right now. At least it is not fixed in certmonger 0.78.6-3.

Timo Aaltonen (tjaalton) wrote :

What does 'getcert list-cas' say? I guess the zombies were due to ipa-client-install bugs or such, and could be you need to fix things manually...

moritz.kuehner (moritz-kuehner) wrote :

CA 'SelfSign':
 is-default: no
 ca-type: INTERNAL:SELF
 next-serial-number: 01
CA 'IPA':
 is-default: no
 ca-type: EXTERNAL
 helper-location: /usr/libexec/certmonger/ipa-server-guard /usr/lib/x86_64-linux-gnu/certmonger/ipa-submit
CA 'certmaster':
 is-default: no
 ca-type: EXTERNAL
 helper-location: /usr/lib/x86_64-linux-gnu/certmonger/certmaster-submit
CA 'dogtag-ipa-renew-agent':
 is-default: no
 ca-type: EXTERNAL
 helper-location: /usr/libexec/certmonger/ipa-server-guard /usr/lib/x86_64-linux-gnu/certmonger/dogtag-ipa-renew-agent-submit
CA 'local':
 is-default: no
 ca-type: EXTERNAL
 helper-location: /usr/lib/x86_64-linux-gnu/certmonger/local-submit
CA 'dogtag-ipa-ca-renew-agent':
 is-default: no
 ca-type: EXTERNAL
 helper-location: /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit

>and could be you need to fix things manually...
How? I mean I don't even know what the problem was/is.

Timo Aaltonen (tjaalton) wrote :

The helper locations are wrong; the prefix should be /usr/lib/certmonger.

Two ways to fix:
1) shut down certmonger, edit /var/lib/certmonger/cas/* to use correct paths
2) use 'getcert modify-ca' to edit the paths

moritz.kuehner (moritz-kuehner) wrote :

Thanks, I was able to fix the paths of the helpers and now certmonger is indeed not spawning a zombie army anymore.

Point of note to others:
Some of the helpers are in '/usr/lib/x86_64-linux-gnu/certmonger/', some in '/usr/lib/certmonger/'; just use locate to find them.

So I can now say this bug is indeed fixed. Thanks to Timo.

Timo Aaltonen (tjaalton) wrote :

If you're on up-to-date xenial, the helpers should all be in /usr/lib/certmonger.

Harri-afaics (harri-afaics) wrote :

I am affected by this problem, too (using certmonger 0.78.6-4 and freeipa 4.4.4-1+b1 on Stretch). The paths are different, though: getcert lists helper paths in /usr/lib/x86_64-linux-gnu/certmonger, but they can be found in /usr/lib/certmonger.

What would you suggest to fix this problem for >120 hosts and to avoid it for future client installations?

Harri-afaics (harri-afaics) wrote :

PS: It seems that this was broken by a previous certmonger/ipaclient installation. If I set up a new host using certmonger 0.78.6-4 and freeipa 4.4.4-1+b1, then there are no zombies.

I think that's fine.

Timo Aaltonen (tjaalton) wrote :

Yes, I was afraid to mangle the helpers in /var/lib/certmonger/cas/* in postinst, so old installations remain broken unless fixed by hand.

Harri-afaics (harri-afaics) wrote :

I think that this problem should still be fixed. Having a zombie instead of a syslog entry is not very nice. "systemctl status certmonger" did not indicate any problem, even though the certificates were not updated (if I got this correctly).
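
Added example, not part of the bug thread and not code from certmonger or the Ubuntu package: a read-only check for the condition discussed above, where a CA's helper-location points at a path that no longer exists and "systemctl status certmonger" shows nothing wrong. It parses the 'getcert list-cas' format quoted earlier in the thread; the function names and the sample paths (/bin/sh as a stand-in helper, /nonexistent-example/...) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the bug thread): list certmonger CA helpers whose
# configured path is not an executable file.

# Reads 'getcert list-cas' output on stdin; prints "<CA name><TAB><path>"
# for every absolute path on a helper-location line that is not executable.
find_missing_helpers() {
    ca=""
    while IFS= read -r line; do
        case "$line" in
            "CA '"*"':")
                # Header line of the form: CA 'NAME':
                ca=${line#"CA '"}
                ca=${ca%"':"}
                ;;
            *helper-location:*)
                # The value is a command line: a guard wrapper may precede
                # the submit helper, so test every absolute path in it.
                value=${line#*helper-location:}
                for token in $value; do
                    case "$token" in
                        /*) [ -x "$token" ] || printf '%s\t%s\n' "$ca" "$token" ;;
                    esac
                done
                ;;
        esac
    done
}

# Constructed sample in the format shown in the thread. /bin/sh stands in for
# a helper that exists; the /nonexistent-example path is a placeholder.
sample_list_cas() {
    cat <<'EOF'
CA 'SelfSign':
 is-default: no
 ca-type: INTERNAL:SELF
CA 'IPA':
 is-default: no
 ca-type: EXTERNAL
 helper-location: /bin/sh /nonexistent-example/certmonger/ipa-submit
CA 'local':
 is-default: no
 ca-type: EXTERNAL
 helper-location: /bin/sh
EOF
}

sample_list_cas | find_missing_helpers
# On a real host: getcert list-cas | find_missing_helpers
```

Empty output means every configured helper path is executable; any line printed names a CA whose entry needs one of the two fixes given in the thread.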
