Travis West via FreeIPA-users wrote:
Rob,
I installed the ipa-healthcheck that you got to work on CentOS 7, and ran it. Got a couple of errors regarding the RA Agent cert:
[
  {
    "source": "ipahealthcheck.ipa.certs",
    "kw": {
      "msg": "Certificate validation for /var/lib/ipa/ra-agent.pem failed: ",
      "reason": "",
      "key": "/var/lib/ipa/ra-agent.pem"
    },
    "uuid": "a855346c-4998-4415-a819-ce83048e174e",
    "duration": "0.100214",
    "when": "20240404141916Z",
    "check": "IPAOpenSSLChainValidation",
    "result": "ERROR"
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "kw": {
      "msg": "RA agent not found in LDAP"
    },
    "uuid": "b6efdb6c-ca33-4421-bdc5-c449e7d64591",
    "duration": "0.027569",
    "when": "20240404141916Z",
    "check": "IPARAAgent",
    "result": "ERROR"
  }
It runs: openssl verify -verbose -show_chain -CAfile /etc/ipa/ca.crt /var/lib/ipa/ra-agent.pem
That first error, I'm not sure about what kind of validation it's performing. In my asn.1 output earlier I did include the ra-agent.pem and it looks like it's correctly signed. As far as the "RA agent not found in LDAP", it looks to me like it is, and it matches the cert in /var/lib/ipa/ra-agent.pem.
# ldapsearch -D "cn=directory manager" -W -b uid=ipara,ou=people,o=ipaca
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=ipara,ou=people,o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ipara, people, ipaca
dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=Certificate Authority,O=IPA.****.NET;CN=IPA RA,O=IPA.****.NET
userCertificate:: MIID6j...ssifAg==
uid: ipara
sn: ipara
usertype: agentType
userstate: 1
objectClass: cmsuser
objectClass: top
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: person
cn: ipara

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

# cat ra-agent.pem
-----BEGIN CERTIFICATE-----
MIID6j...ssifAg==
-----END CERTIFICATE-----
Watch the 389-ds access log (buffer) while healthcheck runs. You should see the failed search and the reason may be enlightening (or not).
You can also add --debug to the command and maybe that will help.
rob
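A small shell helper for the step Rob describes, added here as an example and not part of the thread or of ipa-healthcheck itself. It pairs SRCH and RESULT lines from a 389-ds access log by conn/op and prints the searches under the RA agent entry (uid=ipara,ou=people,o=ipaca) that came back with a non-zero err= or nentries=0, which is what "RA agent not found in LDAP" should look like from the directory server's side. The log lines embedded below are constructed samples in 389-ds access-log format, not output from the poster's server; the instance name in the log path is a placeholder.

```shell
#!/bin/sh
# Constructed sample access-log lines (389-ds format); not real server output.
# conn=42 op=3 is a lookup of the RA agent entry that fails with err=32
# (noSuchObject); conn=43 op=1 is the same lookup succeeding.
SAMPLE_LOG='[04/Apr/2024:14:19:16.100214 +0000] conn=42 op=3 SRCH base="uid=ipara,ou=people,o=ipaca" scope=0 filter="(objectClass=*)" attrs="userCertificate description"
[04/Apr/2024:14:19:16.100300 +0000] conn=42 op=3 RESULT err=32 tag=101 nentries=0 wtime=0.000100 optime=0.000050 etime=0.000150
[04/Apr/2024:14:19:16.200000 +0000] conn=42 op=4 SRCH base="cn=users,cn=accounts,dc=ipa,dc=example,dc=net" scope=2 filter="(uid=admin)" attrs=ALL
[04/Apr/2024:14:19:16.200100 +0000] conn=42 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000100 optime=0.000050 etime=0.000150
[04/Apr/2024:14:19:17.000000 +0000] conn=43 op=1 SRCH base="uid=ipara,ou=people,o=ipaca" scope=0 filter="(objectClass=*)" attrs=ALL
[04/Apr/2024:14:19:17.000100 +0000] conn=43 op=1 RESULT err=0 tag=101 nentries=1 wtime=0.000100 optime=0.000050 etime=0.000150'

# Reads access-log lines on stdin. Prints one line per search whose base DN
# contains $1 (default: the RA agent entry) and whose RESULT has err!=0 or
# nentries=0. Output columns: conn op err= nentries= base
find_failed_searches() {
    base_pat="${1:-uid=ipara,ou=people,o=ipaca}"
    awk -v want="$base_pat" '
        # SRCH line: remember the base DN, keyed by conn/op
        / SRCH / {
            if (match($0, /base="[^"]*"/)) {
                b = substr($0, RSTART + 6, RLENGTH - 7)
                for (i = 1; i <= NF; i++) { if ($i ~ /^conn=/) c = $i; if ($i ~ /^op=/) o = $i }
                base[c " " o] = b
            }
            next
        }
        # RESULT line: look up the matching SRCH and flag failures
        / RESULT / {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^conn=/) c = $i
                if ($i ~ /^op=/) o = $i
                if ($i ~ /^err=/) e = substr($i, 5)
                if ($i ~ /^nentries=/) n = substr($i, 10)
            }
            k = c " " o
            if (k in base && index(base[k], want) && (e != 0 || n == 0)) {
                print c, o, "err=" e, "nentries=" n, base[k]
            }
            delete base[k]
        }'
}

# Demo on the constructed sample (prints the conn=42 op=3 failure only).
printf '%s\n' "$SAMPLE_LOG" | find_failed_searches

# Live use on an IPA server, in one terminal while healthcheck runs in
# another (slapd-INSTANCE is a placeholder for the actual instance name):
#   tail -n0 -F /var/log/dirsrv/slapd-INSTANCE/access | find_failed_searches
#   ipa-healthcheck --debug --source ipahealthcheck.ipa.certs --check IPARAAgent
```

Because the access log is buffered by default (the "(buffer)" in Rob's note), lines may arrive with a delay; the dirsrv attribute nsslapd-accesslog-logbuffering controls that buffering if you need the lines immediately. A hit with err=32 points at the entry not being where the check looks for it; err=0 with nentries=1 means the entry was found and the mismatch is in the attributes the check compares (description and userCertificate), which the --debug output should then show.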