Rob,
I installed the ipa-healthcheck that you got to work on CentOS 7, and ran it. Got a couple of errors regarding the RA Agent cert:
[
  {
    "source": "ipahealthcheck.ipa.certs",
    "kw": {
      "msg": "Certificate validation for /var/lib/ipa/ra-agent.pem failed: ",
      "reason": "",
      "key": "/var/lib/ipa/ra-agent.pem"
    },
    "uuid": "a855346c-4998-4415-a819-ce83048e174e",
    "duration": "0.100214",
    "when": "20240404141916Z",
    "check": "IPAOpenSSLChainValidation",
    "result": "ERROR"
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "kw": {
      "msg": "RA agent not found in LDAP"
    },
    "uuid": "b6efdb6c-ca33-4421-bdc5-c449e7d64591",
    "duration": "0.027569",
    "when": "20240404141916Z",
    "check": "IPARAAgent",
    "result": "ERROR"
  }
]
That first error, I'm not sure what kind of validation it's performing. In my asn.1 output earlier I did include the ra-agent.pem and it looks like it's correctly signed. As far as the "RA agent not found in LDAP", it looks to me like it is, and it matches the cert in /var/lib/ipa/ra-agent.pem.
# ldapsearch -D "cn=directory manager" -W -b uid=ipara,ou=people,o=ipaca
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=ipara,ou=people,o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ipara, people, ipaca
dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=Certificate Authority,O=IPA.****.NET;CN=IPA RA,O=IPA.****.NET
userCertificate:: MIID6j...ssifAg==
uid: ipara
sn: ipara
usertype: agentType
userstate: 1
objectClass: cmsuser
objectClass: top
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: person
cn: ipara

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
# cat ra-agent.pem
-----BEGIN CERTIFICATE-----
MIID6j...ssifAg==
-----END CERTIFICATE-----
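Added example, not part of this message and not ipa-healthcheck's own code: a POSIX shell script that reproduces the comparison behind an IPARAAgent result, rebuilding the "2;<serial>;<issuer>;<subject>" description and the DER certificate from a PEM file and checking them against an LDAP entry as ldapsearch prints it. It generates a throwaway CA and RA certificate (serial 7, with IPA.EXAMPLE.NET standing in for the masked realm) and constructed entries so that it runs offline; that the check compares the description and userCertificate values with the file is my reading of it, not a quote of its code.

```shell
#!/bin/sh
# Added example, not code from the thread or from ipa-healthcheck: rebuild the
# values the IPARAAgent check compares and test them against an LDAP entry.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Constructed CA and RA agent certificate (serial 7, like the entry in the message);
# IPA.EXAMPLE.NET stands in for the masked realm.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
  -subj "/O=IPA.EXAMPLE.NET/CN=Certificate Authority" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=IPA.EXAMPLE.NET/CN=IPA RA" \
  -keyout "$WORK/ra.key" -out "$WORK/ra.csr" 2>/dev/null
openssl x509 -req -in "$WORK/ra.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -set_serial 7 -days 365 -sha256 -out "$WORK/ra-agent.pem" 2>/dev/null
RA="$WORK/ra-agent.pem"

# Description FreeIPA keeps on uid=ipara: "2;<serial, decimal>;<issuer>;<subject>",
# DNs in RFC 2253 order (CN first), the form the ldapsearch output above shows.
expected_description() {
  serial_hex=$(openssl x509 -in "$1" -noout -serial | cut -d= -f2)
  issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
  subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  printf '2;%d;%s;%s\n' "$((0x$serial_hex))" "$issuer" "$subject"
}

# Single-line base64 of the DER, the form a userCertificate:: value takes in LDIF.
cert_b64() { openssl x509 -in "$1" -outform DER | base64 | tr -d '\n'; }

# Compare an LDIF entry ($2) with the PEM file ($1). Returns 0 only when both the
# description and userCertificate match; prints what differs otherwise.
check_ra_agent() {
  rc=0
  have_desc=$(printf '%s\n' "$2" | sed -n 's/^description: //p')
  have_cert=$(printf '%s\n' "$2" | sed -n 's/^userCertificate:: //p')
  [ "$(expected_description "$1")" = "$have_desc" ] ||
    { echo "description mismatch: LDAP has '$have_desc'"; rc=1; }
  [ "$(cert_b64 "$1")" = "$have_cert" ] ||
    { echo "userCertificate in LDAP is not the certificate in $1"; rc=1; }
  return $rc
}

# Constructed entries: one consistent with the file, one whose description still
# carries an older serial, so the entry exists but no longer describes this cert.
GOOD=$(printf 'dn: uid=ipara,ou=people,o=ipaca\ndescription: %s\nuserCertificate:: %s\n' \
  "$(expected_description "$RA")" "$(cert_b64 "$RA")")
STALE=$(printf '%s\n' "$GOOD" | sed 's/^description: 2;7;/description: 2;6;/')
check_ra_agent "$RA" "$GOOD" && echo "LDAP entry matches $RA"
check_ra_agent "$RA" "$STALE" || echo "stale entry detected"
```

Against a live server, replace the constructed GOOD entry with the output of the ldapsearch shown above and point RA at /var/lib/ipa/ra-agent.pem.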