Renaming creates a duplicate. There was already a 'caSigningCert
cert-pki-ca' present in the db. Now it shows two entries with the same
nick. This shouldn't happen, right? Should I delete 'DOMAIN.COM IPA CA'
instead (after restoring /etc/pki/pki-tomcat/alias/)? It had the same
contents as 'caSigningCert cert-pki-ca'. Here is what it looks like:
certutil -L -d /etc/pki/pki-tomcat/alias/

Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                       u,u,u
subsystemCert cert-pki-ca                     u,u,u
auditSigningCert cert-pki-ca                  u,u,Pu
ocspSigningCert cert-pki-ca                   u,u,u
caSigningCert cert-pki-ca                     CTu,Cu,Cu
caSigningCert cert-pki-ca                     CTu,Cu,Cu
I think that ipa-certupdate was adding the other nickname. I believe
this will prevent that.
rob
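As an added example (not code from the thread or from FreeIPA), here is a small Python check that parses `certutil -L` output and flags the three conditions discussed above: a nickname present twice, an expected FreeIPA nickname missing, and a CA-trusted certificate stored under an unexpected nickname such as 'DOMAIN.COM IPA CA'. The listing is constructed to mirror the state shown above, and the set of expected nicknames is assumed from the names appearing in this thread.

```python
"""Added example: audit an NSS DB listing for the nickname problems in this thread."""
import re
from collections import Counter

# Nicknames FreeIPA expects in /etc/pki/pki-tomcat/alias (taken from the listing above)
EXPECTED_NICKS = {
    "caSigningCert cert-pki-ca",
    "ocspSigningCert cert-pki-ca",
    "subsystemCert cert-pki-ca",
    "auditSigningCert cert-pki-ca",
    "Server-Cert cert-pki-ca",
}

# Constructed sample of `certutil -L -d /etc/pki/pki-tomcat/alias/` output that
# reproduces the broken state: a duplicated CA nickname plus the stray 'DOMAIN.COM IPA CA'.
SAMPLE_LISTING = """\
Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                         u,u,u
subsystemCert cert-pki-ca                       u,u,u
auditSigningCert cert-pki-ca                    u,u,Pu
ocspSigningCert cert-pki-ca                     u,u,u
caSigningCert cert-pki-ca                       CTu,Cu,Cu
caSigningCert cert-pki-ca                       CTu,Cu,Cu
DOMAIN.COM IPA CA                               CTu,Cu,Cu
"""

# nickname, then 2+ spaces, then the three comma-separated trust flag groups
ENTRY_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")

def parse_certutil_listing(text):
    """Return (nickname, trust) pairs from certutil -L output, skipping the header."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("nick"), m.group("trust")))
    return entries

def audit_nss_db(entries, expected=EXPECTED_NICKS):
    """Flag duplicate nicknames, missing expected nicknames, and CA-trusted
    certs ('C' in the SSL trust flags) stored under an unexpected nickname."""
    counts = Counter(nick for nick, _ in entries)
    return {
        "duplicates": sorted(n for n, c in counts.items() if c > 1),
        "missing": sorted(expected - set(counts)),
        "stray_ca": sorted({n for n, t in entries
                            if "C" in t.split(",")[0] and n not in expected}),
    }
```

Calling audit_nss_db(parse_certutil_listing(SAMPLE_LISTING)) on the sample reports the duplicated 'caSigningCert cert-pki-ca' and the stray 'DOMAIN.COM IPA CA'; feed it real certutil output to check a server before and after the rename.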
On Tue, Dec 22, 2020 at 10:22 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
Prasun Gera wrote:
> Thanks, Rob. Here are the outputs:
>
> certutil -L -d /etc/pki/pki-tomcat/alias/
>
> Certificate Nickname                          Trust Attributes
>                                               SSL,S/MIME,JAR/XPI
>
> Server-Cert cert-pki-ca                       u,u,u
> subsystemCert cert-pki-ca                     u,u,u
> auditSigningCert cert-pki-ca                  u,u,Pu
> ocspSigningCert cert-pki-ca                   u,u,u
> caSigningCert cert-pki-ca                     CTu,Cu,Cu
> DOMAIN.COM IPA CA                             CTu,Cu,Cu
That identifies one problem. The nickname that is currently
'DOMAIN.COM IPA CA' should be 'caSigningCert cert-pki-ca'.
To fix:
1. ipa cert-show 1 (output doesn't matter, just shouldn't be an error)
2. ipactl stop
3. backup /etc/pki/pki-tomcat/alias/* someplace safe
4. certutil --rename -d /etc/pki/pki-tomcat/alias/ --new-n 'caSigningCert cert-pki-ca' -n 'DOMAIN.COM IPA CA'
5. ipactl start
6. ipa cert-show 1 (again, should return a cert)
> getcert list -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca'
> Number of certificates and requests being tracked: 9.
> Request ID '20201221144720':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=DOMAIN.COM
>         subject: CN=Certificate Authority,O=DOMAIN.COM
>         expires: 2040-12-21 06:51:45 EST
>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>         profile: caCACert
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
>
> The other thing I tried was ipa-server-upgrade, which does resolve the
> 2nd failure. It adds the missing tracking. However, if I run
> ipa-certupdate after that, the error appears again. It appears that
> ipa-certupdate clears it. One thing worth mentioning is that I had
> run ipa-cacert-manage renew earlier. Is this related to it somehow? I'm
> not entirely sure why there are two certificates with two serial
> numbers. They both have the same validity dates, only different times.
> One is off by 1 hour.
Interesting. I'm not sure why ipa-certupdate would affect the certmonger
tracking. This may also be failing due to the nickname.
ipa-cacert-manage renews the CA cert. So you renewed your CA, which is
unnecessary this far ahead of expiration. It definitely explains the
dogtag healthcheck issue.
Doing the rename may fix the ipa-certupdate issue.
rob
>
> On Mon, Dec 21, 2020 at 10:53 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
>
> Prasun Gera via FreeIPA-users wrote:
> > I'm seeing the following two errors on running ipahealthcheck. This is
> > on an up-to-date RHEL 8.3 system in a 2-server topology with
> > self-signed CA.
> >
> > DOMAIN.COM IPA CA not found, assuming 3rd party
> > DOMAIN.COM IPA CA not found, assuming 3rd party
>
> I'd need to see the output of certutil -L -d /etc/pki/pki-tomcat/alias/
>
> An expected nickname was not present either in the database or in
> CS.cfg.
>
> > [
> >   {
> >     "source": "pki.server.healthcheck.meta.csconfig",
> >     "check": "CADogtagCertsConfigCheck",
> >     "result": "ERROR",
> >     "uuid": "da820035-6955-436f-9bf5-bde578b27920",
> >     "when": "20201221130025Z",
> >     "duration": "0.172261",
> >     "kw": {
> >       "key": "ca_signing",
> >       "nickname": "caSigningCert cert-pki-ca",
> >       "directive": "ca.signing.cert",
> >       "configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
> >       "msg": "Certificate 'caSigningCert cert-pki-ca' does not match the value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
> >     }
> >   },
>
> You may be right, perhaps the dogtag checker doesn't check all values of
> the certificate. I'd suggest opening an issue at
> https://github.com/dogtagpki/pki
>
> >   {
> >     "source": "ipahealthcheck.ipa.certs",
> >     "check": "IPACertTracking",
> >     "result": "ERROR",
> >     "uuid": "cfba0bf1-4e4b-40d6-9d26-455bab9c9057",
> >     "when": "20201221130027Z",
> >     "duration": "0.307626",
> >     "kw": {
> >       "key": "cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=caSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"caSigningCert cert-pki-ca\", template-profile=caCACert",
> >       "msg": "Missing tracking for cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=caSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"caSigningCert cert-pki-ca\", template-profile=caCACert"
> >     }
> >   },
> >   ...
> > ]
>
> The tracking may differ from what is expected. I'd need to see the
> output of: getcert list -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert
> cert-pki-ca'
>
> rob
>
> > 1. This is with a self-signed CA. So I don't know why it has that
> >    assuming 3rd party message.
> > 2. I think this has something to do with the fact
> >    that /etc/pki/pki-tomcat/alias/ has two certs under the nickname
> >    of "caSigningCert cert-pki-ca" (one for each of the masters I
> >    presume), but somehow only 1 cert is tracked in other parts of the
> >    infrastructure. /var/lib/pki/pki-tomcat/ca/conf/CS.cfg lists a
> >    single certificate under ca.signing.cert and there is also a single
> >    entry in LDAP (which is the same as CS.cfg). Is something broken in
> >    my setup?
> >
> > Thanks,
> > Prasun
> >
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> >
>