Hello,
How or what does it use to compare with?
I see a cert in the nssdb with the correct nickname.
certutil -L -d /etc/pki/nssdb
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
host/idm2.x.y u,u,u
I also see the other side of the same coin...
getcert list -c IPA | grep -A15 20191122115414
Request ID '20191122115414':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/nssdb',nickname='host/idm2.x.y',token='NSS Certificate DB'
certificate:
type=NSSDB,location='/etc/pki/nssdb',nickname='host/idm2.x.y',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=X.Y
subject: CN=idm2.x.y,O=X.Y
expires: 2021-11-22 11:54:15 UTC
principal name: host/idm2.x.y(a)X.Y
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Not sure that I want to delete either.
Thanks!
David Patterson
-----Original Message-----
From: Rob Crittenden <rcritten(a)redhat.com>
Sent: Monday, January 11, 2021 11:07 AM
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Patterson, David <dpatte(a)sandia.gov>
Subject: [EXTERNAL] Re: [Freeipa-users] ipa healthcheck issue
Patterson, David via FreeIPA-users wrote:
Hello,
Running RHEL 7.9, ipa 4.6.8-5 and freeipa-healthcheck 0.3-2 backported
for RHEL 7.
Ipa healthcheck output
[
 {
   "source": "ipahealthcheck.ipa.certs",
   "kw": {
     "msg": "Unable to retrieve cert 'host/idm2.X.Y' from '/etc/pki/nssdb': Failed to get host/idm2.X.Y",
     "nickname": "host/idm2.X.Y",
     "dbdir": "/etc/pki/nssdb",
     "key": "20191122115414",
     "error": "Failed to get host/idm2.X.Y"
   },
   "uuid": "64d9b118-e588-4dbb-99e1-6ef11e495ed5",
   "duration": "0.382404",
   "when": "20210107005140Z",
   "check": "IPACertfileExpirationCheck",
   "result": "ERROR"
 },
 {
   "source": "ipahealthcheck.ipa.certs",
   "kw": {
     "msg": "Unknown certmonger id 20191122115414",
     "key": "20191122115414"
   },
   "uuid": "1b4bba70-08e0-43dc-8984-657cc47fd339",
   "duration": "1.109733",
   "when": "20210107005142Z",
   "check": "IPACertTracking",
   "result": "WARNING"
 }
]
How do I correct these issues?
They are two sides of the same coin. You have an unknown certificate request being tracked
by certmonger.
In this case the nickname host/idm2.X.Y in /etc/pki/nssdb.
Looks like there isn't a nickname with this value in that NSS database which explains
the first error.
I suspect that someone did some manual tracking changes and got this one wrong. It
isn't something that IPA would have configured.
Is it safe to delete this tracking request? Probably. But I'd double and triple check
before doing so. It's unclear what the original purpose of creating it was.
rob
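A reconciliation script that does the same comparison the healthcheck does, added here as an example (it is not ipa-healthcheck's or certmonger's own code): it parses the `getcert list` and `certutil -L -d` output formats shown in David's message at the top of the thread and reports every NSSDB-backed tracking request whose nickname is not present in the named database, which is the mismatch Rob describes above. The sample outputs are constructed in the shape of the thread's output; the second request with a differently-cased nickname, the FILE-backed request, and the CA nickname are invented to show how an exact-string comparison (assumed here to be what the healthcheck does, since it hands the nickname to NSS unchanged) flags a near-miss. Only the request ID 20191122115414 and the nickname host/idm2.x.y come from the thread.

```python
import re
import subprocess

# Constructed sample in the shape of `getcert list` output. Request
# 20191122115414 mirrors the thread; the other two requests are made up.
GETCERT_LIST_SAMPLE = """\
Request ID '20191122115414':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='host/idm2.x.y',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/pki/nssdb',nickname='host/idm2.x.y',token='NSS Certificate DB'
\tCA: IPA
\ttrack: yes
Request ID '20191122115415':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/nssdb',nickname='host/idm2.X.Y',token='NSS Certificate DB'
\tCA: IPA
\ttrack: yes
Request ID '20191122115416':
\tstatus: MONITORING
\tcertificate: type=FILE,location='/path/to/constructed-example.crt'
\ttrack: yes
"""

# Constructed sample in the shape of `certutil -L -d /etc/pki/nssdb` output.
# Only host/idm2.x.y appears in the thread; the CA line is invented.
CERTUTIL_LIST_SAMPLE = """\

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

host/idm2.x.y                                                u,u,u
X.Y IPA CA                                                   CT,C,C
"""

# quoted key='value' pairs inside a certmonger storage description
FIELD_RE = re.compile(r"(\w+)='([^']*)'")
# certutil trust-attribute column, e.g. "u,u,u", "CT,C,C" or ",,"
TRUST_RE = re.compile(r"[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*")


def parse_getcert_list(text):
    """Return one dict per request: id, selected scalar fields, and the parsed
    'certificate:' storage description (type, location, nickname, token)."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1), "storage": {}}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "certificate":
            fields = dict(FIELD_RE.findall(value))
            tm = re.match(r"type=(\w+)", value)  # type= is unquoted
            if tm:
                fields["type"] = tm.group(1)
            current["storage"] = fields
        elif key in ("status", "stuck", "CA", "track"):
            current[key] = value
    return requests


def parse_certutil_list(text):
    """Return the set of nicknames listed by `certutil -L -d <dir>`.
    Nicknames may contain spaces, so the trust column is split off from the right."""
    nicknames = set()
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("Certificate Nickname", "SSL,S/MIME")):
            continue
        parts = stripped.rsplit(None, 1)
        if len(parts) == 2 and TRUST_RE.fullmatch(parts[1]):
            nicknames.add(parts[0].strip())
    return nicknames


def find_missing_nicknames(requests, nssdb_by_dir):
    """For each NSSDB-backed request, require the tracked nickname to exist
    byte-for-byte in that database. Returns (request id, dbdir, nickname, hint)."""
    problems = []
    for req in requests:
        st = req["storage"]
        if st.get("type") != "NSSDB":
            continue  # FILE-backed requests are checked differently
        db = nssdb_by_dir.get(st.get("location"), set())
        nickname = st.get("nickname")
        if nickname in db:
            continue
        folded = {n.lower(): n for n in db}
        hint = ""
        if nickname and nickname.lower() in folded:
            hint = f"case differs from '{folded[nickname.lower()]}' (nicknames are compared exactly)"
        problems.append((req["id"], st.get("location"), nickname, hint))
    return problems


def report(requests, nssdb_by_dir):
    """Human-readable lines in the spirit of the healthcheck's 'Unable to retrieve cert' message."""
    return [f"request {rid}: nickname '{nick}' not found in {dbdir}" + (f" [{hint}]" if hint else "")
            for rid, dbdir, nick, hint in find_missing_nicknames(requests, nssdb_by_dir)]


if __name__ == "__main__":
    # Live mode on an IPA host: read certmonger and each referenced NSS database.
    reqs = parse_getcert_list(subprocess.run(["getcert", "list"], capture_output=True, text=True).stdout)
    dbs = {}
    for r in reqs:
        d = r["storage"].get("location")
        if r["storage"].get("type") == "NSSDB" and d not in dbs:
            out = subprocess.run(["certutil", "-L", "-d", d], capture_output=True, text=True).stdout
            dbs[d] = parse_certutil_list(out)
    print("\n".join(report(reqs, dbs)) or "all NSSDB-backed tracking requests resolve")
```

Run it with no arguments on the host to compare live output; import it to run the parsers over captured text, which is how the sample data above is exercised. A request flagged with a case hint is the situation worth checking before deleting anything: the tracking entry and the database disagree only in spelling, so the fix is to correct the request rather than to stop tracking the certificate.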