Hi all,
Sorry I didn't keep track of this more accurately. Some time ago, the ipa-healthcheck service started failing (September 23rd, I think). I took a look, and IIRC, it said something like some certs were about to expire. I ignored that (because they renew automatically?). But then I checked some time after that, and ipa-healthcheck started reporting:
[
  {
    "source": "pki.server.healthcheck.meta.csconfig",
    "check": "CADogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "af584c7d-6288-4848-acf8-9e59946e298b",
    "when": "20231004180708Z",
    "duration": "0.093486",
    "kw": {
      "key": "ca_audit_signing",
      "nickname": "auditSigningCert cert-pki-ca",
      "directive": "ca.audit_signing.cert",
      "configfile": "/etc/pki/pki-tomcat/ca/CS.cfg",
      "msg": "Certificate 'auditSigningCert cert-pki-ca' does not match the value of ca.audit_signing.cert in /etc/pki/pki-tomcat/ca/CS.cfg"
    }
  },
  {
    "source": "ipahealthcheck.dogtag.ca",
    "check": "DogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "94d21af1-63d1-4bc8-80ff-dc974b3bafc2",
    "when": "20231004180708Z",
    "duration": "0.401906",
    "kw": {
      "key": "auditSigningCert cert-pki-ca",
      "directive": "ca.audit_signing.cert",
      "configfile": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
      "msg": "Certificate 'auditSigningCert cert-pki-ca' does not match the value of ca.audit_signing.cert in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
    }
  }
]
I suppose the automatic renewal process went awry? I have seen messages on this list with similar errors, but the path forward does not seem clear to me.
I'm running:
ipa-healthcheck-0.12-1.el9.noarch
ipa-healthcheck-core-0.12-1.el9.noarch
ipa-server-4.10.1-9.el9_2.x86_64
Coincidentally, some updates went out around those dates:
2023-08-26T06:56:04+0000 SUBDEBUG Upgraded: ipa-server-dns-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: ipa-server-4.10.1-7.el9_2.x86_64
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: python3-ipaserver-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: ipa-client-4.10.1-7.el9_2.x86_64
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: python3-ipaclient-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: python3-ipalib-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: ipa-common-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: ipa-server-common-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: ipa-client-common-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: ipa-selinux-4.10.1-7.el9_2.noarch
2023-09-24T06:56:28+0000 SUBDEBUG Upgraded: ipa-server-dns-4.10.1-8.el9_2.noarch
2023-09-24T06:56:28+0000 SUBDEBUG Upgraded: ipa-server-4.10.1-8.el9_2.x86_64
2023-09-24T06:56:29+0000 SUBDEBUG Upgraded: python3-ipaserver-4.10.1-8.el9_2.noarch
2023-09-24T06:56:29+0000 SUBDEBUG Upgraded: ipa-client-4.10.1-8.el9_2.x86_64
2023-09-24T06:56:29+0000 SUBDEBUG Upgraded: python3-ipaclient-4.10.1-8.el9_2.noarch
2023-09-24T06:56:29+0000 SUBDEBUG Upgraded: python3-ipalib-4.10.1-8.el9_2.noarch
2023-09-24T06:56:29+0000 SUBDEBUG Upgraded: ipa-common-4.10.1-8.el9_2.noarch
2023-09-24T06:56:30+0000 SUBDEBUG Upgraded: ipa-server-common-4.10.1-8.el9_2.noarch
2023-09-24T06:56:30+0000 SUBDEBUG Upgraded: ipa-client-common-4.10.1-8.el9_2.noarch
2023-09-24T06:56:30+0000 SUBDEBUG Upgraded: ipa-selinux-4.10.1-8.el9_2.noarch
Any thoughts?
Thanks,
Álex
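
The healthcheck error quoted above says the certificate held under the nickname differs from the value of ca.audit_signing.cert in CS.cfg. The following is an added example, not part of the original message and not ipa-healthcheck's own code: it compares a PEM export of the certificate with the CS.cfg directive and returns a SHA-256 of each side so the two can be told apart. The function names and the sample bytes are constructed for illustration, and it assumes CS.cfg stores the certificate as single-line base64 DER.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Decode the first CERTIFICATE block of a PEM export to DER bytes."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))

def cs_cfg_der(cfg_text, directive):
    """Decode the value of `directive` (assumed single-line base64 DER)."""
    for line in cfg_text.splitlines():
        # Split on the first '=' only: base64 padding may end in '='.
        key, sep, value = line.partition("=")
        if sep and key.strip() == directive:
            return base64.b64decode("".join(value.split()))
    raise KeyError(directive)

def compare(pem_text, cfg_text, directive):
    """Report whether both sides hold the same certificate bytes."""
    nss, cfg = pem_to_der(pem_text), cs_cfg_der(cfg_text, directive)
    return {"match": nss == cfg,
            "nss_sha256": hashlib.sha256(nss).hexdigest(),
            "cfg_sha256": hashlib.sha256(cfg).hexdigest()}

# Constructed sample input: placeholder bytes, not real certificates.
OLD_DER = b"constructed-old-cert-bytes"
NEW_DER = b"constructed-renewed-cert-bytes"
DIRECTIVE = "ca.audit_signing.cert"   # directive named in the error above

def sample_pem(der):
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

def sample_cfg(der):
    return ("ca.audit_signing.nickname=auditSigningCert cert-pki-ca\n"
            + DIRECTIVE + "=" + base64.b64encode(der).decode() + "\n")

if __name__ == "__main__":
    # Different bytes on each side: mismatch, as in the reported error.
    print(compare(sample_pem(NEW_DER), sample_cfg(OLD_DER), DIRECTIVE))
    # Same bytes on both sides: match.
    print(compare(sample_pem(NEW_DER), sample_cfg(NEW_DER), DIRECTIVE))
```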