Thanks, Rob. Here are the outputs:
certutil -L -d /etc/pki/pki-tomcat/alias/
Certificate Nickname Trust
Attributes
SSL,S/MIME,JAR/XPI
Server-Cert cert-pki-ca u,u,u
subsystemCert cert-pki-ca u,u,u
auditSigningCert cert-pki-ca u,u,Pu
ocspSigningCert cert-pki-ca u,u,u
caSigningCert cert-pki-ca CTu,Cu,Cu
DOMAIN.COM IPA CA CTu,Cu,Cu
getcert list -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca'
Number of certificates and requests being tracked: 9.
Request ID '20201221144720':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate
Authority,O=DOMAIN.COM
subject: CN=Certificate
Authority,O=DOMAIN.COM
expires: 2040-12-21 06:51:45 EST
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
profile: caCACert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert
cert-pki-ca"
track: yes
auto-renew: yes
The other thing I tried was ipa-server-upgrade, which does resolve the 2nd
failure. It adds the missing tracking. However, if I run ipa-certupdate
after that, the error appears again. It appears that ipa-certupdate clears
it. One thing worth mentioning is that I had run ipa-cacert-manage renew
earlier. Is this related to it somehow ? I'm not entirely sure why there
are two certificates with two serial numbers. They both have the same
validity dates, only different times. One is off by 1 hour.
On Mon, Dec 21, 2020 at 10:53 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
Prasun Gera via FreeIPA-users wrote:
> I'm seeing the following two errors on running ipahealthcheck. This is
> on an up to date RHEL 8.3 system in a 2 server topology with self signed
CA.
>
>
DOMAIN.COM <
http://DOMAIN.COM> IPA CA not found, assuming 3rd party
>
DOMAIN.COM <
http://DOMAIN.COM> IPA CA not found, assuming 3rd party
I'd need to see the output of certutil -L -d /etc/pki/pki-tomcat/alias/
An expected nickname was not present either in the database or in CS.cfg.
> [
> {
> "source": "pki.server.healthcheck.meta.csconfig",
> "check": "CADogtagCertsConfigCheck",
> "result": "ERROR",
> "uuid": "da820035-6955-436f-9bf5-bde578b27920",
> "when": "20201221130025Z",
> "duration": "0.172261",
> "kw": {
> "key": "ca_signing",
> "nickname": "caSigningCert cert-pki-ca",
> "directive": "ca.signing.cert",
> "configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
> "msg": "Certificate 'caSigningCert cert-pki-ca' does
not match the
> value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
> }
> },
You may be right, perhaps the dogtag checker doesn't check all values of
the certificate. I'd suggest opening an issue at
https://github.com/dogtagpki/pki
> {
> "source": "ipahealthcheck.ipa.certs",
> "check": "IPACertTracking",
> "result": "ERROR",
> "uuid": "cfba0bf1-4e4b-40d6-9d26-455bab9c9057",
> "when": "20201221130027Z",
> "duration": "0.307626",
> "kw": {
> "key": "cert-database=/etc/pki/pki-tomcat/alias,
> cert-nickname=caSigningCert cert-pki-ca,
> ca-name=dogtag-ipa-ca-renew-agent,
> cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad,
> cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert
> \"caSigningCert cert-pki-ca\", template-profile=caCACert",
> "msg": "Missing tracking for
> cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=caSigningCert
> cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent,
> cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad,
> cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert
> \"caSigningCert cert-pki-ca\", template-profile=caCACert"
> }
> },
> ...
> ]
The tracking may differ from what is expected. I'd need to see the
output of: getcert list -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert
cert-pki-ca'
rob
> 1. This is with a self-signed CA. So I don't know why it has that
> assuming 3rd party message.
> 2. I think this has something to do with the fact
> that /etc/pki/pki-tomcat/alias/ has two certs under the nickname
> of "caSigningCert cert-pki-ca", (one for each of the masters I
> presume), but somehow only 1 cert is tracked in other parts of the
> infrastructure. /var/lib/pki/pki-tomcat/ca/conf/CS.cfg lists a
> single certificate under ca.signing.cert and there is also a single
> entry in LDAP (which is the same as CS.cfg). Is something broken in
> my setup ?
>
> Thanks,
> Prasun
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>