Prasun Gera via FreeIPA-users wrote:
I'm seeing the following two errors on running ipahealthcheck.
This is
on an up to date RHEL 8.3 system in a 2 server topology with self signed CA.
DOMAIN.COM <
http://DOMAIN.COM> IPA CA not found, assuming 3rd party
DOMAIN.COM <
http://DOMAIN.COM> IPA CA not found, assuming 3rd party
I'd need to see the output of certutil -L -d /etc/pki/pki-tomcat/alias/
An expected nickname was not present either in the database or in CS.cfg.
[
{
"source": "pki.server.healthcheck.meta.csconfig",
"check": "CADogtagCertsConfigCheck",
"result": "ERROR",
"uuid": "da820035-6955-436f-9bf5-bde578b27920",
"when": "20201221130025Z",
"duration": "0.172261",
"kw": {
"key": "ca_signing",
"nickname": "caSigningCert cert-pki-ca",
"directive": "ca.signing.cert",
"configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
"msg": "Certificate 'caSigningCert cert-pki-ca' does not
match the
value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
}
},
You may be right, perhaps the dogtag checker doesn't check all values of
the certificate. I'd suggest opening an issue at
https://github.com/dogtagpki/pki
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertTracking",
"result": "ERROR",
"uuid": "cfba0bf1-4e4b-40d6-9d26-455bab9c9057",
"when": "20201221130027Z",
"duration": "0.307626",
"kw": {
"key": "cert-database=/etc/pki/pki-tomcat/alias,
cert-nickname=caSigningCert cert-pki-ca,
ca-name=dogtag-ipa-ca-renew-agent,
cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad,
cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert
\"caSigningCert cert-pki-ca\", template-profile=caCACert",
"msg": "Missing tracking for
cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=caSigningCert
cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent,
cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad,
cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert
\"caSigningCert cert-pki-ca\", template-profile=caCACert"
}
},
...
]
The tracking may differ from what is expected. I'd need to see the
output of: getcert list -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert
cert-pki-ca'
rob
1. This is with a self-signed CA. So I don't know why it has
that
assuming 3rd party message.
2. I think this has something to do with the fact
that /etc/pki/pki-tomcat/alias/ has two certs under the nickname
of "caSigningCert cert-pki-ca", (one for each of the masters I
presume), but somehow only 1 cert is tracked in other parts of the
infrastructure. /var/lib/pki/pki-tomcat/ca/conf/CS.cfg lists a
single certificate under ca.signing.cert and there is also a single
entry in LDAP (which is the same as CS.cfg). Is something broken in
my setup ?
Thanks,
Prasun
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...