Jeremy Tourville via FreeIPA-users wrote:
Is this an externally-signed CA?
Yes
What version of healthcheck do you have?
0.12-1
I *think* from what I am seeing this cert is valid. Can you confirm?
# getcert list -i "20230901185953"
Number of certificates and requests being tracked: 10.
Request ID '20230901185953':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca cf8380c3-8e91-4bbb-9d29-924cea7134eb',token='NSS FIPS 140-2 Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca cf8380c3-8e91-4bbb-9d29-924cea7134eb',token='NSS FIPS 140-2 Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=IDM.EXAMPLE.ORG
    subject: CN=EXAMPLE-CA,DC=example,DC=org
    issued: 2023-04-05 12:54:46 CDT
    expires: 2038-01-06 09:20:42 CST
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    profile: caCACert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca cf8380c3-8e91-4bbb-9d29-924cea7134eb"
    track: yes
    auto-renew: yes
This is a sub CA. These are not validated by healthcheck.
If we both agree this cert is valid, how do I clear the warning message from healthcheck?
See the EXCLUDES section in ipahealthcheck.conf(5)
rob
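
The EXCLUDES section referred to above, sketched as an added example that is not part of the original message. The file location /etc/ipahealthcheck/ipahealthcheck.conf and the use of the certmonger request ID as the result key are assumptions; take the real value from the "key" field of the warning in the healthcheck output.

```ini
# /etc/ipahealthcheck/ipahealthcheck.conf  (assumed location)

[excludes]
# Suppress one specific result by its key. The value here is the certmonger
# request ID shown in the thread, on the assumption that the warning carries
# it as its key; replace it with the "key" value from the actual result.
key=20230901185953

# The same section also accepts "source=" and "check=" entries, which
# exclude a whole check source or a named check rather than one result.
# Those are much broader than a single key, so prefer "key=" when only
# one known-good certificate is producing the warning.
```

Re-run ipa-healthcheck after the change and confirm that only the intended warning has disappeared from the report.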