Rob,
I installed the ipa-healthcheck that you got to work on CentOS 7, and ran it. Got a
couple of errors regarding the RA Agent cert:
[
  {
    "source": "ipahealthcheck.ipa.certs",
    "kw": {
      "msg": "Certificate validation for /var/lib/ipa/ra-agent.pem failed:\n",
      "reason": "",
      "key": "/var/lib/ipa/ra-agent.pem"
    },
    "uuid": "a855346c-4998-4415-a819-ce83048e174e",
    "duration": "0.100214",
    "when": "20240404141916Z",
    "check": "IPAOpenSSLChainValidation",
    "result": "ERROR"
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "kw": {
      "msg": "RA agent not found in LDAP"
    },
    "uuid": "b6efdb6c-ca33-4421-bdc5-c449e7d64591",
    "duration": "0.027569",
    "when": "20240404141916Z",
    "check": "IPARAAgent",
    "result": "ERROR"
  }
]
That first error, I'm not sure about what kind of validation it's performing. In
my asn.1 output earlier I did include the ra-agent.pem and it looks like it's
correctly signed.
As far as the "RA agent not found in LDAP", it looks to me like it is, and it
matches the cert in /var/lib/ipa/ra-agent.pem.
# ldapsearch -D "cn=directory manager" -W -b uid=ipara,ou=people,o=ipaca
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=ipara,ou=people,o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# ipara, people, ipaca
dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=Certificate Authority,O=IPA.****.NET;CN=IPA
RA,O=IPA.****.NET
userCertificate:: MIID6j...ssifAg==
uid: ipara
sn: ipara
usertype: agentType
userstate: 1
objectClass: cmsuser
objectClass: top
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: person
cn: ipara
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
# cat ra-agent.pem
-----BEGIN CERTIFICATE-----
MIID6j...ssifAg==
-----END CERTIFICATE-----
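An added illustration of what the IPARAAgent check compares, as I understand it (this is editor-written example code, not code from the thread or from ipa-healthcheck): the uid=ipara entry's `description` must read `2;<serial>;<issuer>;<subject>` for the certificate in /var/lib/ipa/ra-agent.pem, and its `userCertificate` must hold the same DER bytes as that PEM file. The script uses only the standard library, so the serial, issuer and subject are passed in rather than parsed from the certificate, and the LDIF and DER below are constructed sample data (including a folded continuation line like the one in the ldapsearch output above).

```python
import base64
import re

# Constructed sample data (not from the thread): a fake DER blob standing in for
# the RA agent certificate, a PEM file built from it, and an ldapsearch-style
# LDIF export of uid=ipara with one folded continuation line (leading space).
FAKE_DER = bytes(range(256)) * 2
FAKE_B64 = base64.b64encode(FAKE_DER).decode()
RA_AGENT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                + "\n".join(re.findall(".{1,64}", FAKE_B64))
                + "\n-----END CERTIFICATE-----\n")
IPARA_LDIF = ("dn: uid=ipara,ou=people,o=ipaca\n"
              "description: 2;7;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA\n"
              "  RA,O=EXAMPLE.TEST\n"
              "userCertificate:: " + FAKE_B64 + "\n"
              "uid: ipara\n")

def parse_ldif_entry(text):
    """{attribute: [values]} for one LDIF entry; continuation lines are joined,
    '::' values are base64-decoded to bytes, ':' values stay str."""
    entry = {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line or line.startswith("#"):
            continue
        attr, sep, value = re.match(r"([^:]+)(::?) ?(.*)", line).groups()
        entry.setdefault(attr, []).append(
            base64.b64decode(value) if sep == "::" else value)
    return entry

def pem_to_der(pem):
    """DER bytes of the first CERTIFICATE block in a PEM string."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                     pem, re.S).group(1)
    return base64.b64decode("".join(body.split()))

def check_ra_agent(ldif, pem, serial, issuer, subject):
    """Mismatches between the LDAP entry and the PEM file (empty list = consistent).
    serial (decimal int; openssl prints it in hex), issuer and subject describe
    the certificate in the PEM file, e.g. from `openssl x509 -noout -text`."""
    entry = parse_ldif_entry(ldif)
    problems = []
    wanted = "2;%d;%s;%s" % (serial, issuer, subject)
    if wanted not in entry.get("description", []):
        problems.append("description: expected %r, LDAP has %r"
                        % (wanted, entry.get("description")))
    if pem_to_der(pem) not in entry.get("userCertificate", []):
        problems.append("userCertificate in LDAP differs from the PEM file")
    return problems
```

The first error (IPAOpenSSLChainValidation) is a separate check from this comparison; to my knowledge it amounts to `openssl verify -CAfile /etc/ipa/ca.crt /var/lib/ipa/ra-agent.pem`, which is worth running by hand to see the full verifier output.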