Alex Corcoles via FreeIPA-users wrote:
Hi all,
Sorry I didn't keep track of this more accurately. Some time ago, the ipa-healthcheck service started failing (September 23rd, I think). I took a look, and IIRC, it said something like some certs were about to expire. I ignored that (because they renew automatically?). But then I checked some time after that, and ipa-healthcheck started reporting:
I'd start by verifying that the certificates indeed did renew.
[
  {
    "source": "pki.server.healthcheck.meta.csconfig",
    "check": "CADogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "af584c7d-6288-4848-acf8-9e59946e298b",
    "when": "20231004180708Z",
    "duration": "0.093486",
    "kw": {
      "key": "ca_audit_signing",
      "nickname": "auditSigningCert cert-pki-ca",
      "directive": "ca.audit_signing.cert",
      "configfile": "/etc/pki/pki-tomcat/ca/CS.cfg",
      "msg": "Certificate 'auditSigningCert cert-pki-ca' does not match the value of ca.audit_signing.cert in /etc/pki/pki-tomcat/ca/CS.cfg"
    }
  },
  {
    "source": "ipahealthcheck.dogtag.ca",
    "check": "DogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "94d21af1-63d1-4bc8-80ff-dc974b3bafc2",
    "when": "20231004180708Z",
    "duration": "0.401906",
    "kw": {
      "key": "auditSigningCert cert-pki-ca",
      "directive": "ca.audit_signing.cert",
      "configfile": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
      "msg": "Certificate 'auditSigningCert cert-pki-ca' does not match the value of ca.audit_signing.cert in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
    }
  }
]
I suppose the automatic renewal process went awry? I have seen messages on this list with similar errors, but the path forward does not seem clear to me.
There is some disagreement whether CS.cfg being updated is important or not. The PKI team is looking into this now. If you really want to update it you can get the base64 blob:
# certutil -L -d /etc/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca' -a
Then stop pki-tomcat@pki-tomcatd, update the mentioned blob in CS.cfg, and restart tomcat.
rob
I'm running:
ipa-healthcheck-0.12-1.el9.noarch
ipa-healthcheck-core-0.12-1.el9.noarch
ipa-server-4.10.1-9.el9_2.x86_64
Coincidentally, some updates went out around those dates:
2023-08-26T06:56:04+0000 SUBDEBUG Upgraded: ipa-server-dns-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: ipa-server-4.10.1-7.el9_2.x86_64
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: python3-ipaserver-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: ipa-client-4.10.1-7.el9_2.x86_64
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: python3-ipaclient-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: python3-ipalib-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: ipa-common-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: ipa-server-common-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: ipa-client-common-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: ipa-selinux-4.10.1-7.el9_2.noarch
2023-09-24T06:56:28+0000 SUBDEBUG Upgraded: ipa-server-dns-4.10.1-8.el9_2.noarch
2023-09-24T06:56:28+0000 SUBDEBUG Upgraded: ipa-server-4.10.1-8.el9_2.x86_64
2023-09-24T06:56:29+0000 SUBDEBUG Upgraded: python3-ipaserver-4.10.1-8.el9_2.noarch
2023-09-24T06:56:29+0000 SUBDEBUG Upgraded: ipa-client-4.10.1-8.el9_2.x86_64
2023-09-24T06:56:29+0000 SUBDEBUG Upgraded: python3-ipaclient-4.10.1-8.el9_2.noarch
2023-09-24T06:56:29+0000 SUBDEBUG Upgraded: python3-ipalib-4.10.1-8.el9_2.noarch
2023-09-24T06:56:29+0000 SUBDEBUG Upgraded: ipa-common-4.10.1-8.el9_2.noarch
2023-09-24T06:56:30+0000 SUBDEBUG Upgraded: ipa-server-common-4.10.1-8.el9_2.noarch
2023-09-24T06:56:30+0000 SUBDEBUG Upgraded: ipa-client-common-4.10.1-8.el9_2.noarch
2023-09-24T06:56:30+0000 SUBDEBUG Upgraded: ipa-selinux-4.10.1-8.el9_2.noarch
Any thoughts?
Thanks,
Álex
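The manual fix Rob describes (export the certificate from the NSS database with certutil, compare it with the ca.audit_signing.cert directive, and rewrite CS.cfg only if it really differs) is easy to get subtly wrong, because certutil prints PEM wrapped at 64 columns while CS.cfg stores one long base64 value. The script below is an added example for this thread, not code from ipa-healthcheck, Dogtag or Rob. It assumes that CS.cfg stores the bare base64 of the DER certificate on a single `directive=value` line, compares the two as decoded DER bytes so that line wrapping cannot produce a false mismatch, and uses the paths, nickname and directive quoted in the healthcheck output. The constructed sample data at the bottom is not a real certificate; it only exercises the comparison and rewrite offline.

```python
#!/usr/bin/env python3
"""Compare the certificate in the pki-tomcat NSS database with the value
recorded in CS.cfg, and optionally rewrite that directive.

Added example for this thread; not part of ipa-healthcheck or Dogtag.
Paths, nickname and directive are the ones quoted in the thread.
"""
import base64
import re
import subprocess
import sys
from typing import Optional

NSS_DB = "/etc/pki/pki-tomcat/alias"          # from Rob's certutil command
NICKNAME = "auditSigningCert cert-pki-ca"     # from the healthcheck output
DIRECTIVE = "ca.audit_signing.cert"           # from the healthcheck output
CS_CFG_PATHS = (                              # both paths the healthcheck reported
    "/etc/pki/pki-tomcat/ca/CS.cfg",
    "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
)


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and whitespace and decode to DER, so certutil's
    64-column output and CS.cfg's single-line value compare equal."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()), validate=True)


def read_directive(cfg_text: str, directive: str = DIRECTIVE) -> Optional[str]:
    """Return the raw value of 'directive=' from CS.cfg text, or None if absent."""
    for line in cfg_text.splitlines():
        if line.startswith(directive + "="):
            return line[len(directive) + 1:].strip()
    return None


def certs_match(pem: str, cfg_text: str, directive: str = DIRECTIVE) -> bool:
    """True when CS.cfg holds exactly the certificate exported from NSS."""
    value = read_directive(cfg_text, directive)
    if value is None:
        return False
    try:  # binascii.Error is a ValueError subclass
        return base64.b64decode(value, validate=True) == pem_to_der(pem)
    except ValueError:
        return False


def update_directive(cfg_text: str, pem: str, directive: str = DIRECTIVE) -> str:
    """Return cfg_text with 'directive=' set to the bare base64 of the NSS cert.
    Every other line is left untouched; the directive is appended if missing."""
    blob = base64.b64encode(pem_to_der(pem)).decode("ascii")
    lines = cfg_text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(directive + "="):
            lines[i] = f"{directive}={blob}"
            break
    else:
        lines.append(f"{directive}={blob}")
    return "\n".join(lines) + "\n"


def export_from_nss(nickname: str = NICKNAME, db: str = NSS_DB) -> str:
    """Run the certutil command from the thread and return its PEM output."""
    return subprocess.run(
        ["certutil", "-L", "-d", db, "-n", nickname, "-a"],
        check=True, capture_output=True, text=True,
    ).stdout


# Constructed sample data (not a real certificate): enough to exercise the
# comparison and the rewrite without touching a live server.
_SAMPLE_DER = b"constructed-sample-certificate-bytes-" * 3
_SAMPLE_B64 = base64.b64encode(_SAMPLE_DER).decode("ascii")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(_SAMPLE_B64[i:i + 64] for i in range(0, len(_SAMPLE_B64), 64))
              + "\n-----END CERTIFICATE-----\n")
_OLD_B64 = base64.b64encode(b"constructed-previous-certificate").decode("ascii")
STALE_CFG = (
    "ca.audit_signing.nickname=auditSigningCert cert-pki-ca\n"
    f"{DIRECTIVE}={_OLD_B64}\n"
    "ca.sslserver.nickname=Server-Cert cert-pki-ca\n"
)


def main(argv: list) -> int:
    """Report on the live system; rewrite CS.cfg only when --fix is given
    (stop pki-tomcat@pki-tomcatd first and restart it afterwards, as Rob says)."""
    pem = export_from_nss()
    rc = 0
    for path in CS_CFG_PATHS:
        try:
            with open(path) as fh:
                text = fh.read()
        except FileNotFoundError:
            continue
        if certs_match(pem, text):
            print(f"{path}: {DIRECTIVE} matches NSS")
            continue
        rc = 1
        print(f"{path}: {DIRECTIVE} does NOT match NSS")
        if "--fix" in argv:
            with open(path, "w") as fh:
                fh.write(update_directive(text, pem))
            print(f"{path}: updated")
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it without arguments first: a non-zero exit confirms the mismatch the healthcheck reports rather than a stale result, and a clean run after a renewal tells you whether the disagreement Rob mentions (whether CS.cfg needs updating at all) even applies to your server. Only then, with pki-tomcat stopped, use `--fix`.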