Thanks, Rob!
On Tue, Jan 5, 2021 at 10:01 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
Prasun Gera via FreeIPA-users wrote:
> Thanks. That has fixed a part of the problem. I did the rename followed
> by ipa-certupdate, which clears the duplicate nickname. It also shows
> only a single value under the nickname now. I don't see the CS.cfg error
> anymore. However, something is still not right with certupdate and
> tracking. After certupdate, I get the tracking error in healthcheck. If
> I do ipa-server-upgrade, it fixes the tracking and also prints this:
> "Missing or incorrect tracking request for certificates:
> /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca"
> after which healthcheck reports no errors. Running certupdate brings the
> error back.
To close the loop on this I was able to reproduce this and opened
https://pagure.io/freeipa/issue/8644 . A PR to fix this has been
submitted upstream.
rob
>
> On Wed, Dec 23, 2020 at 10:04 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
>
> Prasun Gera via FreeIPA-users wrote:
> > Renaming creates a duplicate. There was already a 'caSigningCert
> > cert-pki-ca' present in the db. Now it shows two entries with the same
> > nick. This shouldn't happen, right? Should I delete 'DOMAIN.COM IPA CA'
> > instead (after restoring /etc/pki/pki-tomcat/alias/)? It had the same
> > contents as 'caSigningCert cert-pki-ca'. Here is what it looks like:
> >
> > certutil -L -d /etc/pki/pki-tomcat/alias/
> >
> > Certificate Nickname                                         Trust Attributes
> >                                                              SSL,S/MIME,JAR/XPI
> >
> > Server-Cert cert-pki-ca                                      u,u,u
> > subsystemCert cert-pki-ca                                    u,u,u
> > auditSigningCert cert-pki-ca                                 u,u,Pu
> > ocspSigningCert cert-pki-ca                                  u,u,u
> > caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> > caSigningCert cert-pki-ca                                    CTu,Cu,Cu
>
> I think that ipa-certupdate was adding the other nickname. I believe
> this will prevent that.
>
> rob
>
> >
> > On Tue, Dec 22, 2020 at 10:22 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
> >
> > Prasun Gera wrote:
> > > Thanks, Rob. Here are the outputs:
> > >
> > > certutil -L -d /etc/pki/pki-tomcat/alias/
> > >
> > > Certificate Nickname                                         Trust Attributes
> > >                                                              SSL,S/MIME,JAR/XPI
> > >
> > > Server-Cert cert-pki-ca                                      u,u,u
> > > subsystemCert cert-pki-ca                                    u,u,u
> > > auditSigningCert cert-pki-ca                                 u,u,Pu
> > > ocspSigningCert cert-pki-ca                                  u,u,u
> > > caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> > > DOMAIN.COM IPA CA                                            CTu,Cu,Cu
> >
> > That identifies one problem. The nickname that is currently
> > 'DOMAIN.COM IPA CA' should be 'caSigningCert cert-pki-ca'.
> >
> > To fix:
> >
> > 1. ipa cert-show 1 (output doesn't matter, just shouldn't be an error)
> > 2. ipactl stop
> > 3. backup /etc/pki/pki-tomcat/alias/* someplace safe
> > 4. certutil --rename -d /etc/pki/pki-tomcat/alias/ --new-n 'caSigningCert cert-pki-ca' -n 'DOMAIN.COM IPA CA'
> > 5. ipactl start
> > 6. ipa cert-show 1 (again, should return a cert)
> >
> > > getcert list -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca'
> > > Number of certificates and requests being tracked: 9.
> > > Request ID '20201221144720':
> > >         status: MONITORING
> > >         stuck: no
> > >         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> > >         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
> > >         CA: dogtag-ipa-ca-renew-agent
> > >         issuer: CN=Certificate Authority,O=DOMAIN.COM
> > >         subject: CN=Certificate Authority,O=DOMAIN.COM
> > >         expires: 2040-12-21 06:51:45 EST
> > >         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
> > >         profile: caCACert
> > >         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> > >         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
> > >         track: yes
> > >         auto-renew: yes
> > >
> > > The other thing I tried was ipa-server-upgrade, which does resolve the
> > > 2nd failure. It adds the missing tracking. However, if I run
> > > ipa-certupdate after that, the error appears again. It appears that
> > > ipa-certupdate clears it. One thing worth mentioning is that I had
> > > run ipa-cacert-manage renew earlier. Is this related to it somehow? I'm
> > > not entirely sure why there are two certificates with two serial
> > > numbers. They both have the same validity dates, only different times.
> > > One is off by 1 hour.
> >
> > Interesting. I'm not sure why ipa-certupdate would affect the certmonger
> > tracking. This may also be failing due to the nickname.
> >
> > ipa-cacert-manage renews the CA cert. So you renewed your CA, which is
> > unnecessary this far ahead of expiration. It definitely explains the
> > dogtag healthcheck issue.
> >
> > Doing the rename may fix the ipa-certupdate issue.
> >
> > rob
> >
> > >
> > > On Mon, Dec 21, 2020 at 10:53 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
> > >
> > > Prasun Gera via FreeIPA-users wrote:
> > > > I'm seeing the following two errors on running ipahealthcheck. This is
> > > > on an up to date RHEL 8.3 system in a 2 server topology with self
> > > > signed CA.
> > > >
> > > >
> > > > DOMAIN.COM IPA CA not found, assuming 3rd party
> > > >
> > > > DOMAIN.COM IPA CA not found, assuming 3rd party
> > >
> > > I'd need to see the output of certutil -L -d /etc/pki/pki-tomcat/alias/
> > >
> > > An expected nickname was not present either in the database or in
> > > CS.cfg.
> > >
> > > > [
> > > >     {
> > > >         "source": "pki.server.healthcheck.meta.csconfig",
> > > >         "check": "CADogtagCertsConfigCheck",
> > > >         "result": "ERROR",
> > > >         "uuid": "da820035-6955-436f-9bf5-bde578b27920",
> > > >         "when": "20201221130025Z",
> > > >         "duration": "0.172261",
> > > >         "kw": {
> > > >             "key": "ca_signing",
> > > >             "nickname": "caSigningCert cert-pki-ca",
> > > >             "directive": "ca.signing.cert",
> > > >             "configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
> > > >             "msg": "Certificate 'caSigningCert cert-pki-ca' does not match the value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
> > > >         }
> > > >     },
> > >
> > > You may be right, perhaps the dogtag checker doesn't check all values of
> > > the certificate. I'd suggest opening an issue at
> > > https://github.com/dogtagpki/pki
> > >
> > > >     {
> > > >         "source": "ipahealthcheck.ipa.certs",
> > > >         "check": "IPACertTracking",
> > > >         "result": "ERROR",
> > > >         "uuid": "cfba0bf1-4e4b-40d6-9d26-455bab9c9057",
> > > >         "when": "20201221130027Z",
> > > >         "duration": "0.307626",
> > > >         "kw": {
> > > >             "key": "cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=caSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"caSigningCert cert-pki-ca\", template-profile=caCACert",
> > > >             "msg": "Missing tracking for cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=caSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"caSigningCert cert-pki-ca\", template-profile=caCACert"
> > > >         }
> > > >     },
> > > >     ...
> > > > ]
> > >
> > > The tracking may differ from what is expected. I'd need to see the
> > > output of: getcert list -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca'
> > >
> > > rob
> > >
> > > > 1. This is with a self-signed CA. So I don't know why it has that
> > > > assuming 3rd party message.
> > > > 2. I think this has something to do with the fact that
> > > > /etc/pki/pki-tomcat/alias/ has two certs under the nickname of
> > > > "caSigningCert cert-pki-ca" (one for each of the masters I presume),
> > > > but somehow only 1 cert is tracked in other parts of the
> > > > infrastructure. /var/lib/pki/pki-tomcat/ca/conf/CS.cfg lists a single
> > > > certificate under ca.signing.cert and there is also a single entry in
> > > > LDAP (which is the same as CS.cfg). Is something broken in my setup?
> > > >
> > > > Thanks,
> > > > Prasun
> > > >
> > > > _______________________________________________
> > > > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > > > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> > > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> > > >
> > >
> >
> >
>
>
>
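An added example, not code from this thread and not FreeIPA's or Dogtag's own healthcheck: a small Python script that parses `certutil -L` output for /etc/pki/pki-tomcat/alias and flags the three states seen above (a CA-trusted cert filed under an unexpected nickname such as 'DOMAIN.COM IPA CA', two entries sharing 'caSigningCert cert-pki-ca' after the rename, and an expected nickname missing altogether), then renders the certutil --rename step from Rob's procedure. The expected nickname set and the sample listings are constructed to mirror the listings quoted in the thread; the line regex is an assumption about certutil's column layout, and the script deliberately leaves ipactl stop/start and the backup to the operator.

```python
"""Check a `certutil -L` listing of the Dogtag NSS database for nickname
problems (added example; not FreeIPA/Dogtag code)."""
import re
from collections import Counter

# Assumption: nicknames Dogtag expects in /etc/pki/pki-tomcat/alias, taken from
# the listings quoted in the thread.
EXPECTED_NICKNAMES = frozenset({
    "Server-Cert cert-pki-ca",
    "subsystemCert cert-pki-ca",
    "auditSigningCert cert-pki-ca",
    "ocspSigningCert cert-pki-ca",
    "caSigningCert cert-pki-ca",
})
CA_NICKNAME = "caSigningCert cert-pki-ca"

# One data line: nickname, two or more spaces, then the three comma-separated
# trust columns (SSL, S/MIME, JAR/XPI); any column may be empty.
ENTRY_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")

# Constructed sample: the listing with the CA cert under a stray nickname.
LISTING_MISNAMED = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
DOMAIN.COM IPA CA                                            CTu,Cu,Cu
"""

# Constructed sample: the same database after `certutil --rename`.
LISTING_DUPLICATE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
"""

# Constructed sample: the healthy state (stray line dropped).
LISTING_CLEAN = "".join(line for line in LISTING_MISNAMED.splitlines(keepends=True)
                        if not line.startswith("DOMAIN.COM"))


def parse_certutil_listing(text):
    """Return [(nickname, trust_flags), ...] in database order."""
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip()
        # Skip blank separators and the two header lines certutil prints.
        if (not line or line.startswith("Certificate Nickname")
                or line.strip() == "SSL,S/MIME,JAR/XPI"):
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised certutil line: {line!r}")
        entries.append((m.group("nick"), m.group("trust")))
    return entries


def find_nickname_problems(entries, expected=EXPECTED_NICKNAMES, ca_nickname=CA_NICKNAME):
    """Report duplicate nicknames, missing expected nicknames, and CA-trusted
    certs filed under any nickname other than the signing-cert nickname."""
    counts = Counter(nick for nick, _ in entries)
    duplicates = sorted(nick for nick, n in counts.items() if n > 1)
    missing = sorted(expected - set(counts))
    # 'C' in the SSL trust column marks a trusted CA; only the signing cert
    # should carry it in this database.
    stray_ca = sorted({nick for nick, trust in entries
                       if "C" in trust.split(",")[0] and nick != ca_nickname})
    return {"duplicates": duplicates, "missing": missing, "stray_ca": stray_ca}


def suggest_fix(entries, problems, dbdir="/etc/pki/pki-tomcat/alias", ca_nickname=CA_NICKNAME):
    """Render the rename step from the thread. The operator still runs
    `ipactl stop`, backs up dbdir, and runs `ipactl start` around it."""
    steps = [f"certutil --rename -d {dbdir} -n '{stray}' --new-n '{ca_nickname}'"
             for stray in problems["stray_ca"]]
    if problems["stray_ca"] and any(nick == ca_nickname for nick, _ in entries):
        # As reported in the thread: renaming onto an existing nickname leaves
        # two entries under it, and ipa-certupdate cleared the duplicate.
        steps.append("ipa-certupdate")
    return steps


if __name__ == "__main__":
    for name, listing in (("misnamed", LISTING_MISNAMED),
                          ("duplicate", LISTING_DUPLICATE),
                          ("clean", LISTING_CLEAN)):
        entries = parse_certutil_listing(listing)
        problems = find_nickname_problems(entries)
        print(name, problems, suggest_fix(entries, problems))
```

Feed it the real output with `certutil -L -d /etc/pki/pki-tomcat/alias/ > listing.txt` and call parse_certutil_listing on the file contents; the stray-CA and duplicate conditions are the two states this thread went through before ipa-certupdate settled the database.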