12:48 p.m.
ipa --version
VERSION: 4.8.7
So I have no idea what actually happened, but today I cant login into freeipa webui.
There is 3 instances on 2 and 3rd I can login. Sync is on and working.
I noticed that in webui it shows that first certificate
CN=Certificate Authority,O=xx ipa REVOKED
Obviously I didint revoke it.
ipa-getcert list shows only two certificates and noone is master
getcert list shows more and
this is master cert as you can see server was installed ~2 years ago.
Request ID '20201218102240':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=xxx
subject: CN=Certificate Authority,O=xxx
expires: 2039-12-16 13:38:03 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert
cert-pki-ca"
track: yes
auto-renew: yes
CN=localhost... :facepalm:
This is I guess new(not really) and probably this was tickint time bomb for quite some
time.
Request ID '20210317111052':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca bd372c7d-62d0-469d-a107-da3b5a782c09',token='NSS Certificate
DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca bd372c7d-62d0-469d-a107-da3b5a782c09',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=INT.O4.LT
subject: CN=localhost
expires: 2041-03-17 11:11:01 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
profile: caCACert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert
cert-pki-ca bd372c7d-62d0-469d-a107-da3b5a782c09"
track: yes
auto-renew: yes
I have bad feeling that it is because hosts file is not cleared from localhost entries?
cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
ipa-healthcheck complainas about
this is SUBCA caSigningCert cert-pki-ca 86623fac-5d11-4ac6-9972-ea80ef16f711 not found,
assuming 3rd party
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertfileExpirationCheck",
"result": "ERROR",
"uuid": "a77e06d1-ee90-4574-8c68-750ec3f5d6bd",
"when": "20211124184538Z",
"duration": "0.366900",
"kw": {
"key": "20210317111052",
"dbdir": "/etc/pki/pki-tomcat/alias",
"nickname": "caSigningCert cert-pki-ca
bd372c7d-62d0-469d-a107-da3b5a782c09",
"error": "Failed to get caSigningCert cert-pki-ca
bd372c7d-62d0-469d-a107-da3b5a782c09",
"msg": "Unable to retrieve cert 'caSigningCert cert-pki-ca
bd372c7d-62d0-469d-a107-da3b5a782c09' from '/etc/pki/pki-tomcat/alias': Failed
to get caSigningCert cert-pki-ca bd372c7d-62d0-469d-a107-da3b5a782c09"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertTracking",
"result": "ERROR",
"uuid": "c8e78e6d-794c-41cb-a12f-f57d0dda23d6",
"when": "20211124184538Z",
"duration": "0.416846",
"kw": {
"key": "cert-database=/etc/pki/pki-tomcat/alias,
cert-nickname=caSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent,
cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad,
cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"caSigningCer
t cert-pki-ca\", template-profile=caCACert",
"msg": "Missing tracking for cert-database=/etc/pki/pki-tomcat/alias,
cert-nickname=caSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent,
cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad,
cert-postsave-command=/usr/libexec/ipa/certmonger/renew_c
a_cert \"caSigningCert cert-pki-ca\", template-profile=caCACert"
}
},
and more
question how I can fix this?
12:56 p.m.
New subject: Certificate Authority master cert shows revoked somehow (refresh issue due bad hosts file?)
Andrius Jurkus via FreeIPA-users wrote:
ipa --version
VERSION: 4.8.7
So I have no idea what actually happened, but today I cant login into freeipa webui.
There is 3 instances on 2 and 3rd I can login. Sync is on and working.
I noticed that in webui it shows that first certificate
CN=Certificate Authority,O=xx ipa REVOKED
Obviously I didint revoke it.
If the root CA really is revoked that is quite bad. ipa cert-show 1 will
confirm this and display the reason for revocation.
ipa-getcert list shows only two certificates and noone is master
This is expected. ipa-getcert is short for getcert -c IPA. The CA
certificates are handled by a different certmonger CA helper.
getcert list shows more and
this is master cert as you can see server was installed ~2 years ago.
Request ID '20201218102240':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=xxx
subject: CN=Certificate Authority,O=xxx
expires: 2039-12-16 13:38:03 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert
cert-pki-ca"
track: yes
auto-renew: yes
CN=localhost... :facepalm:
This is I guess new(not really) and probably this was tickint time bomb for quite some
time.
Request ID '20210317111052':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca bd372c7d-62d0-469d-a107-da3b5a782c09',token='NSS Certificate
DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca bd372c7d-62d0-469d-a107-da3b5a782c09',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=INT.O4.LT
subject: CN=localhost
expires: 2041-03-17 11:11:01 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
profile: caCACert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert
cert-pki-ca bd372c7d-62d0-469d-a107-da3b5a782c09"
track: yes
auto-renew: yes
This is almost certainly a sub-CA. Try ipa ca-find to see if it is listed.
I have bad feeling that it is because hosts file is not cleared from
localhost entries?
cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
Not related to the CN.
ipa-healthcheck complainas about
this is SUBCA caSigningCert cert-pki-ca 86623fac-5d11-4ac6-9972-ea80ef16f711 not found,
assuming 3rd party
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertfileExpirationCheck",
"result": "ERROR",
"uuid": "a77e06d1-ee90-4574-8c68-750ec3f5d6bd",
"when": "20211124184538Z",
"duration": "0.366900",
"kw": {
"key": "20210317111052",
"dbdir": "/etc/pki/pki-tomcat/alias",
"nickname": "caSigningCert cert-pki-ca
bd372c7d-62d0-469d-a107-da3b5a782c09",
"error": "Failed to get caSigningCert cert-pki-ca
bd372c7d-62d0-469d-a107-da3b5a782c09",
"msg": "Unable to retrieve cert 'caSigningCert cert-pki-ca
bd372c7d-62d0-469d-a107-da3b5a782c09' from '/etc/pki/pki-tomcat/alias': Failed
to get caSigningCert cert-pki-ca bd372c7d-62d0-469d-a107-da3b5a782c09"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertTracking",
"result": "ERROR",
"uuid": "c8e78e6d-794c-41cb-a12f-f57d0dda23d6",
"when": "20211124184538Z",
"duration": "0.416846",
"kw": {
"key": "cert-database=/etc/pki/pki-tomcat/alias,
cert-nickname=caSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent,
cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad,
cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"caSigningCer
t cert-pki-ca\", template-profile=caCACert",
"msg": "Missing tracking for
cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=caSigningCert cert-pki-ca,
ca-name=dogtag-ipa-ca-renew-agent,
cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad,
cert-postsave-command=/usr/libexec/ipa/certmonger/renew_c
a_cert \"caSigningCert cert-pki-ca\", template-profile=caCACert"
}
},
and more
question how I can fix this?
What version of ipa-healthcheck? I believe it currently has some minimal
level of support for sub CA's.
rob
11:53 a.m.
New subject: Certificate Authority master cert shows revoked somehow (refresh issue due bad hosts file?)
Thanks, Rob.
Didint notice you wrote and I tried things on my own. Was kinda thinking of doomsday
scenario :)
I think it is similar issue to
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
For better or worse tried upgrading, now I can login into webui.
ipa VERSION: 4.9.6, API_VERSION: 2.242
Currently everything still works, but how broken you think installation is and if it is
possible(reasonably) to recover it or it would be better to start over?
This shows it is revoked but..
ipa cert-show 1
Issuing CA: ipa
Subject: CN=Certificate Authority,O=INT.O4.LT
Issuer: CN=Certificate Authority,O=INT.O4.LT
Not Before: Mon Dec 16 13:38:03 2019 UTC
Not After: Fri Dec 16 13:38:03 2039 UTC
Serial number: 1
Serial number (hex): 0x1
Revoked: True
Revocation reason: 0
But now there is new CA after upgrade?
ipa cert-show 35
Issuing CA: ipa
Certificate: (differs from 1)
Subject: CN=Certificate Authority,O=INT.O4.LT
Issuer: CN=Certificate Authority,O=INT.O4.LT
Not Before: Mon Nov 29 16:34:27 2021 UTC
Not After: Fri Nov 29 16:34:27 2041 UTC
Serial number: 35
Serial number (hex): 0x23
Revoked: False
I think actual problem started way back Mar 17 and wasnt noticed.
ipa cert-show 24
Issuing CA: ipa
Certificate:
Subject: CN=localhost
Issuer: CN=Certificate Authority,O=INT.O4.LT
Not Before: Wed Mar 17 11:11:01 2021 UTC
Not After: Sun Mar 17 11:11:01 2041 UTC
Serial number: 24
Serial number (hex): 0x18
Revoked: False
ipa ca-find
-------------
4 CAs matched
-------------
Name: ipa
Description: IPA CA
Authority ID: e5f13d9b-c3eb-49e0-9b1f-1a75cdc6a347 (I cant find it in tracked certs
getcert list | grep e5f13d9b-c3eb-49e0-9b1f-1a75cdc6a347)
Subject DN: CN=Certificate Authority,O=INT.O4.LT
Issuer DN: CN=Certificate Authority,O=INT.O4.LT
Name: vpn_user_gs
Description:
Authority ID: 86623fac-5d11-4ac6-9972-ea80ef16f711
Subject DN: CN=VPN_USER_GS,O=INT.O4.LT
Issuer DN: CN=Certificate Authority,O=INT.O4.LT
Name: vpn_user_rb
Description:
Authority ID: 5a1304e3-6e02-44fc-b219-686fcc3d3ded
Subject DN: CN=VPN_USER_RB,O=INT.O4.LT
Issuer DN: CN=Certificate Authority,O=INT.O4.LT
Name: vpn_user_un
Description:
Authority ID: 994b6b1f-6ccf-4b12-a540-d778836c7e80
Subject DN: CN=VPN_USER_UN,O=INT.O4.LT
Issuer DN: CN=Certificate Authority,O=INT.O4.LT
Full log
ipa-healthcheck --failures-only
caSigningCert cert-pki-ca 994b6b1f-6ccf-4b12-a540-d778836c7e80 not found, assuming 3rd
party
caSigningCert cert-pki-ca 5a1304e3-6e02-44fc-b219-686fcc3d3ded not found, assuming 3rd
party
caSigningCert cert-pki-ca 86623fac-5d11-4ac6-9972-ea80ef16f711 not found, assuming 3rd
party
INT.O4.LT IPA CA not found, assuming 3rd party
[
{
"source": "pki.server.healthcheck.meta.csconfig",
"check": "CADogtagCertsConfigCheck",
"result": "ERROR",
"uuid": "d92e324f-5fb0-45a1-a964-fdceae1041d1",
"when": "20211201172441Z",
"duration": "0.223549",
"kw": {
"key": "ca_signing",
"nickname": "caSigningCert cert-pki-ca",
"directive": "ca.signing.cert",
"configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
"msg": "Certificate 'caSigningCert cert-pki-ca' does not
match the value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertTracking",
"result": "WARNING",
"uuid": "21455b50-3ac5-4bb8-87ef-3ca3bbfb2569",
"when": "20211201172444Z",
"duration": "0.876727",
"kw": {
"key": "20211129180130",
"msg": "certmonger tracking request {key} found and is not expected
on an IPA master."
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertTracking",
"result": "WARNING",
"uuid": "0914dc40-c7f9-4db3-b072-d92dd05b429e",
"when": "20211201172444Z",
"duration": "0.876754",
"kw": {
"key": "20211129180131",
"msg": "certmonger tracking request {key} found and is not expected
on an IPA master."
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertTracking",
"result": "WARNING",
"uuid": "202718fb-4994-4e53-837e-be73a1c3ff3d",
"when": "20211201172444Z",
"duration": "0.876779",
"kw": {
"key": "20211129180132",
"msg": "certmonger tracking request {key} found and is not expected
on an IPA master."
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertNSSTrust",
"result": "ERROR",
"uuid": "3f16bb7e-7dcb-4de9-9963-89920170abff",
"when": "20211201172445Z",
"duration": "0.308078",
"kw": {
"key": "caSigningCert cert-pki-ca
994b6b1f-6ccf-4b12-a540-d778836c7e80",
"expected": "CTu,Cu,Cu",
"got": "u,u,u",
"nickname": "caSigningCert cert-pki-ca
994b6b1f-6ccf-4b12-a540-d778836c7e80",
"dbdir": "/etc/pki/pki-tomcat/alias",
"msg": "Incorrect NSS trust for {nickname} in {dbdir}. Got {got}
expected {expected}."
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertNSSTrust",
"result": "ERROR",
"uuid": "268fbc88-6fa0-4707-9fde-f78082d9a81b",
"when": "20211201172445Z",
"duration": "0.308140",
"kw": {
"key": "caSigningCert cert-pki-ca
5a1304e3-6e02-44fc-b219-686fcc3d3ded",
"expected": "CTu,Cu,Cu",
"got": "u,u,u",
"nickname": "caSigningCert cert-pki-ca
5a1304e3-6e02-44fc-b219-686fcc3d3ded",
"dbdir": "/etc/pki/pki-tomcat/alias",
"msg": "Incorrect NSS trust for {nickname} in {dbdir}. Got {got}
expected {expected}."
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertNSSTrust",
"result": "ERROR",
"uuid": "946c376d-b1f0-441e-827a-2e025d02f890",
"when": "20211201172445Z",
"duration": "0.308171",
"kw": {
"key": "caSigningCert cert-pki-ca
86623fac-5d11-4ac6-9972-ea80ef16f711",
"expected": "CTu,Cu,Cu",
"got": "u,u,u",
"nickname": "caSigningCert cert-pki-ca
86623fac-5d11-4ac6-9972-ea80ef16f711",
"dbdir": "/etc/pki/pki-tomcat/alias",
"msg": "Incorrect NSS trust for {nickname} in {dbdir}. Got {got}
expected {expected}."
}
},
"source": "ipahealthcheck.ipa.certs",
"check": "IPADogtagCertsMatchCheck",
"result": "ERROR",
"uuid": "0d2e4acf-70ea-4fbd-ab13-88098c92381d",
"when": "20211201172445Z",
"duration": "0.114263",
"kw": {
"key": "caSigningCert cert-pki-ca",
"nickname": "caSigningCert cert-pki-ca",
"dbdir": "/etc/pki/pki-tomcat/alias",
"msg": "{nickname} certificate in NSS DB {dbdir} does not match entry
in LDAP"
}
}
1:48 p.m.
New subject: Certificate Authority master cert shows revoked somehow (refresh issue due bad hosts file?)
Andrius Jurkus via FreeIPA-users wrote:
Thanks, Rob.
Didint notice you wrote and I tried things on my own. Was kinda thinking of doomsday
scenario :)
I think it is similar issue to
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
For better or worse tried upgrading, now I can login into webui.
ipa VERSION: 4.9.6, API_VERSION: 2.242
Currently everything still works, but how broken you think installation is and if it is
possible(reasonably) to recover it or it would be better to start over?
It looks to me like someone ran 'ipa-cacert-manage renew' to re-issue
the original CA. This is fine but the pki-provided healthcheck doesn't
handle multiple certs so that explains the CS.cfg error.
The rest are because ipa-healthcheck doesn't handle sub-cas properly.
What the cn=localhost cert is from I have no idea. It sure looks like a
sub-ca. that's pretty much the only way a cert can be issued with a
subject like this, though it's curious it doesn't show up in ca-find.
The IPA-CA is tracked by nickname and not by uuid which is why you don't
see that in the getcert output.
rob
This shows it is revoked but..
ipa cert-show 1
Issuing CA: ipa
Subject: CN=Certificate Authority,O=INT.O4.LT
Issuer: CN=Certificate Authority,O=INT.O4.LT
Not Before: Mon Dec 16 13:38:03 2019 UTC
Not After: Fri Dec 16 13:38:03 2039 UTC
Serial number: 1
Serial number (hex): 0x1
Revoked: True
Revocation reason: 0
But now there is new CA after upgrade?
ipa cert-show 35
Issuing CA: ipa
Certificate: (differs from 1)
Subject: CN=Certificate Authority,O=INT.O4.LT
Issuer: CN=Certificate Authority,O=INT.O4.LT
Not Before: Mon Nov 29 16:34:27 2021 UTC
Not After: Fri Nov 29 16:34:27 2041 UTC
Serial number: 35
Serial number (hex): 0x23
Revoked: False
I think actual problem started way back Mar 17 and wasnt noticed.
ipa cert-show 24
Issuing CA: ipa
Certificate:
Subject: CN=localhost
Issuer: CN=Certificate Authority,O=INT.O4.LT
Not Before: Wed Mar 17 11:11:01 2021 UTC
Not After: Sun Mar 17 11:11:01 2041 UTC
Serial number: 24
Serial number (hex): 0x18
Revoked: False
ipa ca-find
-------------
4 CAs matched
-------------
Name: ipa
Description: IPA CA
Authority ID: e5f13d9b-c3eb-49e0-9b1f-1a75cdc6a347 (I cant find it in tracked certs
getcert list | grep e5f13d9b-c3eb-49e0-9b1f-1a75cdc6a347)
Subject DN: CN=Certificate Authority,O=INT.O4.LT
Issuer DN: CN=Certificate Authority,O=INT.O4.LT
Name: vpn_user_gs
Description:
Authority ID: 86623fac-5d11-4ac6-9972-ea80ef16f711
Subject DN: CN=VPN_USER_GS,O=INT.O4.LT
Issuer DN: CN=Certificate Authority,O=INT.O4.LT
Name: vpn_user_rb
Description:
Authority ID: 5a1304e3-6e02-44fc-b219-686fcc3d3ded
Subject DN: CN=VPN_USER_RB,O=INT.O4.LT
Issuer DN: CN=Certificate Authority,O=INT.O4.LT
Name: vpn_user_un
Description:
Authority ID: 994b6b1f-6ccf-4b12-a540-d778836c7e80
Subject DN: CN=VPN_USER_UN,O=INT.O4.LT
Issuer DN: CN=Certificate Authority,O=INT.O4.LT
Full log
ipa-healthcheck --failures-only
caSigningCert cert-pki-ca 994b6b1f-6ccf-4b12-a540-d778836c7e80 not found, assuming 3rd
party
caSigningCert cert-pki-ca 5a1304e3-6e02-44fc-b219-686fcc3d3ded not found, assuming 3rd
party
caSigningCert cert-pki-ca 86623fac-5d11-4ac6-9972-ea80ef16f711 not found, assuming 3rd
party
INT.O4.LT IPA CA not found, assuming 3rd party
[
{
"source": "pki.server.healthcheck.meta.csconfig",
"check": "CADogtagCertsConfigCheck",
"result": "ERROR",
"uuid": "d92e324f-5fb0-45a1-a964-fdceae1041d1",
"when": "20211201172441Z",
"duration": "0.223549",
"kw": {
"key": "ca_signing",
"nickname": "caSigningCert cert-pki-ca",
"directive": "ca.signing.cert",
"configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
"msg": "Certificate 'caSigningCert cert-pki-ca' does not
match the value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertTracking",
"result": "WARNING",
"uuid": "21455b50-3ac5-4bb8-87ef-3ca3bbfb2569",
"when": "20211201172444Z",
"duration": "0.876727",
"kw": {
"key": "20211129180130",
"msg": "certmonger tracking request {key} found and is not expected
on an IPA master."
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertTracking",
"result": "WARNING",
"uuid": "0914dc40-c7f9-4db3-b072-d92dd05b429e",
"when": "20211201172444Z",
"duration": "0.876754",
"kw": {
"key": "20211129180131",
"msg": "certmonger tracking request {key} found and is not expected
on an IPA master."
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertTracking",
"result": "WARNING",
"uuid": "202718fb-4994-4e53-837e-be73a1c3ff3d",
"when": "20211201172444Z",
"duration": "0.876779",
"kw": {
"key": "20211129180132",
"msg": "certmonger tracking request {key} found and is not expected
on an IPA master."
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertNSSTrust",
"result": "ERROR",
"uuid": "3f16bb7e-7dcb-4de9-9963-89920170abff",
"when": "20211201172445Z",
"duration": "0.308078",
"kw": {
"key": "caSigningCert cert-pki-ca
994b6b1f-6ccf-4b12-a540-d778836c7e80",
"expected": "CTu,Cu,Cu",
"got": "u,u,u",
"nickname": "caSigningCert cert-pki-ca
994b6b1f-6ccf-4b12-a540-d778836c7e80",
"dbdir": "/etc/pki/pki-tomcat/alias",
"msg": "Incorrect NSS trust for {nickname} in {dbdir}. Got {got}
expected {expected}."
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertNSSTrust",
"result": "ERROR",
"uuid": "268fbc88-6fa0-4707-9fde-f78082d9a81b",
"when": "20211201172445Z",
"duration": "0.308140",
"kw": {
"key": "caSigningCert cert-pki-ca
5a1304e3-6e02-44fc-b219-686fcc3d3ded",
"expected": "CTu,Cu,Cu",
"got": "u,u,u",
"nickname": "caSigningCert cert-pki-ca
5a1304e3-6e02-44fc-b219-686fcc3d3ded",
"dbdir": "/etc/pki/pki-tomcat/alias",
"msg": "Incorrect NSS trust for {nickname} in {dbdir}. Got {got}
expected {expected}."
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertNSSTrust",
"result": "ERROR",
"uuid": "946c376d-b1f0-441e-827a-2e025d02f890",
"when": "20211201172445Z",
"duration": "0.308171",
"kw": {
"key": "caSigningCert cert-pki-ca
86623fac-5d11-4ac6-9972-ea80ef16f711",
"expected": "CTu,Cu,Cu",
"got": "u,u,u",
"nickname": "caSigningCert cert-pki-ca
86623fac-5d11-4ac6-9972-ea80ef16f711",
"dbdir": "/etc/pki/pki-tomcat/alias",
"msg": "Incorrect NSS trust for {nickname} in {dbdir}. Got {got}
expected {expected}."
}
},
"source": "ipahealthcheck.ipa.certs",
"check": "IPADogtagCertsMatchCheck",
"result": "ERROR",
"uuid": "0d2e4acf-70ea-4fbd-ab13-88098c92381d",
"when": "20211201172445Z",
"duration": "0.114263",
"kw": {
"key": "caSigningCert cert-pki-ca",
"nickname": "caSigningCert cert-pki-ca",
"dbdir": "/etc/pki/pki-tomcat/alias",
"msg": "{nickname} certificate in NSS DB {dbdir} does not match
entry in LDAP"
}
}
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
9:42 a.m.
New subject: Certificate Authority master cert shows revoked somehow (refresh issue due bad hosts file?)
I did run renew CA since it showed as revoked.
Thanks for your time.
875
days inactive
883
days old
freeipa-users@lists.fedorahosted.org
4 comments
2 participants
participants (2)
-
Andrius Jurkus -
Rob Crittenden