Thanks, Rob.
Didn't notice you wrote and I tried things on my own. Was kinda thinking of a doomsday scenario :)
I think it is a similar issue to
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
For better or worse tried upgrading, now I can login into webui.
ipa VERSION: 4.9.6, API_VERSION: 2.242
Currently everything still works, but how broken do you think the installation is, and is it (reasonably) possible to recover it, or would it be better to start over?
This shows it is revoked but...
ipa cert-show 1
Issuing CA: ipa
Subject: CN=Certificate Authority,O=INT.O4.LT
Issuer: CN=Certificate Authority,O=INT.O4.LT
Not Before: Mon Dec 16 13:38:03 2019 UTC
Not After: Fri Dec 16 13:38:03 2039 UTC
Serial number: 1
Serial number (hex): 0x1
Revoked: True
Revocation reason: 0
But now there is new CA after upgrade?
ipa cert-show 35
Issuing CA: ipa
Certificate: (differs from 1)
Subject: CN=Certificate Authority,O=INT.O4.LT
Issuer: CN=Certificate Authority,O=INT.O4.LT
Not Before: Mon Nov 29 16:34:27 2021 UTC
Not After: Fri Nov 29 16:34:27 2041 UTC
Serial number: 35
Serial number (hex): 0x23
Revoked: False
I think the actual problem started way back on Mar 17 and wasn't noticed.
ipa cert-show 24
Issuing CA: ipa
Certificate:
Subject: CN=localhost
Issuer: CN=Certificate Authority,O=INT.O4.LT
Not Before: Wed Mar 17 11:11:01 2021 UTC
Not After: Sun Mar 17 11:11:01 2041 UTC
Serial number: 24
Serial number (hex): 0x18
Revoked: False
ipa ca-find
-------------
4 CAs matched
-------------
Name: ipa
Description: IPA CA
Authority ID: e5f13d9b-c3eb-49e0-9b1f-1a75cdc6a347 (I can't find it in tracked certs: getcert list | grep e5f13d9b-c3eb-49e0-9b1f-1a75cdc6a347)
Subject DN: CN=Certificate Authority,O=INT.O4.LT
Issuer DN: CN=Certificate Authority,O=INT.O4.LT
Name: vpn_user_gs
Description:
Authority ID: 86623fac-5d11-4ac6-9972-ea80ef16f711
Subject DN: CN=VPN_USER_GS,O=INT.O4.LT
Issuer DN: CN=Certificate Authority,O=INT.O4.LT
Name: vpn_user_rb
Description:
Authority ID: 5a1304e3-6e02-44fc-b219-686fcc3d3ded
Subject DN: CN=VPN_USER_RB,O=INT.O4.LT
Issuer DN: CN=Certificate Authority,O=INT.O4.LT
Name: vpn_user_un
Description:
Authority ID: 994b6b1f-6ccf-4b12-a540-d778836c7e80
Subject DN: CN=VPN_USER_UN,O=INT.O4.LT
Issuer DN: CN=Certificate Authority,O=INT.O4.LT
Full log
ipa-healthcheck --failures-only
caSigningCert cert-pki-ca 994b6b1f-6ccf-4b12-a540-d778836c7e80 not found, assuming 3rd party
caSigningCert cert-pki-ca 5a1304e3-6e02-44fc-b219-686fcc3d3ded not found, assuming 3rd party
caSigningCert cert-pki-ca 86623fac-5d11-4ac6-9972-ea80ef16f711 not found, assuming 3rd party
INT.O4.LT IPA CA not found, assuming 3rd party
[
  {
    "source": "pki.server.healthcheck.meta.csconfig",
    "check": "CADogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "d92e324f-5fb0-45a1-a964-fdceae1041d1",
    "when": "20211201172441Z",
    "duration": "0.223549",
    "kw": {
      "key": "ca_signing",
      "nickname": "caSigningCert cert-pki-ca",
      "directive": "ca.signing.cert",
      "configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
      "msg": "Certificate 'caSigningCert cert-pki-ca' does not match the value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertTracking",
    "result": "WARNING",
    "uuid": "21455b50-3ac5-4bb8-87ef-3ca3bbfb2569",
    "when": "20211201172444Z",
    "duration": "0.876727",
    "kw": {
      "key": "20211129180130",
      "msg": "certmonger tracking request {key} found and is not expected on an IPA master."
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertTracking",
    "result": "WARNING",
    "uuid": "0914dc40-c7f9-4db3-b072-d92dd05b429e",
    "when": "20211201172444Z",
    "duration": "0.876754",
    "kw": {
      "key": "20211129180131",
      "msg": "certmonger tracking request {key} found and is not expected on an IPA master."
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertTracking",
    "result": "WARNING",
    "uuid": "202718fb-4994-4e53-837e-be73a1c3ff3d",
    "when": "20211201172444Z",
    "duration": "0.876779",
    "kw": {
      "key": "20211129180132",
      "msg": "certmonger tracking request {key} found and is not expected on an IPA master."
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertNSSTrust",
    "result": "ERROR",
    "uuid": "3f16bb7e-7dcb-4de9-9963-89920170abff",
    "when": "20211201172445Z",
    "duration": "0.308078",
    "kw": {
      "key": "caSigningCert cert-pki-ca 994b6b1f-6ccf-4b12-a540-d778836c7e80",
      "expected": "CTu,Cu,Cu",
      "got": "u,u,u",
      "nickname": "caSigningCert cert-pki-ca 994b6b1f-6ccf-4b12-a540-d778836c7e80",
      "dbdir": "/etc/pki/pki-tomcat/alias",
      "msg": "Incorrect NSS trust for {nickname} in {dbdir}. Got {got} expected {expected}."
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertNSSTrust",
    "result": "ERROR",
    "uuid": "268fbc88-6fa0-4707-9fde-f78082d9a81b",
    "when": "20211201172445Z",
    "duration": "0.308140",
    "kw": {
      "key": "caSigningCert cert-pki-ca 5a1304e3-6e02-44fc-b219-686fcc3d3ded",
      "expected": "CTu,Cu,Cu",
      "got": "u,u,u",
      "nickname": "caSigningCert cert-pki-ca 5a1304e3-6e02-44fc-b219-686fcc3d3ded",
      "dbdir": "/etc/pki/pki-tomcat/alias",
      "msg": "Incorrect NSS trust for {nickname} in {dbdir}. Got {got} expected {expected}."
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertNSSTrust",
    "result": "ERROR",
    "uuid": "946c376d-b1f0-441e-827a-2e025d02f890",
    "when": "20211201172445Z",
    "duration": "0.308171",
    "kw": {
      "key": "caSigningCert cert-pki-ca 86623fac-5d11-4ac6-9972-ea80ef16f711",
      "expected": "CTu,Cu,Cu",
      "got": "u,u,u",
      "nickname": "caSigningCert cert-pki-ca 86623fac-5d11-4ac6-9972-ea80ef16f711",
      "dbdir": "/etc/pki/pki-tomcat/alias",
      "msg": "Incorrect NSS trust for {nickname} in {dbdir}. Got {got} expected {expected}."
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPADogtagCertsMatchCheck",
    "result": "ERROR",
    "uuid": "0d2e4acf-70ea-4fbd-ab13-88098c92381d",
    "when": "20211201172445Z",
    "duration": "0.114263",
    "kw": {
      "key": "caSigningCert cert-pki-ca",
      "nickname": "caSigningCert cert-pki-ca",
      "dbdir": "/etc/pki/pki-tomcat/alias",
      "msg": "{nickname} certificate in NSS DB {dbdir} does not match entry in LDAP"
    }
  }
]
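An added example, not part of the thread and not FreeIPA or ipa-healthcheck code: a small Python triage script for JSON output of the shape quoted above. It expands the `{key}`/`{nickname}` placeholders that ipa-healthcheck leaves in `msg`, groups every non-SUCCESS finding by check, and decodes the NSS trust strings from the IPACertNSSTrust failures so the gap between `u,u,u` and `CTu,Cu,Cu` is spelled out per usage (the three comma-separated fields are SSL, S/MIME and object signing; `C` is a trusted CA, `T` a CA trusted to issue client certificates, `u` a certificate whose private key is present). The embedded sample is a trimmed, constructed copy of the log in the post, one entry per check type.

```python
from __future__ import annotations

import json

# Constructed sample: a trimmed copy of the ipa-healthcheck --failures-only
# JSON quoted in the post (one entry per check type; not the full log).
SAMPLE_HEALTHCHECK_JSON = """[
  {"source": "pki.server.healthcheck.meta.csconfig",
   "check": "CADogtagCertsConfigCheck", "result": "ERROR",
   "uuid": "d92e324f-5fb0-45a1-a964-fdceae1041d1", "when": "20211201172441Z",
   "duration": "0.223549",
   "kw": {"key": "ca_signing", "nickname": "caSigningCert cert-pki-ca",
          "directive": "ca.signing.cert",
          "configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
          "msg": "Certificate 'caSigningCert cert-pki-ca' does not match the value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"}},
  {"source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking",
   "result": "WARNING", "uuid": "21455b50-3ac5-4bb8-87ef-3ca3bbfb2569",
   "when": "20211201172444Z", "duration": "0.876727",
   "kw": {"key": "20211129180130",
          "msg": "certmonger tracking request {key} found and is not expected on an IPA master."}},
  {"source": "ipahealthcheck.ipa.certs", "check": "IPACertNSSTrust",
   "result": "ERROR", "uuid": "3f16bb7e-7dcb-4de9-9963-89920170abff",
   "when": "20211201172445Z", "duration": "0.308078",
   "kw": {"key": "caSigningCert cert-pki-ca 994b6b1f-6ccf-4b12-a540-d778836c7e80",
          "expected": "CTu,Cu,Cu", "got": "u,u,u",
          "nickname": "caSigningCert cert-pki-ca 994b6b1f-6ccf-4b12-a540-d778836c7e80",
          "dbdir": "/etc/pki/pki-tomcat/alias",
          "msg": "Incorrect NSS trust for {nickname} in {dbdir}. Got {got} expected {expected}."}},
  {"source": "ipahealthcheck.ipa.certs", "check": "IPADogtagCertsMatchCheck",
   "result": "ERROR", "uuid": "0d2e4acf-70ea-4fbd-ab13-88098c92381d",
   "when": "20211201172445Z", "duration": "0.114263",
   "kw": {"key": "caSigningCert cert-pki-ca", "nickname": "caSigningCert cert-pki-ca",
          "dbdir": "/etc/pki/pki-tomcat/alias",
          "msg": "{nickname} certificate in NSS DB {dbdir} does not match entry in LDAP"}}
]"""

# NSS trust strings have three comma-separated fields: SSL, S/MIME (email) and
# object signing. 'C' marks a trusted CA, 'T' a CA trusted to issue client
# certs, 'u' a cert whose private key is in the database (a "user" cert).
TRUST_USAGES = ("ssl", "email", "objsign")


class _Kw(dict):
    """dict that leaves unknown {placeholders} untouched when formatting."""

    def __missing__(self, key):
        return "{" + key + "}"


def load_findings(text: str) -> list[dict]:
    """Parse ipa-healthcheck JSON output into a list of finding dicts."""
    return json.loads(text)


def render_msg(finding: dict) -> str:
    """Expand the {key} placeholders in a finding's msg from its kw block."""
    kw = finding.get("kw", {})
    return kw.get("msg", "").format_map(_Kw(kw))


def summarize(findings: list[dict]) -> dict[str, list[str]]:
    """Group the rendered messages of every non-SUCCESS finding by check name."""
    out: dict[str, list[str]] = {}
    for f in findings:
        if f.get("result") == "SUCCESS":
            continue
        out.setdefault(f["check"], []).append(render_msg(f))
    return out


def parse_trust(flags: str) -> dict[str, set[str]]:
    """Split 'CTu,Cu,Cu' into per-usage flag sets, missing fields as empty."""
    fields = (flags.split(",") + ["", "", ""])[:3]
    return {usage: set(field) for usage, field in zip(TRUST_USAGES, fields)}


def missing_flags(got: str, expected: str) -> dict[str, str]:
    """Per usage, the expected trust flags that are absent from what was found."""
    g, e = parse_trust(got), parse_trust(expected)
    return {u: "".join(sorted(e[u] - g[u])) for u in TRUST_USAGES if e[u] - g[u]}


def nss_trust_mismatches(findings: list[dict]) -> list[tuple[str, str, str]]:
    """(nickname, got, expected) for every failed IPACertNSSTrust finding."""
    return [(f["kw"]["nickname"], f["kw"]["got"], f["kw"]["expected"])
            for f in findings
            if f.get("check") == "IPACertNSSTrust" and f.get("result") != "SUCCESS"]


if __name__ == "__main__":
    # Replace SAMPLE_HEALTHCHECK_JSON with the output of
    # `ipa-healthcheck --failures-only --output-type json` to triage a real host.
    findings = load_findings(SAMPLE_HEALTHCHECK_JSON)
    for check, msgs in summarize(findings).items():
        print(f"{check}:")
        for m in msgs:
            print(f"  - {m}")
    for nick, got, exp in nss_trust_mismatches(findings):
        print(f"{nick}: missing trust flags {missing_flags(got, exp)}")
```

On the sample, the trust decoder reports the CA nickname as missing `CT` for SSL and `C` for S/MIME and object signing: the certificate and key are present in the NSS database, but nothing marks it as a trusted CA, which is what the IPACertNSSTrust error is pointing at.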