New subject: ipa-healthcheck: a replica says "RA agent description does not match", ""Request for certificate failed, Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)"

Saturday, 21 December 2019

Hi,

I'm monitoring using ipa-healthcheck and I just started getting:

$ sudo ipa-healthcheck --severity CRITICAL --severity ERROR --failures-only
ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Credential.)
[
  {
    "source": "ipahealthcheck.ipa.certs",
    "kw": {
      "msg": "RA agent description does not match 2;44;CN=Certificate
Authority,O=IPA.PDP7.NET;CN=IPA RA,O=IPA.PDP7.NET in LDAP and
2;7;CN=Certificate Authority,O=IPA.PDP7.NET;CN=IPA RA,O=IPA.PDP7.NET
expected",
      "got": "2;44;CN=Certificate Authority,O=IPA.PDP7.NET;CN=IPA RA,O=
IPA.PDP7.NET",
      "expected": "2;7;CN=Certificate Authority,O=IPA.PDP7.NET;CN=IPA
RA,O=
IPA.PDP7.NET"
    },
    "uuid": "0bfa6af6-5dd9-4505-89dc-a733060042a4",
    "duration": "0.037322",
    "when": "20191221123847Z",
    "check": "IPARAAgent",
    "result": "ERROR"
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "kw": {
      "msg": "Request for certificate failed, Certificate operation cannot
be completed: EXCEPTION (Invalid Credential.)",
      "key": "20181108202133"
    },
    "uuid": "bd04fd67-7b3e-4d2f-a87e-ff15563808e0",
    "duration": "0.491949",
    "when": "20191221123848Z",
    "check": "IPACertRevocation",
    "result": "ERROR"
  },

... the second one is repeated a bunch of times. If I go into the replica
web UI to check cert 7, I get very much the same error:

An error has occurred (IPA Error 4301: CertificateOperationError)
Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)

However, if I go to the first IPA server I created, I can view the cert
normally. How should I proceed?

Cheers,

Álex

-- 
   ___
 {~._.~}
  ( Y )
 ()~*~()  mail: alex at corcoles dot net
 (_)-(_)  http://alex.corcoles.net/

2024

2023

2022

2021

2020

2019

2018

2017

ipa-healthcheck: a replica says "RA agent description does not match", ""Request for certificate failed, Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)"