On 12/21/19 1:49 PM, Alex Corcoles via FreeIPA-users wrote:
Hi,
I'm monitoring using ipa-healthcheck and I just started getting:
$ sudo ipa-healthcheck --severity CRITICAL --severity ERROR --failures-only
ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Credential.)
[
  {
    "source": "ipahealthcheck.ipa.certs",
    "kw": {
      "msg": "RA agent description does not match 2;44;CN=Certificate Authority,O=IPA.PDP7.NET;CN=IPA RA,O=IPA.PDP7.NET in LDAP and 2;7;CN=Certificate Authority,O=IPA.PDP7.NET;CN=IPA RA,O=IPA.PDP7.NET expected",
      "got": "2;44;CN=Certificate Authority,O=IPA.PDP7.NET;CN=IPA RA,O=IPA.PDP7.NET",
      "expected": "2;7;CN=Certificate Authority,O=IPA.PDP7.NET;CN=IPA RA,O=IPA.PDP7.NET"
    },
    "uuid": "0bfa6af6-5dd9-4505-89dc-a733060042a4",
    "duration": "0.037322",
    "when": "20191221123847Z",
    "check": "IPARAAgent",
    "result": "ERROR"
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "kw": {
      "msg": "Request for certificate failed, Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)",
      "key": "20181108202133"
    },
    "uuid": "bd04fd67-7b3e-4d2f-a87e-ff15563808e0",
    "duration": "0.491949",
    "when": "20191221123848Z",
    "check": "IPACertRevocation",
    "result": "ERROR"
  },
... the second one is repeated a bunch of times. If I go into the
replica web UI to check cert 7, I get very much the same error:
An error has occurred (IPA Error 4301: CertificateOperationError)
Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)
However, if I go to the first IPA server I created, I can view the cert
normally. How should I proceed?
Hi,
this means that the RA agent cert was renewed on the master (which is
probably your CA renewal master), but the new cert was not properly
downloaded/updated on the replicas.
1. Check which master is the CA renewal master with
$ ipa config-show | grep renewal
IPA CA renewal master: <hostname>
2. On the renewal master found above, check the RA agent cert serial
number. Depending on your version of IPA, it is either in
/var/lib/ipa/ra-agent.pem (IPA 4.5+) or in the NSS database
/etc/httpd/alias/
$ certutil -L -d /etc/httpd/alias/ -n ipaCert | grep Serial
Serial Number: 7 (0x7)
or
$ openssl x509 -noout -serial -in /var/lib/ipa/ra-agent.pem
serial=07
Note the serial number and compare with the content of the LDAP entry
uid=ipara,ou=people,o=ipaca:
$ ldapsearch -D cn=directory\ manager -W -b uid=ipara,ou=people,o=ipaca -LLL -o ldif-wrap=no dn description usercertificate
Enter LDAP Password:
dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=Certificate Authority,O=DOMAIN.COM;CN=IPA RA,O=DOMAIN.COM
usercertificate:: MIIDyD...
The description attribute must have the format
"2;<serial>;<issuer>;<subject>" and the userCertificate value must be
the same as the RA agent cert. If it's not the case, you need to perform
a ldapmodify in order to fix this issue.
3. On the other replicas, check that the replication is OK and that the
entry uid=ipara,ou=people,o=ipaca has been properly updated. If it's not
the case, you will need to fix replication first.
4. On the other replicas, check that the certificate has been properly
installed in the NSS database /etc/httpd/alias/ or in
/var/lib/ipa/ra-agent.pem.
If it's not the case, you can manually install the cert or call
getcert resubmit -i <ID of the tracking for RA agent>
Make sure that the request completed successfully with
$ getcert list -i <ID>
(the status must be: MONITORING)
The ID can be found with:
getcert list -f /var/lib/ipa/ra-agent.pem
or
getcert list -n ipaCert
HTH,
flo
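The comparison in step 2 (cert serial versus the uid=ipara description) and the healthcheck output at the top of the thread lend themselves to a small checker. The script below is an added example written for this thread, not code from flo or from the FreeIPA project: it parses the "2;<serial>;<issuer>;<subject>" description, normalises the serial as printed by the two tools named in the reply (certutil's decimal "Serial Number: 7 (0x7)" form and openssl's hex "serial=07" form), reports every field that disagrees, and pulls the got/expected serials out of ipa-healthcheck's JSON so the "renewed on the master, stale on the replica" pattern is visible at a glance. The sample healthcheck findings are constructed from the thread's own output (trimmed to the fields used); the assumption that certutil prints the serial in decimal holds for small serials like the ones here.

```python
import json
import re

# Constructed sample: the two ipa-healthcheck findings quoted in the thread,
# trimmed to the fields this script reads, embedded so it runs offline.
SAMPLE_HEALTHCHECK = json.dumps([
    {
        "source": "ipahealthcheck.ipa.certs",
        "kw": {
            "got": "2;44;CN=Certificate Authority,O=IPA.PDP7.NET;CN=IPA RA,O=IPA.PDP7.NET",
            "expected": "2;7;CN=Certificate Authority,O=IPA.PDP7.NET;CN=IPA RA,O=IPA.PDP7.NET",
        },
        "check": "IPARAAgent",
        "result": "ERROR",
    },
    {
        "source": "ipahealthcheck.ipa.certs",
        "kw": {
            "msg": "Request for certificate failed, Certificate operation "
                   "cannot be completed: EXCEPTION (Invalid Credential.)",
            "key": "20181108202133",
        },
        "check": "IPACertRevocation",
        "result": "ERROR",
    },
])

# '2;<serial>;<issuer>;<subject>': issuer and subject are DNs containing
# commas, so split on ';' only.
DESC_RE = re.compile(r"^(\d+);(\d+);([^;]+);([^;]+)$")


def parse_ra_description(desc):
    """Split the uid=ipara description into its four fields.

    The serial is returned as an int so it compares cleanly with the
    serial read from the certificate on disk.
    """
    m = DESC_RE.match(desc.strip())
    if not m:
        raise ValueError("unexpected description format: %r" % desc)
    version, serial, issuer, subject = m.groups()
    return {"version": int(version), "serial": int(serial),
            "issuer": issuer, "subject": subject}


def serial_from_tool_output(line):
    """Normalise the serial printed by certutil or openssl to an int.

    certutil: 'Serial Number: 7 (0x7)'  (decimal for small serials; assumption)
    openssl:  'serial=07'               (hex)
    """
    m = re.search(r"Serial Number:\s*(\d+)", line)
    if m:
        return int(m.group(1))
    m = re.search(r"serial=([0-9A-Fa-f]+)", line)
    if m:
        return int(m.group(1), 16)
    raise ValueError("no serial number found in %r" % line)


def check_ra_agent(ldap_description, cert_serial, cert_issuer, cert_subject):
    """Compare the LDAP description with the RA agent cert on this host.

    Returns a list of mismatch messages; an empty list means the entry and
    the local cert agree and step 2 of the reply is satisfied.
    """
    d = parse_ra_description(ldap_description)
    problems = []
    if d["version"] != 2:
        problems.append("description version %d, expected 2" % d["version"])
    if d["serial"] != cert_serial:
        problems.append("serial %d in LDAP, local RA cert has %d"
                        % (d["serial"], cert_serial))
    if d["issuer"] != cert_issuer:
        problems.append("issuer %r in LDAP, cert has %r"
                        % (d["issuer"], cert_issuer))
    if d["subject"] != cert_subject:
        problems.append("subject %r in LDAP, cert has %r"
                        % (d["subject"], cert_subject))
    return problems


def ra_agent_drift(healthcheck_json):
    """Return (serial_in_ldap, serial_of_local_cert) from an IPARAAgent ERROR.

    ipa-healthcheck reports the LDAP description as 'got' and the one built
    from the local cert as 'expected'; None means the check passed or is absent.
    """
    for finding in json.loads(healthcheck_json):
        if finding.get("check") == "IPARAAgent" and finding.get("result") == "ERROR":
            got = parse_ra_description(finding["kw"]["got"])
            expected = parse_ra_description(finding["kw"]["expected"])
            return got["serial"], expected["serial"]
    return None


if __name__ == "__main__":
    # On the replica in the thread: LDAP already carries the renewed cert (44)
    # while the local RA cert is still serial 7.
    print(ra_agent_drift(SAMPLE_HEALTHCHECK))
    print(check_ra_agent(
        "2;44;CN=Certificate Authority,O=IPA.PDP7.NET;CN=IPA RA,O=IPA.PDP7.NET",
        serial_from_tool_output("serial=07"),
        "CN=Certificate Authority,O=IPA.PDP7.NET", "CN=IPA RA,O=IPA.PDP7.NET"))
```

Feed `serial_from_tool_output` the one line from `certutil -L ... | grep Serial` or `openssl x509 -noout -serial`, and the description from the ldapsearch in step 2; a non-empty list from `check_ra_agent` on a replica, with an empty one on the renewal master, points at the replication or getcert step rather than at the CA itself.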
Cheers,
Álex
--
___
{~._.~}
( Y )
()~*~() mail: alex at corcoles dot net
(_)-(_)
http://alex.corcoles.net/