I recently updated my system. I am now at version 4.9.11. After the update I noticed the following output from healthcheck.
# ipa-healthcheck
ra.get_certificate(): Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x6f0000001f2421fafd6722322500000000001f not found (404)
[
  {
    "source": "ipahealthcheck.dogtag.ca",
    "check": "DogtagCertsConnectivityCheck",
    "result": "ERROR",
    "uuid": "8a663c7d-77f9-4739-8029-c401b113fa5e",
    "when": "20231003134004Z",
    "duration": "0.093615",
    "kw": {
      "key": "cert_show_1",
      "error": "Certificate operation cannot be completed: Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x6f0000001f2421fafd6722322500000000001f not found (404)",
      "serial": "2475382717198593230277736537855912919378690079",
      "msg": "Serial number not found: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertTracking",
    "result": "WARNING",
    "uuid": "3c183bb0-bffc-403a-9899-a59a4d29750b",
    "when": "20231003134009Z",
    "duration": "1.819175",
    "kw": {
      "key": "20230901185953",
      "msg": "certmonger tracking request {key} found and is not expected on an IPA master."
    }
  }
]
If I am understanding correctly it looks like the error is for a certificate that it cannot find. I have several questions here.
#1 What cert is the system looking for?
#2 How do I correct the error issue?
#3 Is the warning the result of the error? i.e., are the issues related to each other?
#4 If the warning is not the result of the error, how do I correct that?
Thanks for your input.
Jeremy Tourville via FreeIPA-users wrote:
I recently updated my system. I am now at version 4.9.11. After the update I noticed the following output from healthcheck.
# ipa-healthcheck
ra.get_certificate(): Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x6f0000001f2421fafd6722322500000000001f not found (404)
[
  {
    "source": "ipahealthcheck.dogtag.ca",
    "check": "DogtagCertsConnectivityCheck",
    "result": "ERROR",
    "uuid": "8a663c7d-77f9-4739-8029-c401b113fa5e",
    "when": "20231003134004Z",
    "duration": "0.093615",
    "kw": {
      "key": "cert_show_1",
      "error": "Certificate operation cannot be completed: Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x6f0000001f2421fafd6722322500000000001f not found (404)",
      "serial": "2475382717198593230277736537855912919378690079",
      "msg": "Serial number not found: {error}"
    }
  },
Is this an externally-signed CA? There was a bug in healthcheck that didn't take this case into account. What version of healthcheck do you have?
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertTracking",
    "result": "WARNING",
    "uuid": "3c183bb0-bffc-403a-9899-a59a4d29750b",
    "when": "20231003134009Z",
    "duration": "1.819175",
    "kw": {
      "key": "20230901185953",
      "msg": "certmonger tracking request {key} found and is not expected on an IPA master."
    }
  }
]
You need to see what this tracking request is. It may be perfectly valid for your setup, it just isn't an expected cert: getcert list -i "20230901185953"
rob
Is this an externally-signed CA?
Yes
What version of healthcheck do you have?
0.12-1
I *think* from what I am seeing this cert is valid. Can you confirm?
# getcert list -i "20230901185953"
Number of certificates and requests being tracked: 10.
Request ID '20230901185953':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca cf8380c3-8e91-4bbb-9d29-924cea7134eb',token='NSS FIPS 140-2 Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca cf8380c3-8e91-4bbb-9d29-924cea7134eb',token='NSS FIPS 140-2 Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IDM.EXAMPLE.ORG
        subject: CN=EXAMPLE-CA,DC=example,DC=org
        issued: 2023-04-05 12:54:46 CDT
        expires: 2038-01-06 09:20:42 CST
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        profile: caCACert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca cf8380c3-8e91-4bbb-9d29-924cea7134eb"
        track: yes
        auto-renew: yes
If we both agree this cert is valid, how do I clear the warning message from healthcheck?
Jeremy Tourville via FreeIPA-users wrote:
Is this an externally-signed CA?
Yes
What version of healthcheck do you have?
0.12-1
I *think* from what I am seeing this cert is valid. Can you confirm?
# getcert list -i "20230901185953"
Number of certificates and requests being tracked: 10.
Request ID '20230901185953':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca cf8380c3-8e91-4bbb-9d29-924cea7134eb',token='NSS FIPS 140-2 Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca cf8380c3-8e91-4bbb-9d29-924cea7134eb',token='NSS FIPS 140-2 Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IDM.EXAMPLE.ORG
        subject: CN=EXAMPLE-CA,DC=example,DC=org
        issued: 2023-04-05 12:54:46 CDT
        expires: 2038-01-06 09:20:42 CST
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        profile: caCACert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca cf8380c3-8e91-4bbb-9d29-924cea7134eb"
        track: yes
        auto-renew: yes
This is a sub CA. These are not validated by healthcheck.
If we both agree this cert is valid, how do I clear the warning message from healthcheck?
See the EXCLUDES section in ipahealthcheck.conf(5)
rob
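An added illustration of the EXCLUDES mechanism Rob points to (written for this thread; not ipa-healthcheck's own implementation): it reads an [excludes] section in the ipahealthcheck.conf style, applies it to the JSON report from the thread, and lists what still needs attention. Assumed: the exclude entries match source, check or kw.key exactly, and both the JSON excerpt and the config excerpt are constructed from the thread.

```python
import json

# Constructed excerpt of the ipa-healthcheck JSON report quoted in the thread (two results).
HEALTHCHECK_JSON = """[
 {"source": "ipahealthcheck.dogtag.ca", "check": "DogtagCertsConnectivityCheck",
  "result": "ERROR", "kw": {"key": "cert_show_1",
  "serial": "2475382717198593230277736537855912919378690079",
  "msg": "Serial number not found: {error}"}},
 {"source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking",
  "result": "WARNING", "kw": {"key": "20230901185953",
  "msg": "certmonger tracking request {key} found and is not expected on an IPA master."}}
]"""

# Constructed /etc/ipahealthcheck/ipahealthcheck.conf excerpt: the sub-CA tracking request is
# excluded by its certmonger request id. key=, source= and check= lines may be repeated.
CONF = """[default]
# other settings not shown

[excludes]
key=20230901185953
"""

def parse_excludes(text):
    """Collect repeated key=, source= and check= entries from the [excludes] section."""
    excludes = {"key": set(), "source": set(), "check": set()}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "excludes" and "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            if name in excludes:
                excludes[name].add(value)
    return excludes

def is_excluded(result, excludes):
    """Assumed semantics: an exact match on source, check or kw.key suppresses the result."""
    return (result["source"] in excludes["source"]
            or result["check"] in excludes["check"]
            or result.get("kw", {}).get("key") in excludes["key"])

def remaining_problems(report_json, conf_text):
    """Return (source, check, result, key) for non-SUCCESS results that survive the excludes."""
    excludes = parse_excludes(conf_text)
    return [(r["source"], r["check"], r["result"], r.get("kw", {}).get("key"))
            for r in json.loads(report_json)
            if r["result"] != "SUCCESS" and not is_excluded(r, excludes)]
```

The IPACertTracking warning for the sub-CA disappears, while the DogtagCertsConnectivityCheck error remains: per Rob that one comes from a healthcheck bug with externally-signed CAs, and an exclude would only hide it rather than fix it.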
freeipa-users@lists.fedorahosted.org