Hi, Rob.
Just to be clear: we get the same error on all three IPA servers in the domain when
running health-check. All three are CA servers, and one is the renewal master. We should
run ipa-server-upgrade on all three?
Thanks,
Scott.
-----Original Message-----
From: Rob Crittenden <rcritten(a)redhat.com>
Sent: Monday, April 5, 2021 12:51 PM
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Dungan, Scott A. <sdungan(a)caltech.edu>
Subject: Re: [Freeipa-users] ipa-healthcheck error
Dungan, Scott A. via FreeIPA-users wrote:
When running an ipa-healthcheck we are seeing one "ERROR" condition
under the ipahealthcheck.ipa.certs section:
{
  "source": "ipahealthcheck.ipa.certs",
  "check": "IPACertTracking",
  "result": "ERROR",
  "uuid": "df8e46a4-427b-4b40-8db8-e09633d6d903",
  "when": "20210405174840Z",
  "duration": "1.014180",
  "kw": {
    "key": "cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=caSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"caSigningCert cert-pki-ca\", template-profile=caCACert",
    "msg": "Missing tracking for cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=caSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"caSigningCert cert-pki-ca\", template-profile=caCACert"
  }
},
I am not sure what to do about this or where to look for more
information. Any help pointing me in the right direction would be much
appreciated.
This means that you have a CA configured on the server but the IPA CA signing cert
isn't tracked by certmonger. Running ipa-server-upgrade should fix it.
rob
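
Added example, not part of the thread and not FreeIPA code: a Python triage helper for saved ipa-healthcheck JSON reports from several servers. It parses the IPACertTracking "key" string quoted above and lists which hosts are missing tracking for which certificate, before and after running ipa-server-upgrade. The host names and the SUCCESS entry are constructed for the example.

```python
import json
import re

# The "key" string quoted in the thread (certmonger tracking criteria).
KEY = ('cert-database=/etc/pki/pki-tomcat/alias, '
       'cert-nickname=caSigningCert cert-pki-ca, '
       'ca-name=dogtag-ipa-ca-renew-agent, '
       'cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, '
       'cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert '
       '"caSigningCert cert-pki-ca", template-profile=caCACert')

# Constructed report: the ERROR entry mirrors the thread, the SUCCESS entry is made up.
REPORT = json.dumps([
    {"source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking",
     "result": "SUCCESS", "kw": {"key": "constructed-request-id"}},
    {"source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking",
     "result": "ERROR", "kw": {"key": KEY, "msg": "Missing tracking for " + KEY}},
])

# Split on commas that are outside double quotes.
_COMMA = re.compile(r',\s*(?=(?:[^"]*"[^"]*")*[^"]*$)')


def parse_criteria(key):
    """Turn 'a=b, c=d "e f"' into a dict; values keep embedded spaces and quotes."""
    pairs = (item.partition("=") for item in _COMMA.split(key) if item.strip())
    return {name.strip(): value.strip() for name, _, value in pairs}


def missing_tracking(report_json):
    """Return parsed criteria for every IPACertTracking ERROR in one report."""
    return [
        parse_criteria(r.get("kw", {}).get("key", ""))
        for r in json.loads(report_json)
        if r.get("source") == "ipahealthcheck.ipa.certs"
        and r.get("check") == "IPACertTracking"
        and r.get("result") == "ERROR"
    ]


def untracked_by_host(reports):
    """Map certificate nickname -> sorted hosts whose report lacks tracking for it."""
    hosts = {}
    for host, text in reports.items():
        for crit in missing_tracking(text):
            hosts.setdefault(crit.get("cert-nickname", "?"), []).append(host)
    return {nick: sorted(h) for nick, h in hosts.items()}


if __name__ == "__main__":
    # Host names are placeholders, not from the thread.
    print(untracked_by_host({"ipa1.example.test": REPORT, "ipa2.example.test": REPORT}))
```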