Hi guys.
According to 'ipa-healthcheck' there are lots of problems with my IPA ...

  "key": "cert-file=/var/lib/ipa/ra-agent.pem, key-file=/var/lib/ipa/ra-agent.key, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/renew_ra_cert_pre, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ra_cert",
  "msg": "Expected certmonger tracking is missing for {key}. Automated renewal will not happen for this certificate"
...
  "key": "cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=auditSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca", template-profile=caSignedLogCert",
  "msg": "Expected certmonger tracking is missing for {key}. Automated renewal will not happen for this certificate"
...
...
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertDNSSAN",
    "result": "ERROR",
    "uuid": "1f431916-88ae-4cf0-8dd1-c55914cf3801",
    "when": "20220315184602Z",
    "duration": "0.178625",
    "kw": {
      "key": null,
      "msg": "Found request id {key} but it is not trackedby certmonger!?"
    }
  },
...
'ipa-restore' does not seem to fix anything there. What happens there and, more importantly, how to troubleshoot/fix?
Many thanks,
L.
lejeczek via FreeIPA-users wrote:
> Hi guys.
> According to 'ipa-healthcheck' there are lots of problems with my IPA ...
> [...]
> 'ipa-restore' does not seem to fix anything there.
First, ipa-restore is a last resort and should be used with extreme care. It does things like disable all replication agreements so all other servers need to re-initialize.
> What happens there and more importantly, how to troubleshoot/fix?
Not a certmonger problem.
ipa-healthcheck knows what certificates should be tracked by certmonger and some are not showing up. This error is a *GOOD* thing because it's warning you that your CA will break at renewal time if you don't act.
ipa-healthcheck apparently has a bug where it should be throwing an error that tracking is missing altogether, not one with a null key.
ipa-server-upgrade should repair any broken tracking.
rob
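As an added example, not code from this thread or from the FreeIPA project: the check Rob describes can be reproduced by hand, so an admin can confirm the state before and after running ipa-server-upgrade. The script parses the two expected tracking "key" strings that ipa-healthcheck printed above, parses `getcert list` output into the same vocabulary, and reports which expected requests have no matching certmonger entry. The `getcert list` output below is constructed for the example (one tracked RA agent cert, one unrelated directory server cert, and no audit signing cert), and `template-profile` is left out of the comparison because this sample output does not carry it.

```python
import re
import shutil
import subprocess

# The two tracking keys ipa-healthcheck reported in the thread above.
EXPECTED_KEYS = [
    "cert-file=/var/lib/ipa/ra-agent.pem, key-file=/var/lib/ipa/ra-agent.key, "
    "ca-name=dogtag-ipa-ca-renew-agent, "
    "cert-presave-command=/usr/libexec/ipa/certmonger/renew_ra_cert_pre, "
    "cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ra_cert",
    "cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=auditSigningCert cert-pki-ca, "
    "ca-name=dogtag-ipa-ca-renew-agent, "
    "cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, "
    "cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"auditSigningCert cert-pki-ca\", "
    "template-profile=caSignedLogCert",
]

# Constructed sample of `getcert list` output (not captured from a real server).
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20220101120000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
\tcertificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=IPA RA,O=EXAMPLE.TEST
\texpires: 2024-01-01 12:00:00 UTC
\tpre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
\tpost-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
\ttrack: yes
\tauto-renew: yes
Request ID '20220101120001':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2024-01-01 12:00:00 UTC
\tpost-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-TEST
\ttrack: yes
\tauto-renew: yes
"""

# Fields compared between an expected key and a tracked request.
COMPARED_FIELDS = ("cert-file", "key-file", "cert-database", "cert-nickname",
                   "ca-name", "cert-presave-command", "cert-postsave-command")


def parse_expected(key):
    """Turn 'opt=value, opt=value' (healthcheck key format) into a dict.
    Values may contain spaces and quotes, so split only before 'opt='."""
    return dict(part.split("=", 1) for part in re.split(r",\s+(?=[a-z-]+=)", key))


def parse_getcert_list(text):
    """Split `getcert list` output into one dict of 'field: value' per request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue
        field, _, value = line.strip().partition(":")
        current[field.strip()] = value.strip()
    return requests


def storage_attrs(value):
    """Parse "type=NSSDB,location='...',nickname='...'" into a dict."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in re.finditer(r"(\w+)=('([^']*)'|[^,]*)", value)}


def request_to_key(req):
    """Express a tracked request in the same field names healthcheck uses."""
    cert = storage_attrs(req.get("certificate", ""))
    keypair = storage_attrs(req.get("key pair storage", ""))
    out = {"ca-name": req.get("CA", "")}
    if cert.get("type") == "NSSDB":
        out["cert-database"] = cert.get("location", "")
        out["cert-nickname"] = cert.get("nickname", "")
    else:
        out["cert-file"] = cert.get("location", "")
        out["key-file"] = keypair.get("location", "")
    if req.get("pre-save command"):
        out["cert-presave-command"] = req["pre-save command"]
    if req.get("post-save command"):
        out["cert-postsave-command"] = req["post-save command"]
    return out


def matches(expected, tracked):
    return all(tracked.get(f) == expected[f] for f in COMPARED_FIELDS if f in expected)


def missing_tracking(expected_keys, getcert_output):
    """Return the expected keys that no tracked certmonger request satisfies."""
    tracked = [request_to_key(r) for r in parse_getcert_list(getcert_output)]
    return [k for k in expected_keys
            if not any(matches(parse_expected(k), t) for t in tracked)]


if __name__ == "__main__":
    # On an IPA server read the real tracking state; otherwise use the sample.
    if shutil.which("getcert"):
        output = subprocess.run(["getcert", "list"], capture_output=True,
                                text=True, check=False).stdout
    else:
        output = SAMPLE_GETCERT_LIST
    for key in missing_tracking(EXPECTED_KEYS, output):
        print("MISSING certmonger tracking:", key)
```

Run against the constructed sample it reports the audit signing certificate as untracked and stays silent about the RA agent certificate, which is exactly the distinction healthcheck draws. On a real server an entry that is reported missing is the one to repair with ipa-server-upgrade, as the reply above recommends, rather than by hand-editing certmonger's request files.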
freeipa-users@lists.fedorahosted.org