I'm seeing the following two errors on running ipahealthcheck. This is on an up-to-date RHEL 8.3 system in a two-server topology with a self-signed CA.
DOMAIN.COM IPA CA not found, assuming 3rd party
DOMAIN.COM IPA CA not found, assuming 3rd party
[
  {
    "source": "pki.server.healthcheck.meta.csconfig",
    "check": "CADogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "da820035-6955-436f-9bf5-bde578b27920",
    "when": "20201221130025Z",
    "duration": "0.172261",
    "kw": {
      "key": "ca_signing",
      "nickname": "caSigningCert cert-pki-ca",
      "directive": "ca.signing.cert",
      "configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
      "msg": "Certificate 'caSigningCert cert-pki-ca' does not match the value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertTracking",
    "result": "ERROR",
    "uuid": "cfba0bf1-4e4b-40d6-9d26-455bab9c9057",
    "when": "20201221130027Z",
    "duration": "0.307626",
    "kw": {
      "key": "cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=caSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"caSigningCert cert-pki-ca\", template-profile=caCACert",
      "msg": "Missing tracking for cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=caSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"caSigningCert cert-pki-ca\", template-profile=caCACert"
    }
  },
  ...
]

1. This is with a self-signed CA. So I don't know why it has that "assuming 3rd party" message.

2. I think this has something to do with the fact that /etc/pki/pki-tomcat/alias/ has two certs under the nickname of "caSigningCert cert-pki-ca" (one for each of the masters, I presume), but somehow only 1 cert is tracked in other parts of the infrastructure. /var/lib/pki/pki-tomcat/ca/conf/CS.cfg lists a single certificate under ca.signing.cert and there is also a single entry in LDAP (which is the same as CS.cfg).

Is something broken in my setup?
Thanks, Prasun
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
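The first error above is a comparison between the certificate stored under the nickname in the NSS database and the base64 value of the ca.signing.cert directive in CS.cfg. The script below is an added diagnostic example, not code from the post or from ipa-healthcheck/FreeIPA, that shows why a duplicate nickname can produce such a mismatch: it parses a CS.cfg-style directive, splits the multi-block PEM output that certutil prints when several certificates share a nickname, and reports which of them (by SHA-256 of the DER bytes) is the one CS.cfg actually points at. The CS.cfg fragment and the "certificates" are constructed stand-ins (short byte strings, not real X.509 data); on a real server you would feed it the actual /var/lib/pki/pki-tomcat/ca/conf/CS.cfg and the output of `certutil -L -d /etc/pki/pki-tomcat/alias -n "caSigningCert cert-pki-ca" -a`.

```python
import base64
import hashlib
import re
from typing import Dict, List

# Constructed sample inputs (placeholders, not real certificates). Each
# "certificate" is a short byte string base64-encoded the way CS.cfg stores
# ca.signing.cert: one long base64 line with no PEM armour.
CERT_A = base64.b64encode(b"constructed-cert-A-master1").decode()
CERT_B = base64.b64encode(b"constructed-cert-B-master2").decode()

# Constructed CS.cfg fragment: the directive we care about plus unrelated keys.
SAMPLE_CS_CFG = f"""\
ca.signing.nickname=caSigningCert cert-pki-ca
ca.signing.cert={CERT_A}
ca.sslserver.nickname=Server-Cert cert-pki-ca
"""

# Constructed stand-in for `certutil -L -d <db> -n <nick> -a` output when two
# certificates share one nickname: one PEM block per certificate, and the one
# CS.cfg points at is not listed first.
SAMPLE_CERTUTIL_OUTPUT = (
    "-----BEGIN CERTIFICATE-----\n" + CERT_B + "\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n" + CERT_A + "\n-----END CERTIFICATE-----\n"
)

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER bytes: the identity we compare certificates on."""
    return hashlib.sha256(der).hexdigest()


def cs_cfg_cert(cs_cfg_text: str, directive: str = "ca.signing.cert") -> bytes:
    """Return the DER bytes stored under `directive` in CS.cfg-style text."""
    for line in cs_cfg_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == directive:
            return base64.b64decode(value.strip())
    raise KeyError(f"{directive} not present in CS.cfg")


def pem_blocks_to_der(pem_text: str) -> List[bytes]:
    """Split concatenated PEM output into the DER bytes of each certificate."""
    return [base64.b64decode(re.sub(r"\s+", "", m.group(1)))
            for m in PEM_BLOCK.finditer(pem_text)]


def compare_nickname(cs_cfg_text: str, certutil_output: str) -> Dict[str, object]:
    """Does the certificate the NSS db holds under the nickname match
    ca.signing.cert?  With duplicates under one nickname, report which of them
    (if any) is the one CS.cfg points at, and whether a tool that only looks
    at the first certificate for the nickname would see a mismatch."""
    expected = fingerprint(cs_cfg_cert(cs_cfg_text))
    found = [fingerprint(der) for der in pem_blocks_to_der(certutil_output)]
    return {
        "cs_cfg_fingerprint": expected,
        "nss_fingerprints": found,
        "duplicate_nickname": len(found) > 1,
        "matching_index": found.index(expected) if expected in found else None,
        "first_cert_matches": bool(found) and found[0] == expected,
    }


if __name__ == "__main__":
    for key, value in compare_nickname(SAMPLE_CS_CFG, SAMPLE_CERTUTIL_OUTPUT).items():
        print(f"{key}: {value}")
```

With the constructed inputs the CS.cfg certificate is present in the database but is the second entry under the nickname, so `duplicate_nickname` is true, `matching_index` is 1 and `first_cert_matches` is false: the configuration and the database agree on a certificate, yet any consumer that resolves the nickname to a single certificate can pick the other one. That is the situation worth confirming on the real files before deciding which of the two certificates under "caSigningCert cert-pki-ca" is the stale one.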