Prasun Gera via FreeIPA-users wrote:
> I'm seeing the following two errors on running ipahealthcheck. This is
> on an up to date RHEL 8.3 system in a 2 server topology with self signed CA.
> 
> DOMAIN.COM IPA CA not found, assuming 3rd party
> DOMAIN.COM IPA CA not found, assuming 3rd party

I'd need to see the output of certutil -L -d /etc/pki/pki-tomcat/alias/

An expected nickname was not present either in the database or in CS.cfg.

> [
>   {
>     "source": "pki.server.healthcheck.meta.csconfig",
>     "check": "CADogtagCertsConfigCheck",
>     "result": "ERROR",
>     "uuid": "da820035-6955-436f-9bf5-bde578b27920",
>     "when": "20201221130025Z",
>     "duration": "0.172261",
>     "kw": {
>       "key": "ca_signing",
>       "nickname": "caSigningCert cert-pki-ca",
>       "directive": "ca.signing.cert",
>       "configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
>       "msg": "Certificate 'caSigningCert cert-pki-ca' does not match the
> value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
>     }
>   },

You may be right, perhaps the dogtag checker doesn't check all values of
the certificate. I'd suggest opening an issue at
https://github.com/dogtagpki/pki

>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertTracking",
>     "result": "ERROR",
>     "uuid": "cfba0bf1-4e4b-40d6-9d26-455bab9c9057",
>     "when": "20201221130027Z",
>     "duration": "0.307626",
>     "kw": {
>       "key": "cert-database=/etc/pki/pki-tomcat/alias,
> cert-nickname=caSigningCert cert-pki-ca,
> ca-name=dogtag-ipa-ca-renew-agent,
> cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad,
> cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert
> \"caSigningCert cert-pki-ca\", template-profile=caCACert",
>       "msg": "Missing tracking for
> cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=caSigningCert
> cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent,
> cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad,
> cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert
> \"caSigningCert cert-pki-ca\", template-profile=caCACert"
>     }
>   },
> ...
> ]

The tracking may differ from what is expected. I'd need to see the
output of: getcert list -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca'

rob

>  1. This is with a self-signed CA. So I don't know why it has that
>     assuming 3rd party message.
>  2. I think this has something to do with the fact
>     that /etc/pki/pki-tomcat/alias/ has two certs under the nickname
>     of "caSigningCert cert-pki-ca", (one for each of the masters I
>     presume), but somehow only 1 cert is tracked in other parts of the
>     infrastructure. /var/lib/pki/pki-tomcat/ca/conf/CS.cfg lists a
>     single certificate under ca.signing.cert and there is also a single
>     entry in LDAP (which is the same as CS.cfg). Is something broken in
>     my setup?
> 
> Thanks,
> Prasun
> 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]

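Rob asks for two things: the nickname listing of the NSS database and the tracking/certificate state for 'caSigningCert cert-pki-ca', so that the value of ca.signing.cert in CS.cfg can be compared with what actually sits under that nickname (and so that the "two certs under one nickname" situation Prasun describes shows up). Below is an added example that reproduces that cross-check offline; it is not code from FreeIPA, Dogtag or this thread. The certutil listing, the CS.cfg excerpt and the certificate bodies are constructed sample data (the base64 strings are placeholders, not real certificates); the commands in REAL_COMMANDS are the ones whose real output the functions would consume, and the assumption that `certutil -L -n NICK -a` prints one PEM block per certificate stored under that nickname is what makes the "matches first vs. matches any" distinction meaningful.

```python
"""Offline cross-check of an NSS database listing, CS.cfg and a PEM dump for one
CA signing nickname.  Added example, not FreeIPA/Dogtag code; all data below is
constructed (the base64 bodies are placeholders, not real certificates)."""
import re
from typing import Dict, List

NICKNAME = "caSigningCert cert-pki-ca"
DIRECTIVE = "ca.signing.cert"
DBDIR = "/etc/pki/pki-tomcat/alias/"

# The commands from the thread whose output the parsers below expect.
REAL_COMMANDS = [
    f"certutil -L -d {DBDIR}",
    f"certutil -L -d {DBDIR} -n '{NICKNAME}' -a",  # PEM for every cert under the nickname
    f"getcert list -d {DBDIR} -n '{NICKNAME}'",    # certmonger tracking for the nickname
]

# Constructed placeholders standing in for base64 DER (not real certificates).
CERT_A = "MIICAAAAconstructedCertA=="
CERT_B = "MIICBBBBconstructedCertB=="

# Constructed `certutil -L` output: the CA nickname appears twice, as in the thread.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
Server-Cert cert-pki-ca                                      u,u,u
"""

# Constructed `certutil -L -n NICK -a` output: one PEM block per stored cert.
SAMPLE_PEM = (f"-----BEGIN CERTIFICATE-----\n{CERT_A}\n-----END CERTIFICATE-----\n"
              f"-----BEGIN CERTIFICATE-----\n{CERT_B}\n-----END CERTIFICATE-----\n")

# Constructed excerpt of /var/lib/pki/pki-tomcat/ca/conf/CS.cfg: points at the second cert.
SAMPLE_CS_CFG = f"# constructed CS.cfg excerpt\n{DIRECTIVE}={CERT_B}\n"

# A listing row ends in a trust column such as "CTu,Cu,Cu" or "u,u,u".
_ROW_RE = re.compile(r"^(?P<nick>.*?)\s{2,}(?P<trust>[CTcpPuw]*,[CTcpPuw]*,[CTcpPuw]*)\s*$")
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def parse_certutil_listing(listing: str) -> List[str]:
    """Nicknames in the order certutil -L prints them, one entry per certificate."""
    nicks = []
    for line in listing.splitlines():
        m = _ROW_RE.match(line)
        if m and m.group("nick").strip():
            nicks.append(m.group("nick").strip())
    return nicks


def duplicate_nicknames(nicks: List[str]) -> Dict[str, int]:
    """Nicknames that appear more than once, with their counts."""
    counts: Dict[str, int] = {}
    for n in nicks:
        counts[n] = counts.get(n, 0) + 1
    return {n: c for n, c in counts.items() if c > 1}


def cs_cfg_value(cfg_text: str, directive: str) -> str:
    """Value of a key=value directive in CS.cfg (whitespace stripped); KeyError if absent."""
    for line in cfg_text.splitlines():
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip() == directive:
            return "".join(value.split())
    raise KeyError(directive)


def pem_bodies(pem_text: str) -> List[str]:
    """Base64 body of every PEM certificate block, whitespace removed."""
    return ["".join(body.split()) for body in _PEM_RE.findall(pem_text)]


def diagnose(listing: str, cfg_text: str, pem_text: str,
             nickname: str = NICKNAME, directive: str = DIRECTIVE) -> Dict[str, object]:
    """Cross-check listing, CS.cfg and PEM dump for one nickname; findings are human-readable."""
    nicks = parse_certutil_listing(listing)
    bodies = pem_bodies(pem_text)
    cfg_cert = cs_cfg_value(cfg_text, directive)
    report: Dict[str, object] = {
        "nickname_in_db": nickname in nicks,
        "copies_under_nickname": nicks.count(nickname),
        "cfg_matches_first_db_cert": bool(bodies) and bodies[0] == cfg_cert,
        "cfg_matches_any_db_cert": cfg_cert in bodies,
        "findings": [],
    }
    findings: List[str] = report["findings"]  # type: ignore[assignment]
    if not report["nickname_in_db"]:
        findings.append(f"nickname '{nickname}' missing from NSS database")
    if nicks.count(nickname) > 1:
        findings.append(f"{nicks.count(nickname)} certificates share nickname '{nickname}'; "
                        "a checker that reads only the first one may compare the wrong cert")
    if not report["cfg_matches_any_db_cert"]:
        findings.append(f"{directive} matches no certificate under '{nickname}'")
    return report


if __name__ == "__main__":
    for cmd in REAL_COMMANDS:
        print("capture output of:", cmd)
    for key, val in diagnose(SAMPLE_LISTING, SAMPLE_CS_CFG, SAMPLE_PEM).items():
        print(f"{key}: {val}")
```

On the constructed data the report says the nickname is present twice, CS.cfg's value matches the second certificate but not the first, and the one finding is the duplicate nickname. That is the pattern to look for when a healthcheck reports a CS.cfg mismatch against a database that really does contain the configured certificate: the mismatch is with whichever copy the checker happened to read, not with the database as a whole.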