Thanks, Rob. Here are the outputs:

certutil -L -d /etc/pki/pki-tomcat/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
DOMAIN.COM IPA CA                                            CTu,Cu,Cu

getcert list -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca'

Number of certificates and requests being tracked: 9.
Request ID '20201221144720':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=DOMAIN.COM
        subject: CN=Certificate Authority,O=DOMAIN.COM
        expires: 2040-12-21 06:51:45 EST
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        profile: caCACert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes

The other thing I tried was ipa-server-upgrade, which does resolve the 2nd failure. It adds the missing tracking. However, if I run ipa-certupdate after that, the error appears again. It appears that ipa-certupdate clears it.

One thing worth mentioning is that I had run ipa-cacert-manage renew earlier. Is this related to it somehow? I'm not entirely sure why there are two certificates with two serial numbers. They both have the same validity dates, only different times. One is off by 1 hour.

On Mon, Dec 21, 2020 at 10:53 AM Rob Crittenden <rcrit...@redhat.com> wrote:

> Prasun Gera via FreeIPA-users wrote:
> > I'm seeing the following two errors on running ipahealthcheck. This is
> > on an up to date RHEL 8.3 system in a 2 server topology with self signed CA.
> >
> > DOMAIN.COM <http://DOMAIN.COM> IPA CA not found, assuming 3rd party
> > DOMAIN.COM <http://DOMAIN.COM> IPA CA not found, assuming 3rd party
>
> I'd need to see the output of certutil -L -d /etc/pki/pki-tomcat/alias/
>
> An expected nickname was not present either in the database or in CS.cfg.
>
> > [
> >   {
> >     "source": "pki.server.healthcheck.meta.csconfig",
> >     "check": "CADogtagCertsConfigCheck",
> >     "result": "ERROR",
> >     "uuid": "da820035-6955-436f-9bf5-bde578b27920",
> >     "when": "20201221130025Z",
> >     "duration": "0.172261",
> >     "kw": {
> >       "key": "ca_signing",
> >       "nickname": "caSigningCert cert-pki-ca",
> >       "directive": "ca.signing.cert",
> >       "configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
> >       "msg": "Certificate 'caSigningCert cert-pki-ca' does not match the value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
> >     }
> >   },
>
> You may be right, perhaps the dogtag checker doesn't check all values of
> the certificate. I'd suggest opening an issue at
> https://github.com/dogtagpki/pki
>
> >   {
> >     "source": "ipahealthcheck.ipa.certs",
> >     "check": "IPACertTracking",
> >     "result": "ERROR",
> >     "uuid": "cfba0bf1-4e4b-40d6-9d26-455bab9c9057",
> >     "when": "20201221130027Z",
> >     "duration": "0.307626",
> >     "kw": {
> >       "key": "cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=caSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"caSigningCert cert-pki-ca\", template-profile=caCACert",
> >       "msg": "Missing tracking for cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=caSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"caSigningCert cert-pki-ca\", template-profile=caCACert"
> >     }
> >   },
> > ...
> > ]
>
> The tracking may differ from what is expected. I'd need to see the
> output of: getcert list -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca'
>
> rob
>
> > 1. This is with a self-signed CA. So I don't know why it has that
> >    assuming 3rd party message.
> > 2. I think this has something to do with the fact
> >    that /etc/pki/pki-tomcat/alias/ has two certs under the nickname
> >    of "caSigningCert cert-pki-ca", (one for each of the masters I
> >    presume), but somehow only 1 cert is tracked in other parts of the
> >    infrastructure. /var/lib/pki/pki-tomcat/ca/conf/CS.cfg lists a
> >    single certificate under ca.signing.cert and there is also a single
> >    entry in LDAP (which is the same as CS.cfg). Is something broken in
> >    my setup?
> >
> > Thanks,
> > Prasun
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
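A check for the mismatch the thread is chasing, added here as an example and not code from the thread, FreeIPA or Dogtag: it reads ca.signing.cert out of CS.cfg, takes every certificate stored under the caSigningCert nickname in the pki-tomcat NSS database, and reports by SHA-256 fingerprint which of them CS.cfg actually points at and which are strays sharing the nickname. The two DER blobs and the CS.cfg fragment are constructed stand-ins so the comparison runs offline; the certutil call assumes it prints one PEM block per certificate that carries the nickname.

```python
import base64
import hashlib
import re
import subprocess

# Paths and nickname as they appear in the thread
NICKNAME = "caSigningCert cert-pki-ca"
NSSDB = "/etc/pki/pki-tomcat/alias"
CS_CFG = "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg"


def cs_cfg_cert(cfg_text, directive="ca.signing.cert"):
    """DER bytes recorded under `directive` in CS.cfg (bare base64, no PEM armour)."""
    for line in cfg_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == directive:
            return base64.b64decode(value.strip())
    raise KeyError(f"{directive} not found in CS.cfg")


def pem_certs(pem_text):
    """DER bytes for every PEM certificate block in `pem_text`, in order."""
    pat = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
    return [base64.b64decode("".join(m.group(1).split())) for m in pat.finditer(pem_text)]


def nssdb_certs(nickname=NICKNAME, dbdir=NSSDB):
    """All certs stored under `nickname`. Assumes certutil -L -n ... -a prints one PEM
    block per cert sharing the nickname; needs the NSS tools, so the sample below skips it."""
    out = subprocess.run(["certutil", "-L", "-d", dbdir, "-n", nickname, "-a"],
                         check=True, capture_output=True, text=True).stdout
    return pem_certs(out)


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def compare(cfg_text, nss_ders):
    """Which NSS certs match the CS.cfg value, and which are strays under the nickname."""
    wanted = fingerprint(cs_cfg_cert(cfg_text))
    found = [fingerprint(d) for d in nss_ders]
    return {"config": wanted,
            "matching": [fp for fp in found if fp == wanted],
            "stray": [fp for fp in found if fp != wanted]}


# Constructed sample: two stand-in blobs under one nickname, only one recorded in CS.cfg
SAMPLE_DER_A = b"constructed DER stand-in A (the cert CS.cfg refers to)"
SAMPLE_DER_B = b"constructed DER stand-in B (the second cert under the nickname)"
SAMPLE_CS_CFG = ("ca.signing.nickname=caSigningCert cert-pki-ca\n"
                 "ca.signing.cert=" + base64.b64encode(SAMPLE_DER_A).decode() + "\n")
SAMPLE_PEM = "".join("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                     % base64.b64encode(d).decode() for d in (SAMPLE_DER_B, SAMPLE_DER_A))

if __name__ == "__main__":
    print(compare(SAMPLE_CS_CFG, pem_certs(SAMPLE_PEM)))
```

On a live server replace the sample with `compare(open(CS_CFG).read(), nssdb_certs())`; a non-empty "stray" list is the duplicate nickname the healthcheck is tripping over.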