Prasun Gera via FreeIPA-users wrote:
> Renaming creates a duplicate. There was already a 'caSigningCert
> cert-pki-ca' present in the db. Now it shows two entries with the same
> nick. This shouldn't happen, right? Should I delete 'DOMAIN.COM IPA CA'
> instead (after restoring /etc/pki/pki-tomcat/alias/)? It had the same
> contents as 'caSigningCert cert-pki-ca'. Here is what it looks like:
> 
> certutil -L -d /etc/pki/pki-tomcat/alias/
> 
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
> 
> Server-Cert cert-pki-ca                                      u,u,u
> subsystemCert cert-pki-ca                                    u,u,u
> auditSigningCert cert-pki-ca                                 u,u,Pu
> ocspSigningCert cert-pki-ca                                  u,u,u
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu

I think that ipa-certupdate was adding the other nickname. I believe
this will prevent that.

rob

> 
> On Tue, Dec 22, 2020 at 10:22 AM Rob Crittenden <[email protected]> wrote:
> 
>     Prasun Gera wrote:
>     > Thanks, Rob. Here are the outputs:
>     >
>     > certutil -L -d /etc/pki/pki-tomcat/alias/
>     >
>     > Certificate Nickname                                         Trust Attributes
>     >                                                              SSL,S/MIME,JAR/XPI
>     >
>     > Server-Cert cert-pki-ca                                      u,u,u
>     > subsystemCert cert-pki-ca                                    u,u,u
>     > auditSigningCert cert-pki-ca                                 u,u,Pu
>     > ocspSigningCert cert-pki-ca                                  u,u,u
>     > caSigningCert cert-pki-ca                                    CTu,Cu,Cu
>     > DOMAIN.COM IPA CA                                            CTu,Cu,Cu
> 
>     That identifies one problem. The nickname that is currently
>     'DOMAIN.COM IPA CA' should be 'caSigningCert cert-pki-ca'.
> 
>     To fix:
> 
>     1. ipa cert-show 1 (output doesn't matter just shouldn't be an error)
>     2. ipactl stop
>     3. backup /etc/pki/pki-tomcat/alias/* someplace safe
>     4. certutil --rename -d /etc/pki/pki-tomcat/alias/ --new-n
>     'caSigningCert cert-pki-ca' -n 'DOMAIN.COM IPA CA'
>     5. ipactl start
>     6. ipa cert-show 1 (again, should return a cert)
> 
>     > getcert list -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca'
>     > Number of certificates and requests being tracked: 9.
>     > Request ID '20201221144720':
>     > status: MONITORING
>     > stuck: no
>     > key pair storage:
>     > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>     > certificate:
>     > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>     > CA: dogtag-ipa-ca-renew-agent
>     > issuer: CN=Certificate Authority,O=DOMAIN.COM
>     > subject: CN=Certificate Authority,O=DOMAIN.COM
>     > expires: 2040-12-21 06:51:45 EST
>     > key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>     > profile: caCACert
>     > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>     > track: yes
>     > auto-renew: yes
>     >
>     > The other thing I tried was ipa-server-upgrade, which does resolve the
>     > 2nd failure. It adds the missing tracking. However, if I run
>     > ipa-certupdate after that, the error appears again. It appears that
>     > ipa-certupdate clears it. One thing worth mentioning is that I had
>     > run ipa-cacert-manage renew earlier. Is this related to it somehow? I'm
>     > not entirely sure why there are two certificates with two serial
>     > numbers. They both have the same validity dates, only different times.
>     > One is off by 1 hour.
> 
>     Interesting. I'm not sure why ipa-certupdate would affect the certmonger
>     tracking. This may also be failing due to the nickname.
> 
>     ipa-cacert-manage renews the CA cert. So you renewed your CA, which is
>     unnecessary this far ahead of expiration. It definitely explains the
>     dogtag healthcheck issue.
> 
>     Doing the rename may fix the ipa-certupdate issue.
> 
>     rob
> 
>     >
>     > On Mon, Dec 21, 2020 at 10:53 AM Rob Crittenden <[email protected]> wrote:
>     >
>     >     Prasun Gera via FreeIPA-users wrote:
>     >     > I'm seeing the following two errors on running ipahealthcheck. This is
>     >     > on an up to date RHEL 8.3 system in a 2 server topology with self
>     >     > signed CA.
>     >     >
>     >     > DOMAIN.COM IPA CA not found, assuming 3rd party
>     >     > DOMAIN.COM IPA CA not found, assuming 3rd party
>     >
>     >     I'd need to see the output of certutil -L -d /etc/pki/pki-tomcat/alias/
>     >
>     >     An expected nickname was not present either in the database or in
>     >     CS.cfg.
>     >
>     >     > [
>     >     >   {
>     >     >     "source": "pki.server.healthcheck.meta.csconfig",
>     >     >     "check": "CADogtagCertsConfigCheck",
>     >     >     "result": "ERROR",
>     >     >     "uuid": "da820035-6955-436f-9bf5-bde578b27920",
>     >     >     "when": "20201221130025Z",
>     >     >     "duration": "0.172261",
>     >     >     "kw": {
>     >     >       "key": "ca_signing",
>     >     >       "nickname": "caSigningCert cert-pki-ca",
>     >     >       "directive": "ca.signing.cert",
>     >     >       "configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
>     >     >       "msg": "Certificate 'caSigningCert cert-pki-ca' does not match the value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
>     >     >     }
>     >     >   },
>     >
>     >     You may be right, perhaps the dogtag checker doesn't check all values of
>     >     the certificate. I'd suggest opening an issue at
>     >     https://github.com/dogtagpki/pki
>     >
>     >     >   {
>     >     >     "source": "ipahealthcheck.ipa.certs",
>     >     >     "check": "IPACertTracking",
>     >     >     "result": "ERROR",
>     >     >     "uuid": "cfba0bf1-4e4b-40d6-9d26-455bab9c9057",
>     >     >     "when": "20201221130027Z",
>     >     >     "duration": "0.307626",
>     >     >     "kw": {
>     >     >       "key": "cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=caSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"caSigningCert cert-pki-ca\", template-profile=caCACert",
>     >     >       "msg": "Missing tracking for cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=caSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"caSigningCert cert-pki-ca\", template-profile=caCACert"
>     >     >     }
>     >     >   },
>     >     > ...
>     >     > ]
>     >
>     >     The tracking may differ from what is expected. I'd need to see the
>     >     output of: getcert list -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca'
>     >
>     >     rob
>     >
>     >     >  1. This is with a self-signed CA. So I don't know why it has that
>     >     >     assuming 3rd party message.
>     >     >  2. I think this has something to do with the fact
>     >     >     that /etc/pki/pki-tomcat/alias/ has two certs under the nickname
>     >     >     of "caSigningCert cert-pki-ca", (one for each of the masters I
>     >     >     presume), but somehow only 1 cert is tracked in other parts of the
>     >     >     infrastructure. /var/lib/pki/pki-tomcat/ca/conf/CS.cfg lists a
>     >     >     single certificate under ca.signing.cert and there is also a single
>     >     >     entry in LDAP (which is the same as CS.cfg). Is something broken in
>     >     >     my setup?
>     >     >
>     >     > Thanks,
>     >     > Prasun
>     >     >
>     >     > _______________________________________________
>     >     > FreeIPA-users mailing list --
>     [email protected]
>     <mailto:[email protected]>
>     >     <mailto:[email protected]
>     <mailto:[email protected]>>
>     >     > To unsubscribe send an email to
>     >     [email protected]
>     <mailto:[email protected]>
>     >     <mailto:[email protected]
>     <mailto:[email protected]>>
>     >     > Fedora Code of Conduct:
>     >     https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>     >     > List Guidelines:
>     >     https://fedoraproject.org/wiki/Mailing_list_guidelines
>     >     > List Archives:
>     >   
>      
> https://lists.fedorahosted.org/archives/list/[email protected]
>     >     >
>     >
> 
> 
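The two states discussed in this thread (a CA cert stored under the wrong nickname, then two entries under the expected nickname after the rename) can be spotted from the `certutil -L` listing alone, before the full health check runs. The script below is an added example, not code from FreeIPA, ipa-healthcheck or Dogtag: it parses constructed `certutil -L` listings modelled on the ones quoted above plus a constructed CS.cfg fragment, and reports duplicate nicknames, a missing CA nickname, a CS.cfg `ca.signing.cert` value that matches none of the certs held under the CA nickname (what `CADogtagCertsConfigCheck` reports), and a CA entry whose SSL trust column lacks `C`. The `ca.signing.nickname` key, the placeholder certificate values and the `db_certs` mapping (standing in for what `certutil -L -n <nick> -a` would export per entry) are assumptions made for the example.

```python
"""Consistency check of an NSS cert DB listing against Dogtag's CS.cfg.

Added example, not FreeIPA/ipa-healthcheck/Dogtag code. All inputs are
constructed to mirror the thread; certificate bodies are placeholders.
"""
import re
from collections import Counter

EXPECTED_CA_NICK = "caSigningCert cert-pki-ca"
VALID_TRUST_FLAGS = set("pPcCTu")        # flags certutil accepts per column
_ENTRY_RE = re.compile(r"^(.*?)\s{2,}(\S+)$")   # "<nickname>  <trust>"


def parse_certutil_listing(text):
    """Return [(nickname, trust), ...] from `certutil -L -d <dir>` output."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Certificate Nickname"):
            continue                      # blank line or header
        m = _ENTRY_RE.match(line)
        if not m or not m.group(1).strip():
            continue                      # column legend, no nickname
        entries.append((m.group(1).strip(), m.group(2)))
    return entries


def parse_cs_cfg(text):
    """Parse key=value lines of a CS.cfg fragment into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def trust_problems(nickname, trust, is_ca=False):
    """Validate a 'SSL,S/MIME,JAR/XPI' trust string; return findings."""
    fields = trust.split(",")
    if len(fields) != 3 or any(set(f) - VALID_TRUST_FLAGS for f in fields):
        return [f"malformed trust string {trust!r} on {nickname!r}"]
    if is_ca and "C" not in fields[0]:
        return [f"CA {nickname!r} lacks 'C' in its SSL trust flags ({fields[0]!r})"]
    return []


def check_ca_signing(entries, cs_cfg, db_certs):
    """Return findings (empty list == consistent).

    db_certs maps nickname -> list of base64 cert bodies (assumed stand-in for
    `certutil -L -d <dir> -n <nick> -a` output; a renewed CA yields two).
    """
    findings = []
    counts = Counter(nick for nick, _ in entries)
    for nick, n in sorted(counts.items()):
        if n > 1:
            findings.append(f"duplicate nickname {nick!r} appears {n} times")
    ca_nick = cs_cfg.get("ca.signing.nickname", EXPECTED_CA_NICK)  # assumed key
    for nick, trust in entries:
        findings.extend(trust_problems(nick, trust, is_ca=(nick == ca_nick)))
    if ca_nick not in counts:
        findings.append(f"CA nickname {ca_nick!r} not present in NSS database")
        return findings                   # nothing further to compare
    cfg_cert = cs_cfg.get("ca.signing.cert")
    if cfg_cert is not None and cfg_cert not in db_certs.get(ca_nick, []):
        findings.append(f"ca.signing.cert in CS.cfg matches none of the certs under {ca_nick!r}")
    return findings


# ---- constructed inputs modelled on the thread ----
CS_CFG = """\
ca.signing.nickname=caSigningCert cert-pki-ca
ca.signing.tokenname=internal
ca.signing.cert=PLACEHOLDER-BASE64-RENEWED-CA-CERT
"""
COMMON_ENTRIES = (
    "Certificate Nickname                                         Trust Attributes\n"
    "                                                             SSL,S/MIME,JAR/XPI\n\n"
    "Server-Cert cert-pki-ca                                      u,u,u\n"
    "subsystemCert cert-pki-ca                                    u,u,u\n"
    "auditSigningCert cert-pki-ca                                 u,u,Pu\n"
    "ocspSigningCert cert-pki-ca                                  u,u,u\n"
)
CA_LINE = "caSigningCert cert-pki-ca                                    CTu,Cu,Cu\n"
LISTING_BEFORE_RENAME = COMMON_ENTRIES + "DOMAIN.COM IPA CA                                            CTu,Cu,Cu\n"
LISTING_AFTER_RENAME = COMMON_ENTRIES + CA_LINE + CA_LINE
LISTING_CLEAN = COMMON_ENTRIES + CA_LINE
DB_BEFORE = {"DOMAIN.COM IPA CA": ["PLACEHOLDER-BASE64-RENEWED-CA-CERT"]}
DB_AFTER = {EXPECTED_CA_NICK: ["PLACEHOLDER-BASE64-ORIGINAL-CA-CERT",
                               "PLACEHOLDER-BASE64-RENEWED-CA-CERT"]}
DB_CLEAN = {EXPECTED_CA_NICK: ["PLACEHOLDER-BASE64-RENEWED-CA-CERT"]}


def audit(listing, db_certs, cs_cfg_text=CS_CFG):
    """Parse both inputs and run the consistency check."""
    return check_ca_signing(parse_certutil_listing(listing),
                            parse_cs_cfg(cs_cfg_text), db_certs)


if __name__ == "__main__":
    for name, listing, db in [("before rename", LISTING_BEFORE_RENAME, DB_BEFORE),
                              ("after rename", LISTING_AFTER_RENAME, DB_AFTER),
                              ("clean", LISTING_CLEAN, DB_CLEAN)]:
        print(f"{name}: {audit(listing, db) or 'OK'}")
```

On a real server the listing would come from `certutil -L -d /etc/pki/pki-tomcat/alias/` and the per-nickname certificate bodies from `certutil -L -d <dir> -n <nick> -a`; a duplicate-nickname finding after a rename is the cue to restore the backed-up alias directory rather than delete entries by hand, since `certutil -D -n <nick>` cannot distinguish two certs that share a nickname.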