Prasun Gera via FreeIPA-users wrote: > Thanks. That has fixed a part of the problem. I did the rename followed > by ipa-certupdate, which clears the duplicate nickname. It also shows > only a single value under the nickname now. I don't see the CS.cfg error > anymore. However, something is still not right with certupdate and > tracking. After certupdate, I get the tracking error in healthcheck. If > I do ipa-server-upgrade, it fixes the tracking and also prints this: > "Missing or incorrect tracking request for certificates: > /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca" > after which healthcheck reports no errors. Running certupdate brings the > error back.
To close the loop on this I was able to reproduce this and opened https://pagure.io/freeipa/issue/8644 . A PR to fix this has been submitted upstream. rob > > On Wed, Dec 23, 2020 at 10:04 AM Rob Crittenden <[email protected] > <mailto:[email protected]>> wrote: > > Prasun Gera via FreeIPA-users wrote: > > Renaming creates a duplicate. There was already a 'caSigningCert > > cert-pki-ca' present in the db. Now it shows two entries with the same > > nick. This shouldn't happen, right ? Should I delete 'DOMAIN.COM > <http://DOMAIN.COM> > > <http://domain.com/> IPA CA' instead (after restoring > > /etc/pki/pki-tomcat/alias/)? It had the same contents > as 'caSigningCert > > cert-pki-ca'. Here is what it looks like: > > > > certutil -L -d /etc/pki/pki-tomcat/alias/ > > > > Certificate Nickname Trust > > Attributes > > > > SSL,S/MIME,JAR/XPI > > > > Server-Cert cert-pki-ca u,u,u > > subsystemCert cert-pki-ca u,u,u > > auditSigningCert cert-pki-ca u,u,Pu > > ocspSigningCert cert-pki-ca u,u,u > > caSigningCert cert-pki-ca CTu,Cu,Cu > > caSigningCert cert-pki-ca CTu,Cu,Cu > > I think that ipa-certupdate was adding the other nickname. I believe > this will prevent that. > > rob > > > > > On Tue, Dec 22, 2020 at 10:22 AM Rob Crittenden > <[email protected] <mailto:[email protected]> > > <mailto:[email protected] <mailto:[email protected]>>> wrote: > > > > Prasun Gera wrote: > > > Thanks, Rob. Here are the outputs: > > > > > > certutil -L -d /etc/pki/pki-tomcat/alias/ > > > > > > Certificate Nickname > Trust > > > Attributes > > > > > > SSL,S/MIME,JAR/XPI > > > > > > Server-Cert cert-pki-ca > u,u,u > > > subsystemCert cert-pki-ca > u,u,u > > > auditSigningCert cert-pki-ca > u,u,Pu > > > ocspSigningCert cert-pki-ca > u,u,u > > > caSigningCert cert-pki-ca > CTu,Cu,Cu > > > DOMAIN.COM <http://DOMAIN.COM> <http://DOMAIN.COM> > <http://DOMAIN.COM> IPA CA > > > > > CTu,Cu,Cu > > > > That identifies one problem. The nickname that is currently > > 'DOMAIN.COM <http://DOMAIN.COM> <http://DOMAIN.COM> > > IPA CA' should be 'caSigningCert cert-pki-ca'. > > > > To fix: > > > > 1. ipa cert-show 1 (output doesn't matter just shouldn't be an > error) > > 2. ipactl stop > > 3. backup /etc/pki/pki-tomcat/alias/* someplace safe > > 4. certutil --rename -d /etc/pki/pki-tomcat/alias/ --new-n > > 'caSigningCert cert-pki-ca' -n 'DOMAIN.COM <http://DOMAIN.COM> > <http://DOMAIN.COM> IPA CA' > > 5. ipactl start > > 6. ipa cert-show 1 (again, should return a cert) > > > > > getcert list -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert > > cert-pki-ca' > > > Number of certificates and requests being tracked: 9. > > > Request ID '20201221144720': > > > status: MONITORING > > > stuck: no > > > key pair storage: > > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > > > cert-pki-ca',token='NSS Certificate DB',pin set > > > certificate: > > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > > > cert-pki-ca',token='NSS Certificate DB' > > > CA: dogtag-ipa-ca-renew-agent > > > issuer: CN=Certificate Authority,O=DOMAIN.COM > <http://DOMAIN.COM> <http://DOMAIN.COM> > > <http://DOMAIN.COM> > > > subject: CN=Certificate Authority,O=DOMAIN.COM > <http://DOMAIN.COM> <http://DOMAIN.COM> > > <http://DOMAIN.COM> > > > expires: 2040-12-21 06:51:45 EST > > > key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign > > > profile: caCACert > > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > > > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > > > "caSigningCert cert-pki-ca" > > > track: yes > > > auto-renew: yes > > > > > > The other thing I tried was ipa-server-upgrade, which does > resolve the > > > 2nd failure. It adds the missing tracking. However, if I run > > > ipa-certupdate after that, the error appears again. It > appears that > > > ipa-certupdate clears it. One thing worth mentioning is that > I had > > > run ipa-cacert-manage renew earlier. Is this related to it > somehow > > ? I'm > > > not entirely sure why there are two certificates with two serial > > > numbers. They both have the same validity dates, only > different times. > > > One is off by 1 hour. > > > > Interesting. I'm not sure why ipa-certupdate would affect the > certmonger > > tracking. This may also be failing due to the nickname. > > > > ipa-cacert-manage renews the CA cert. So you renewed your CA, > which is > > unnecessary this far ahead of expiration. It definitely > explains the > > dogtag healthcheck issue. > > > > Doing the rename may fix the ipa-certupdate issue. > > > > rob > > > > > > > > On Mon, Dec 21, 2020 at 10:53 AM Rob Crittenden > > <[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>> wrote: > > > > > > Prasun Gera via FreeIPA-users wrote: > > > > I'm seeing the following two errors on running > > ipahealthcheck. This is > > > > on an up to date RHEL 8.3 system in a 2 server > topology with > > self > > > signed CA. > > > > > > > > DOMAIN.COM <http://DOMAIN.COM> <http://DOMAIN.COM> > <http://DOMAIN.COM> > > <http://DOMAIN.COM> IPA CA not > > > found, assuming 3rd party > > > > DOMAIN.COM <http://DOMAIN.COM> <http://DOMAIN.COM> > <http://DOMAIN.COM> > > <http://DOMAIN.COM> IPA CA not > > > found, assuming 3rd party > > > > > > I'd need to see the output of certutil -L -d > > /etc/pki/pki-tomcat/alias/ > > > > > > An expected nickname was not present either in the > database or in > > > CS.cfg. > > > > > > > [ > > > > { > > > > "source": "pki.server.healthcheck.meta.csconfig", > > > > "check": "CADogtagCertsConfigCheck", > > > > "result": "ERROR", > > > > "uuid": "da820035-6955-436f-9bf5-bde578b27920", > > > > "when": "20201221130025Z", > > > > "duration": "0.172261", > > > > "kw": { > > > > "key": "ca_signing", > > > > "nickname": "caSigningCert cert-pki-ca", > > > > "directive": "ca.signing.cert", > > > > "configfile": > "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg", > > > > "msg": "Certificate 'caSigningCert cert-pki-ca' > does not > > > match the > > > > value of ca.signing.cert in > > /var/lib/pki/pki-tomcat/ca/conf/CS.cfg" > > > > } > > > > }, > > > > > > You may be right, perhaps the dogtag checker doesn't > check all > > values of > > > the certificate. I'd suggest opening an issue at > > > https://github.com/dogtagpki/pki > > > > > > > { > > > > "source": "ipahealthcheck.ipa.certs", > > > > "check": "IPACertTracking", > > > > "result": "ERROR", > > > > "uuid": "cfba0bf1-4e4b-40d6-9d26-455bab9c9057", > > > > "when": "20201221130027Z", > > > > "duration": "0.307626", > > > > "kw": { > > > > "key": "cert-database=/etc/pki/pki-tomcat/alias, > > > > cert-nickname=caSigningCert cert-pki-ca, > > > > ca-name=dogtag-ipa-ca-renew-agent, > > > > > cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, > > > > > cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert > > > > \"caSigningCert cert-pki-ca\", template-profile=caCACert", > > > > "msg": "Missing tracking for > > > > cert-database=/etc/pki/pki-tomcat/alias, > > cert-nickname=caSigningCert > > > > cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, > > > > > cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, > > > > > cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert > > > > \"caSigningCert cert-pki-ca\", template-profile=caCACert" > > > > } > > > > }, > > > > ... > > > > ] > > > > > > The tracking may differ from what is expected. I'd need > to see the > > > output of: getcert list -d /etc/pki/pki-tomcat/alias/ -n > > 'caSigningCert > > > cert-pki-ca' > > > > > > rob > > > > > > > 1. This is with a self-signed CA. So I don't know why it > > has that > > > > assuming 3rd party message. > > > > 2. I think this has something to do with the fact > > > > that /etc/pki/pki-tomcat/alias/ has two certs > under the > > nickname > > > > of "caSigningCert cert-pki-ca", (one for each of the > > masters I > > > > presume), but somehow only 1 cert is tracked in other > > parts of the > > > > infrastructure. /var/lib/pki/pki-tomcat/ca/conf/CS.cfg > > lists a > > > > single certificate under ca.signing.cert and there > is also a > > > single > > > > entry in LDAP (which is the same as CS.cfg). Is > something > > > broken in > > > > my setup ? > > > > > > > > Thanks, > > > > Prasun > > > > > > > > _______________________________________________ > > > > FreeIPA-users mailing list -- > > [email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>> > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>>> > > > > To unsubscribe send an email to > > > [email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>> > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>>> > > > > Fedora Code of Conduct: > > > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > > > List Guidelines: > > > https://fedoraproject.org/wiki/Mailing_list_guidelines > > > > List Archives: > > > > > > > https://lists.fedorahosted.org/archives/list/[email protected] > > > > > > > > > > > > > _______________________________________________ > > FreeIPA-users mailing list -- [email protected] > <mailto:[email protected]> > > To unsubscribe send an email to > [email protected] > <mailto:[email protected]> > > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > List Guidelines: > https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: > > https://lists.fedorahosted.org/archives/list/[email protected] > > > > > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
