Thanks, Rob!

On Tue, Jan 5, 2021 at 10:01 AM Rob Crittenden <[email protected]> wrote:

> Prasun Gera via FreeIPA-users wrote:
> > Thanks. That has fixed a part of the problem. I did the rename followed
> > by ipa-certupdate, which clears the duplicate nickname. It also shows
> > only a single value under the nickname now. I don't see the CS.cfg error
> > anymore. However, something is still not right with certupdate and
> > tracking. After certupdate, I get the tracking error in healthcheck. If
> > I do ipa-server-upgrade, it fixes the tracking and also prints this:
> > "Missing or incorrect tracking request for certificates:
> > /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca"
> > after which healthcheck reports no errors. Running certupdate brings the
> > error back.
>
> To close the loop on this I was able to reproduce this and opened
> https://pagure.io/freeipa/issue/8644 . A PR to fix this has been
> submitted upstream.
>
> rob
>
> > On Wed, Dec 23, 2020 at 10:04 AM Rob Crittenden <[email protected]> wrote:
> >
> >     Prasun Gera via FreeIPA-users wrote:
> >     > Renaming creates a duplicate. There was already a 'caSigningCert
> >     > cert-pki-ca' present in the db. Now it shows two entries with the same
> >     > nick. This shouldn't happen, right? Should I delete 'DOMAIN.COM IPA CA'
> >     > instead (after restoring /etc/pki/pki-tomcat/alias/)? It had the same
> >     > contents as 'caSigningCert cert-pki-ca'. Here is what it looks like:
> >     >
> >     > certutil -L -d /etc/pki/pki-tomcat/alias/
> >     >
> >     > Certificate Nickname                          Trust Attributes
> >     >                                               SSL,S/MIME,JAR/XPI
> >     >
> >     > Server-Cert cert-pki-ca                       u,u,u
> >     > subsystemCert cert-pki-ca                     u,u,u
> >     > auditSigningCert cert-pki-ca                  u,u,Pu
> >     > ocspSigningCert cert-pki-ca                   u,u,u
> >     > caSigningCert cert-pki-ca                     CTu,Cu,Cu
> >     > caSigningCert cert-pki-ca                     CTu,Cu,Cu
> >
> >     I think that ipa-certupdate was adding the other nickname. I believe
> >     this will prevent that.
> >
> >     rob
> >
> >     > On Tue, Dec 22, 2020 at 10:22 AM Rob Crittenden <[email protected]> wrote:
> >     >
> >     >     Prasun Gera wrote:
> >     >     > Thanks, Rob. Here are the outputs:
> >     >     >
> >     >     > certutil -L -d /etc/pki/pki-tomcat/alias/
> >     >     >
> >     >     > Certificate Nickname                          Trust Attributes
> >     >     >                                               SSL,S/MIME,JAR/XPI
> >     >     >
> >     >     > Server-Cert cert-pki-ca                       u,u,u
> >     >     > subsystemCert cert-pki-ca                     u,u,u
> >     >     > auditSigningCert cert-pki-ca                  u,u,Pu
> >     >     > ocspSigningCert cert-pki-ca                   u,u,u
> >     >     > caSigningCert cert-pki-ca                     CTu,Cu,Cu
> >     >     > DOMAIN.COM IPA CA                             CTu,Cu,Cu
> >     >
> >     >     That identifies one problem. The nickname that is currently
> >     >     'DOMAIN.COM IPA CA' should be 'caSigningCert cert-pki-ca'.
> >     >
> >     >     To fix:
> >     >
> >     >     1. ipa cert-show 1 (output doesn't matter, just shouldn't be an error)
> >     >     2. ipactl stop
> >     >     3. backup /etc/pki/pki-tomcat/alias/* someplace safe
> >     >     4. certutil --rename -d /etc/pki/pki-tomcat/alias/ --new-n 'caSigningCert cert-pki-ca' -n 'DOMAIN.COM IPA CA'
> >     >     5. ipactl start
> >     >     6. ipa cert-show 1 (again, should return a cert)
> >     >
> >     >     > getcert list -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca'
> >     >     > Number of certificates and requests being tracked: 9.
> >     >     > Request ID '20201221144720':
> >     >     >         status: MONITORING
> >     >     >         stuck: no
> >     >     >         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> >     >     >         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
> >     >     >         CA: dogtag-ipa-ca-renew-agent
> >     >     >         issuer: CN=Certificate Authority,O=DOMAIN.COM
> >     >     >         subject: CN=Certificate Authority,O=DOMAIN.COM
> >     >     >         expires: 2040-12-21 06:51:45 EST
> >     >     >         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
> >     >     >         profile: caCACert
> >     >     >         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> >     >     >         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
> >     >     >         track: yes
> >     >     >         auto-renew: yes
> >     >     >
> >     >     > The other thing I tried was ipa-server-upgrade, which does resolve the
> >     >     > 2nd failure. It adds the missing tracking. However, if I run
> >     >     > ipa-certupdate after that, the error appears again. It appears that
> >     >     > ipa-certupdate clears it. One thing worth mentioning is that I had
> >     >     > run ipa-cacert-manage renew earlier. Is this related to it somehow? I'm
> >     >     > not entirely sure why there are two certificates with two serial
> >     >     > numbers. They both have the same validity dates, only different times.
> >     >     > One is off by 1 hour.
> >     >
> >     >     Interesting. I'm not sure why ipa-certupdate would affect the certmonger
> >     >     tracking. This may also be failing due to the nickname.
> >     >
> >     >     ipa-cacert-manage renews the CA cert. So you renewed your CA, which is
> >     >     unnecessary this far ahead of expiration. It definitely explains the
> >     >     dogtag healthcheck issue.
> >     >
> >     >     Doing the rename may fix the ipa-certupdate issue.
> >     >
> >     >     rob
> >     >
> >     >     > On Mon, Dec 21, 2020 at 10:53 AM Rob Crittenden <[email protected]> wrote:
> >     >     >
> >     >     >     Prasun Gera via FreeIPA-users wrote:
> >     >     >     > I'm seeing the following two errors on running ipahealthcheck. This is
> >     >     >     > on an up to date RHEL 8.3 system in a 2 server topology with a
> >     >     >     > self-signed CA.
> >     >     >     >
> >     >     >     > DOMAIN.COM IPA CA not found, assuming 3rd party
> >     >     >     > DOMAIN.COM IPA CA not found, assuming 3rd party
> >     >     >
> >     >     >     I'd need to see the output of certutil -L -d /etc/pki/pki-tomcat/alias/
> >     >     >
> >     >     >     An expected nickname was not present either in the database or in
> >     >     >     CS.cfg.
> >     >     >
> >     >     >     > [
> >     >     >     >   {
> >     >     >     >     "source": "pki.server.healthcheck.meta.csconfig",
> >     >     >     >     "check": "CADogtagCertsConfigCheck",
> >     >     >     >     "result": "ERROR",
> >     >     >     >     "uuid": "da820035-6955-436f-9bf5-bde578b27920",
> >     >     >     >     "when": "20201221130025Z",
> >     >     >     >     "duration": "0.172261",
> >     >     >     >     "kw": {
> >     >     >     >       "key": "ca_signing",
> >     >     >     >       "nickname": "caSigningCert cert-pki-ca",
> >     >     >     >       "directive": "ca.signing.cert",
> >     >     >     >       "configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
> >     >     >     >       "msg": "Certificate 'caSigningCert cert-pki-ca' does not match the value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
> >     >     >     >     }
> >     >     >     >   },
> >     >     >
> >     >     >     You may be right, perhaps the dogtag checker doesn't check all values of
> >     >     >     the certificate. I'd suggest opening an issue at
> >     >     >     https://github.com/dogtagpki/pki
> >     >     >
> >     >     >     >   {
> >     >     >     >     "source": "ipahealthcheck.ipa.certs",
> >     >     >     >     "check": "IPACertTracking",
> >     >     >     >     "result": "ERROR",
> >     >     >     >     "uuid": "cfba0bf1-4e4b-40d6-9d26-455bab9c9057",
> >     >     >     >     "when": "20201221130027Z",
> >     >     >     >     "duration": "0.307626",
> >     >     >     >     "kw": {
> >     >     >     >       "key": "cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=caSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"caSigningCert cert-pki-ca\", template-profile=caCACert",
> >     >     >     >       "msg": "Missing tracking for cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=caSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"caSigningCert cert-pki-ca\", template-profile=caCACert"
> >     >     >     >     }
> >     >     >     >   },
> >     >     >     > ...
> >     >     >     > ]
> >     >     >
> >     >     >     The tracking may differ from what is expected. I'd need to see the
> >     >     >     output of: getcert list -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca'
> >     >     >
> >     >     >     rob
> >     >     >
> >     >     >     > 1. This is with a self-signed CA. So I don't know why it has that
> >     >     >     >    assuming 3rd party message.
> >     >     >     > 2. I think this has something to do with the fact that
> >     >     >     >    /etc/pki/pki-tomcat/alias/ has two certs under the nickname of
> >     >     >     >    "caSigningCert cert-pki-ca" (one for each of the masters I presume),
> >     >     >     >    but somehow only 1 cert is tracked in other parts of the
> >     >     >     >    infrastructure. /var/lib/pki/pki-tomcat/ca/conf/CS.cfg lists a
> >     >     >     >    single certificate under ca.signing.cert and there is also a single
> >     >     >     >    entry in LDAP (which is the same as CS.cfg). Is something broken in
> >     >     >     >    my setup?
> >     >     >     >
> >     >     >     > Thanks,
> >     >     >     > Prasun
> >     >     >     >
> >     >     >     > _______________________________________________
> >     >     >     > FreeIPA-users mailing list -- [email protected]
> >     >     >     > To unsubscribe send an email to [email protected]
> >     >     >     > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >     >     >     > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >     >     >     > List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
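As an added illustration, not code from the thread or from FreeIPA, here is a small Python checker that parses `certutil -L` output and reports the two nickname states discussed above: the CA certificate stored as 'DOMAIN.COM IPA CA' instead of 'caSigningCert cert-pki-ca' (which is what produces the "not found, assuming 3rd party" message), and the duplicate nickname that appeared after the rename. The expected nickname set and the two sample listings are constructed from the output quoted in the thread.

```python
import re
from collections import Counter

# Nicknames expected in /etc/pki/pki-tomcat/alias on an IPA CA master (per the thread's certutil -L output).
EXPECTED_NICKNAMES = {
    "Server-Cert cert-pki-ca", "subsystemCert cert-pki-ca",
    "auditSigningCert cert-pki-ca", "ocspSigningCert cert-pki-ca",
    "caSigningCert cert-pki-ca",
}
# One certutil -L row: nickname, 2+ spaces, SSL,S/MIME,JAR/XPI trust flags.
# Header lines never match because their last column has no commas.
_ROW = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")


def parse_certutil_list(text):
    """Return [(nickname, trust)] for every certificate row in certutil -L output."""
    return [(m.group("nick"), m.group("trust"))
            for m in map(_ROW.match, (ln.rstrip() for ln in text.splitlines())) if m]


def check_ca_nicknames(text):
    """Return findings for a listing; an empty list means the nicknames look healthy."""
    rows = parse_certutil_list(text)
    counts = Counter(nick for nick, _ in rows)
    findings = [f"missing expected nickname '{n}'"
                for n in sorted(EXPECTED_NICKNAMES - set(counts))]
    findings += [f"nickname '{n}' appears {c} times" for n, c in counts.items() if c > 1]
    # A trusted CA ('C' in the SSL trust flags) under an unexpected nickname is
    # the "<REALM> IPA CA not found, assuming 3rd party" situation from the thread.
    findings += [f"CA certificate stored under unexpected nickname '{n}'"
                 for n, trust in rows
                 if n not in EXPECTED_NICKNAMES and "C" in trust.split(",")[0]]
    return findings


# Constructed listing: the CA cert stored as 'DOMAIN.COM IPA CA' (before the rename).
SAMPLE_BEFORE_RENAME = """Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
DOMAIN.COM IPA CA                                            CTu,Cu,Cu
"""
# Constructed listing: after the rename a second copy appeared under the same nickname.
SAMPLE_DUPLICATE = (SAMPLE_BEFORE_RENAME.replace("DOMAIN.COM IPA CA", "caSigningCert cert-pki-ca")
                    + "caSigningCert cert-pki-ca                                    CTu,Cu,Cu\n")
```

Feed it the real `certutil -L -d /etc/pki/pki-tomcat/alias/` output and it flags the same two conditions the thread worked through by hand.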
