lejeczek via FreeIPA-users wrote:
> Hi guys.
>
> According to 'ipa-healthcheck' there are lots of problems with my IPA
> ...
> "key": "cert-file=/var/lib/ipa/ra-agent.pem,
> key-file=/var/lib/ipa/ra-agent.key, ca-name=dogtag-ipa-ca-renew-agent,
> cert-presave-command=/usr/libexec/ipa/certmonger/renew_ra_cert_pre,
> cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ra_cert",
> "msg": "Expected certmonger tracking is missing for {key}.
> Automated renewal will not happen for this certificate"
>
> ...
> "key": "cert-database=/etc/pki/pki-tomcat/alias,
> cert-nickname=auditSigningCert cert-pki-ca,
> ca-name=dogtag-ipa-ca-renew-agent,
> cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad,
> cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert
> \"auditSigningCert cert-pki-ca\", template-profile=caSignedLogCert",
> "msg": "Expected certmonger tracking is missing for {key}.
> Automated renewal will not happen for this certificate"
> ...
> ...
> {
> "source": "ipahealthcheck.ipa.certs",
> "check": "IPACertDNSSAN",
> "result": "ERROR",
> "uuid": "1f431916-88ae-4cf0-8dd1-c55914cf3801",
> "when": "20220315184602Z",
> "duration": "0.178625",
> "kw": {
> "key": null,
> "msg": "Found request id {key} but it is not trackedby certmonger!?"
> }
> },
> ...
>
> 'ipa-restore' does not seem to fix anything there.
First, ipa-restore is a last resort and should be used with extreme
care. It does things like disable all replication agreements so all
other servers need to re-initialize.
> What happens there and more importantly, how to troubleshoot/fix?
Not a certmonger problem.
ipa-healthcheck knows what certificates should be tracked by certmonger
and some are not showing up. This error is a *GOOD* thing because it's
warning you that your CA will break at renewal time if you don't act.
ipa-healthcheck apparently has a bug where it should be throwing an
error that tracking is missing altogether, not one with a null key.
ipa-server-upgrade should repair any broken tracking.
rob
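As an added example (not from the thread or the ipa-healthcheck project), a small Python triage script that reads a JSON report in the shape lejeczek quoted, keeps the failing certificate checks, expands the `{key}` placeholder the way the tool's text output does, and flags the null-key case Rob mentions as missing tracking. The sample report is constructed, and the check name on its first entry is assumed since the thread elides it.

```python
import json

# Constructed sample, not real output: three results in the shape of the
# JSON report ipa-healthcheck writes, modelled on the snippets in the thread.
# The check name for the first entry is assumed (the thread elides it).
SAMPLE_REPORT = json.dumps([
    {"source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking",
     "result": "ERROR", "uuid": "00000000-0000-4000-8000-000000000001",
     "when": "20220315184602Z", "duration": "0.01",
     "kw": {"key": "cert-file=/var/lib/ipa/ra-agent.pem, "
                   "key-file=/var/lib/ipa/ra-agent.key, "
                   "ca-name=dogtag-ipa-ca-renew-agent",
            "msg": "Expected certmonger tracking is missing for {key}. "
                   "Automated renewal will not happen for this certificate"}},
    {"source": "ipahealthcheck.ipa.certs", "check": "IPACertDNSSAN",
     "result": "ERROR", "uuid": "00000000-0000-4000-8000-000000000002",
     "when": "20220315184602Z", "duration": "0.17",
     "kw": {"key": None,
            "msg": "Found request id {key} but it is not trackedby certmonger!?"}},
    {"source": "ipahealthcheck.meta.services", "check": "certmonger",
     "result": "SUCCESS", "uuid": "00000000-0000-4000-8000-000000000003",
     "when": "20220315184602Z", "duration": "0.00", "kw": {}},
])

def render_msg(kw):
    """Expand the {key}-style placeholders in kw["msg"] from the kw dict,
    which is how the human-readable line is built from the JSON record."""
    try:
        return kw.get("msg", "").format(**kw)
    except (KeyError, IndexError, ValueError):
        return kw.get("msg", "")

def triage_cert_findings(report_json):
    """Return the non-SUCCESS results of the certificate checks, each with
    its rendered message and a follow-up note. A null key marks the case Rob
    describes: tracking is missing but the report labels it oddly."""
    findings = []
    for entry in json.loads(report_json):
        if (entry.get("source") != "ipahealthcheck.ipa.certs"
                or entry.get("result") == "SUCCESS"):
            continue
        kw = entry.get("kw", {})
        msg = render_msg(kw)
        if kw.get("key") is None or "tracking is missing" in msg:
            action = "certmonger tracking missing; ipa-server-upgrade repairs it"
        else:
            action = "inspect certificate manually"
        findings.append({"check": entry["check"], "result": entry["result"],
                         "key": kw.get("key"), "msg": msg, "action": action})
    return findings
```

Point it at a saved report (`ipa-healthcheck` writes JSON by default) to get a short list of which certificates need attention before running the repair.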
_______________________________________________
FreeIPA-users mailing list -- [email protected]