Hi guys,
after upgrading FreeIPA from 4.6.8 to 4.9.8 I was able to run ipa-healthcheck 
for the first time.
Now I am facing two errors:
# ipa-healthcheck 
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
[
  {
    "source": "pki.server.healthcheck.meta.csconfig",
    "check": "CADogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "92710f34-de94-4226-a81c-3e1d116c6410",
    "when": "20220707130401Z",
    "duration": "0.324141",
    "kw": {
      "key": "ca_signing",
      "nickname": "caSigningCert cert-pki-ca",
      "directive": "ca.signing.cert",
      "configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
      "msg": "Certificate 'caSigningCert cert-pki-ca' does not match the value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPADogtagCertsMatchCheck",
    "result": "ERROR",
    "uuid": "b26ad134-e798-4e21-961a-bc17899ac267",
    "when": "20220707130408Z",
    "duration": "0.162734",
    "kw": {
      "key": "caSigningCert cert-pki-ca",
      "nickname": "caSigningCert cert-pki-ca",
      "dbdir": "/etc/pki/pki-tomcat/alias",
      "msg": "{nickname} certificate in NSS DB {dbdir} does not match entry in LDAP"
    }
  }
]

certutil output is:
# certutil -L -d /etc/pki/pki-tomcat/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=ISRG Root X1,O=Internet Security Research Group,C=US      C,,  
CN=ISRG Root X2,O=Internet Security Research Group,C=US      C,,  
CN=R3,O=Let's Encrypt,C=US                                   C,,  
CN=E1,O=Let's Encrypt,C=US                                   C,,  
CN=R4,O=Let's Encrypt,C=US                                   C,,  
CN=E2,O=Let's Encrypt,C=US                                   C,,  
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
subsystemCert cert-pki-ca                                    u,u,u
EXAMPLE.COM IPA CA                                               CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u

How do I fix these errors?
To explain the Let's Encrypt certificates above: our IPA servers' Directory Server 
and Apache server use Let's Encrypt certificates that have been added to FreeIPA 
with the command "ipa-server-certinstall -w -d ..."

Thank you in advance for your time.
Ivars