Ivars Strazdins via FreeIPA-users wrote:
> Hi guys,
> after upgrading FreeIPA from 4.6.8 to 4.9.8 I was able to run
> ipa-healthcheck for the first time.
> Now I am facing two errors:
> 
>     # ipa-healthcheck 
>     Unhandler rdtype 256
>     Unhandler rdtype 256
>     Unhandler rdtype 256
>     Unhandler rdtype 256
>     Unhandler rdtype 256
>     Unhandler rdtype 256
>     Unhandler rdtype 256
>     Unhandler rdtype 256
> 
>     [
>       {
>         "source": "pki.server.healthcheck.meta.csconfig",
>         "check": "CADogtagCertsConfigCheck",
>     *    "result": "ERROR",*
>         "uuid": "92710f34-de94-4226-a81c-3e1d116c6410",
>         "when": "20220707130401Z",
>         "duration": "0.324141",
>         "kw": {
>           "key": "ca_signing",
>           "nickname": "caSigningCert cert-pki-ca",
>           "directive": "ca.signing.cert",
>           "configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
>           "msg": "Certificate 'caSigningCert cert-pki-ca' does not match
>     the value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
>         }
>       },

This compares the value of the certificate in the NSS database to the
value in CS.cfg. They should match.

>       {
>         "source": "ipahealthcheck.ipa.certs",
>         "check": "IPADogtagCertsMatchCheck",
>     *    "result": "ERROR",*
>         "uuid": "b26ad134-e798-4e21-961a-bc17899ac267",
>         "when": "20220707130408Z",
>         "duration": "0.162734",
>         "kw": {
>           "key": "caSigningCert cert-pki-ca",
>           "nickname": "caSigningCert cert-pki-ca",
>           "dbdir": "/etc/pki/pki-tomcat/alias",
>           "msg": "{nickname} certificate in NSS DB {dbdir} does not
>     match entry in LDAP"
>         }
>       }


I find it unusual that the CA certificate is different in two different
places, both CS.cfg and LDAP. It could be a formatting difference
between the two.

It's also strange that the IPA CA is included twice in the pki database.
The caSigningCert cert-pki-ca and EXAMPLE.COM IPA CA should be the same
certificate. Can you confirm that they are?

Did you happen to run ipa-cacert-manage renew some time in the past?

rob


>     ]
> 
> 
> certutil output is:
> 
>     # certutil -L -d /etc/pki/pki-tomcat/alias/
> 
>     Certificate Nickname                                         Trust Attributes
>                                                                  SSL,S/MIME,JAR/XPI
> 
>     CN=ISRG Root X1,O=Internet Security Research Group,C=US      C,,  
>     CN=ISRG Root X2,O=Internet Security Research Group,C=US      C,,  
>     CN=R3,O=Let's Encrypt,C=US                                   C,,  
>     CN=E1,O=Let's Encrypt,C=US                                   C,,  
>     CN=R4,O=Let's Encrypt,C=US                                   C,,  
>     CN=E2,O=Let's Encrypt,C=US                                   C,,  
>     caSigningCert cert-pki-ca                                    CTu,Cu,Cu
>     ocspSigningCert cert-pki-ca                                  u,u,u
>     auditSigningCert cert-pki-ca                                 u,u,Pu
>     subsystemCert cert-pki-ca                                    u,u,u
>     EXAMPLE.COM IPA CA                                           CTu,Cu,Cu
>     Server-Cert cert-pki-ca                                      u,u,u
> 
> 
> How do I fix these errors?
> To explain the Let's Encrypt certificates above: our IPA servers' Directory
> Server and Apache server use Let's Encrypt certificates that were
> added to FreeIPA with the command “ipa-server-certinstall -w -d ..."
_______________________________________________
FreeIPA-users mailing list -- [email protected]