Hello Rob,
thanks for answering! Please see my answers below.

> On 7 Jul 2022, at 17:13, Rob Crittenden <[email protected]> wrote:
> 
> Ivars Strazdins via FreeIPA-users wrote:
>> Hi guys,
>> after upgrading FreeIPA from 4.6.8 to 4.9.8 I was able to run
>> ipa-healthcheck for the first time.
>> Now I am facing two errors:
>> 
>> # ipa-healthcheck 
>> Unhandler rdtype 256
>> Unhandler rdtype 256
>> Unhandler rdtype 256
>> Unhandler rdtype 256
>> Unhandler rdtype 256
>> Unhandler rdtype 256
>> Unhandler rdtype 256
>> Unhandler rdtype 256
>> 
>> [
>> {
>> "source": "pki.server.healthcheck.meta.csconfig",
>> "check": "CADogtagCertsConfigCheck",
>> "result": "ERROR",
>> "uuid": "92710f34-de94-4226-a81c-3e1d116c6410",
>> "when": "20220707130401Z",
>> "duration": "0.324141",
>> "kw": {
>> "key": "ca_signing",
>> "nickname": "caSigningCert cert-pki-ca",
>> "directive": "ca.signing.cert",
>> "configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
>> "msg": "Certificate 'caSigningCert cert-pki-ca' does not match
>> the value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
>> }
>> },
> 
> This compares the value of the certificate in the NSS database to the
> value in CS.cfg. They should match.
> 
>> {
>> "source": "ipahealthcheck.ipa.certs",
>> "check": "IPADogtagCertsMatchCheck",
>> "result": "ERROR",
>> "uuid": "b26ad134-e798-4e21-961a-bc17899ac267",
>> "when": "20220707130408Z",
>> "duration": "0.162734",
>> "kw": {
>> "key": "caSigningCert cert-pki-ca",
>> "nickname": "caSigningCert cert-pki-ca",
>> "dbdir": "/etc/pki/pki-tomcat/alias",
>> "msg": "{nickname} certificate in NSS DB {dbdir} does not
>> match entry in LDAP"
>> }
>> }
> 
> 
> I find it unusual that the CA certificate is different in two different
> places, both CS.cfg and LDAP. It could be a formatting difference
> between the two.
> 
> It's also strange that the IPA CA is included twice in the pki database.
> The caSigningCert cert-pki-ca and EXAMPLE.COM IPA CA should be the same
> certificate. Can you confirm that they are?

Yes, I get exactly the same output when I run the commands
certutil -L -d /etc/pki/pki-tomcat/alias -a -n 'DOMAIN.COM IPA CA'

and
certutil -L -d /etc/pki/pki-tomcat/alias -a -n 'caSigningCert cert-pki-ca'

> 
> Did you happen to run ipa-cacert-manage renew some time in the past?

Not that I remember doing that recently, but this particular FreeIPA instance
has been running for 5 years (the CA was generated in July 2017) and I may not remember
everything.
Then again, I can't remember any particular reason to run ipa-cacert-manage.

With kind regards,
Ivars

> 
> rob
> 
> 
>> ]
>> 
>> 
>> certutil output is:
>> 
>> # certutil -L -d /etc/pki/pki-tomcat/alias/
>> 
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>> 
>> CN=ISRG Root X1,O=Internet Security Research Group,C=US  C,, 
>> CN=ISRG Root X2,O=Internet Security Research Group,C=US  C,, 
>> CN=R3,O=Let's Encrypt,C=US  C,, 
>> CN=E1,O=Let's Encrypt,C=US  C,, 
>> CN=R4,O=Let's Encrypt,C=US  C,, 
>> CN=E2,O=Let's Encrypt,C=US  C,, 
>> caSigningCert cert-pki-ca  CTu,Cu,Cu
>> ocspSigningCert cert-pki-ca  u,u,u
>> auditSigningCert cert-pki-ca  u,u,Pu
>> subsystemCert cert-pki-ca  u,u,u
>> EXAMPLE.COM IPA CA  CTu,Cu,Cu
>> Server-Cert cert-pki-ca  u,u,u
>> 
>> 
>> How do I fix these errors?
>> To explain the Let's Encrypt certificates above: our IPA servers' Directory
>> Server and Apache server use Let's Encrypt certificates that have been
>> added to FreeIPA with the command "ipa-server-certinstall -w -d ..."

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
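The two healthcheck errors in the thread above compare one certificate as held in three places: the NSS database (`/etc/pki/pki-tomcat/alias`), the `ca.signing.cert` directive in `CS.cfg`, and an LDAP entry. Rob's suggestion that the mismatch "could be a formatting difference" can be settled by normalising each representation to raw DER and comparing fingerprints, which is what the following Python does. It is an added example written for this page, not ipa-healthcheck or FreeIPA code; the certificate bytes are constructed placeholders (not a parseable X.509 certificate), the function names are mine, and the LDAP DN and the `certutil`/`ldapsearch` invocations mentioned in the comments are assumptions about where a FreeIPA deployment keeps these values.

```python
"""Compare a certificate across NSS DB (PEM), CS.cfg (bare base64) and
LDAP (LDIF base64) by normalising all three to DER first.

Added example, not ipa-healthcheck code. Assumed sources of each form:
  NSS DB : certutil -L -d /etc/pki/pki-tomcat/alias -a -n 'caSigningCert cert-pki-ca'
           -> PEM armor, base64 wrapped at 64 columns
  CS.cfg : ca.signing.cert=<base64 DER on one line>  (no armor, no wrapping)
  LDAP   : ldapsearch ... -b 'cn=CAcert,cn=ipa,cn=etc,<suffix>' 'cACertificate;binary'
           -> LDIF 'attr:: <base64>' folded at 76 columns, continuation
              lines start with a single space (RFC 2849)
"""
import base64
import hashlib
import re
import textwrap

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armor and line wrapping, return DER bytes."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def cs_cfg_cert(cs_cfg_text: str, directive: str) -> bytes:
    """Return the DER for a 'directive=<base64>' line of a Dogtag CS.cfg."""
    for line in cs_cfg_text.splitlines():
        if line.startswith(directive + "="):
            return base64.b64decode(line[len(directive) + 1:].strip(),
                                    validate=True)
    raise KeyError(directive)


def ldif_binary_attr(ldif_text: str, attr: str) -> bytes:
    """Unfold LDIF continuation lines, then decode an 'attr:: base64' value."""
    unfolded = re.sub(r"\n ", "", ldif_text)
    for line in unfolded.splitlines():
        if line.startswith(attr + "::"):
            return base64.b64decode(line.split("::", 1)[1].strip(),
                                    validate=True)
    raise KeyError(attr)


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def compare_stores(nss_pem: str, cs_cfg_text: str, ldif_text: str,
                   directive: str = "ca.signing.cert",
                   attr: str = "cACertificate;binary"):
    """Return ({store: sha256}, [stores whose DER differs from the NSS DB])."""
    ders = {
        "nssdb": pem_to_der(nss_pem),
        "cs.cfg": cs_cfg_cert(cs_cfg_text, directive),
        "ldap": ldif_binary_attr(ldif_text, attr),
    }
    fps = {name: fingerprint(der) for name, der in ders.items()}
    mismatches = sorted(n for n, fp in fps.items() if fp != fps["nssdb"])
    return fps, mismatches


# --- constructed sample data (not real certificates) -----------------------
SAMPLE_DER = b"\x30\x82\x01\x04" + bytes(range(256))   # stand-in "current" cert
STALE_DER = b"\x30\x82\x01\x04" + bytes(range(255, -1, -1))  # stand-in "old" cert


def as_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----\n")


def as_cs_cfg(der: bytes, directive: str = "ca.signing.cert") -> str:
    return f"ca.signing.nickname=caSigningCert cert-pki-ca\n" \
           f"{directive}={base64.b64encode(der).decode()}\n"


def as_ldif(der: bytes, attr: str = "cACertificate;binary") -> str:
    line = f"{attr}:: {base64.b64encode(der).decode()}"
    first, rest = line[:76], line[76:]
    folded = [first] + [" " + rest[i:i + 75] for i in range(0, len(rest), 75)]
    return ("dn: cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com\n"
            + "\n".join(folded) + "\n")


if __name__ == "__main__":
    # Same cert in three formats: formatting alone must not report a mismatch.
    print(compare_stores(as_pem(SAMPLE_DER), as_cs_cfg(SAMPLE_DER),
                         as_ldif(SAMPLE_DER)))
    # CS.cfg holding an older cert: a genuine mismatch, as healthcheck reports.
    print(compare_stores(as_pem(SAMPLE_DER), as_cs_cfg(STALE_DER),
                         as_ldif(SAMPLE_DER)))
```

If the three fingerprints agree after normalisation, the healthcheck failure is not a formatting issue and the stores really hold different certificates; when two nicknames exist in the NSS database, as in the listing above, run `certutil -L -a -n` for each and feed both through `pem_to_der` to see whether they are byte-identical before deciding which copy is the stale one.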