Ivars Strazdins wrote:
> Hi Rob,
> then both errors reported by ipa-healthcheck are nothing to be worried
> about in our setup?

I meant that having potentially renewing your CA is not awesome but not
the end of the world either.

I'd manually check out the values in the file/LDAP and compare them to
the version in the NSS database.

rob

> With kind regards,
> Ivars
>
>> On 7 Jul 2022, at 20:23, Rob Crittenden <[email protected]> wrote:
>>
>> Ivars Strazdins wrote:
>>> Rob,
>>> actually, I started digging and I see that first account creation time
>>> is in April 2015.
>>> However, CA certificate creation time is in July 2017.
>>> So maybe in 2017 I had run 'ipa-cacert-manage renew' command ¯\_(ツ)_/¯
>>
>> It isn't anything to worry about, just a head scratcher.
>>
>> NSS allows multiple nicknames to point to the same certificate so it
>> shouldn't be an issue.
>>
>> rob
>>
>>> Ivars
>>>
>>>> On 7 Jul 2022, at 17:36, Ivars Strazdins <[email protected]> wrote:
>>>>
>>>> Hello Rob,
>>>> thanks for answering! Please see my answers below.
>>>>
>>>>> On 7 Jul 2022, at 17:13, Rob Crittenden <[email protected]> wrote:
>>>>>
>>>>> Ivars Strazdins via FreeIPA-users wrote:
>>>>>> Hi guys,
>>>>>> after upgrading FreeIPA from 4.6.8 to 4.9.8 I was able to run
>>>>>> ipa-healthcheck for the first time.
>>>>>> Now I am facing two errors:
>>>>>>
>>>>>> # ipa-healthcheck
>>>>>> Unhandler rdtype 256
>>>>>> Unhandler rdtype 256
>>>>>> Unhandler rdtype 256
>>>>>> Unhandler rdtype 256
>>>>>> Unhandler rdtype 256
>>>>>> Unhandler rdtype 256
>>>>>> Unhandler rdtype 256
>>>>>> Unhandler rdtype 256
>>>>>>
>>>>>> [
>>>>>>   {
>>>>>>     "source": "pki.server.healthcheck.meta.csconfig",
>>>>>>     "check": "CADogtagCertsConfigCheck",
>>>>>>     *"result": "ERROR",*
>>>>>>     "uuid": "92710f34-de94-4226-a81c-3e1d116c6410",
>>>>>>     "when": "20220707130401Z",
>>>>>>     "duration": "0.324141",
>>>>>>     "kw": {
>>>>>>       "key": "ca_signing",
>>>>>>       "nickname": "caSigningCert cert-pki-ca",
>>>>>>       "directive": "ca.signing.cert",
>>>>>>       "configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
>>>>>>       "msg": "Certificate 'caSigningCert cert-pki-ca' does not match the value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
>>>>>>     }
>>>>>>   },
>>>>>
>>>>> This compares the value of the certificate in the NSS database to the
>>>>> value in CS.cfg. They should match.
>>>>>
>>>>>>   {
>>>>>>     "source": "ipahealthcheck.ipa.certs",
>>>>>>     "check": "IPADogtagCertsMatchCheck",
>>>>>>     *"result": "ERROR",*
>>>>>>     "uuid": "b26ad134-e798-4e21-961a-bc17899ac267",
>>>>>>     "when": "20220707130408Z",
>>>>>>     "duration": "0.162734",
>>>>>>     "kw": {
>>>>>>       "key": "caSigningCert cert-pki-ca",
>>>>>>       "nickname": "caSigningCert cert-pki-ca",
>>>>>>       "dbdir": "/etc/pki/pki-tomcat/alias",
>>>>>>       "msg": "{nickname} certificate in NSS DB {dbdir} does not match entry in LDAP"
>>>>>>     }
>>>>>>   }
>>>>>
>>>>> I find it unusual that the CA certificate is different in two different
>>>>> places, both CS.cfg and LDAP. It could be a formatting difference
>>>>> between the two.
>>>>>
>>>>> It's also strange that the IPA CA is included twice in the pki
>>>>> database. The caSigningCert cert-pki-ca and EXAMPLE.COM IPA CA should
>>>>> be the same certificate. Can you confirm that they are?
>>>>
>>>> Yes I get exactly the same output when I run commands
>>>>
>>>> certutil -L -d /etc/pki/pki-tomcat/alias -a -n 'DOMAIN.COM IPA CA'
>>>>
>>>> and
>>>>
>>>> certutil -L -d /etc/pki/pki-tomcat/alias -a -n 'caSigningCert cert-pki-ca'
>>>>
>>>>> Did you happen to run ipa-cacert-manage renew some time in the past?
>>>>
>>>> Not that I remember doing that recently, but this particular FreeIPA
>>>> instance is running for 5 years (CA being generated in July 2017) and I
>>>> may not remember everything.
>>>> Then again, I can't remember any particular reason to
>>>> run ipa-cacert-manage.
>>>>
>>>> With kind regards,
>>>> Ivars
>>>>
>>>>> rob
>>>>>
>>>>>> ]
>>>>>>
>>>>>> certutil output is:
>>>>>>
>>>>>> # certutil -L -d /etc/pki/pki-tomcat/alias/
>>>>>>
>>>>>> Certificate Nickname                                      Trust Attributes
>>>>>>                                                           SSL,S/MIME,JAR/XPI
>>>>>>
>>>>>> CN=ISRG Root X1,O=Internet Security Research Group,C=US   C,,
>>>>>> CN=ISRG Root X2,O=Internet Security Research Group,C=US   C,,
>>>>>> CN=R3,O=Let's Encrypt,C=US                                C,,
>>>>>> CN=E1,O=Let's Encrypt,C=US                                C,,
>>>>>> CN=R4,O=Let's Encrypt,C=US                                C,,
>>>>>> CN=E2,O=Let's Encrypt,C=US                                C,,
>>>>>> caSigningCert cert-pki-ca                                 CTu,Cu,Cu
>>>>>> ocspSigningCert cert-pki-ca                               u,u,u
>>>>>> auditSigningCert cert-pki-ca                              u,u,Pu
>>>>>> subsystemCert cert-pki-ca                                 u,u,u
>>>>>> EXAMPLE.COM IPA CA                                        CTu,Cu,Cu
>>>>>> Server-Cert cert-pki-ca                                   u,u,u
>>>>>>
>>>>>> How do I fix these errors?
>>>>>> To explain above Letsencrypt certificates - our IPA servers Directory
>>>>>> server and Apache server use Letsencrypt certificates that have been
>>>>>> added to FreeIPA with command "ipa-server-certinstall -w -d ..."
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
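Rob's suggestion is to compare the CA certificate in CS.cfg and in LDAP against the copy in the NSS database by hand, and he notes that a "formatting difference" alone can make the healthcheck report a mismatch. The script below is an added example (not code from the thread, from ipa-healthcheck or from FreeIPA) that normalises the three representations to DER and compares SHA-256 fingerprints, so a cosmetic difference (PEM wrapping, LDIF line folding) is told apart from a genuinely different certificate. The directive name `ca.signing.cert`, the CS.cfg path and the NSS nickname/dbdir come from the healthcheck output in the thread; the LDAP DN and the attribute name `cACertificate;binary` are assumptions, as are the sample inputs, which are constructed stand-in bytes rather than a real certificate.

```python
"""
Compare a CA certificate as stored in CS.cfg, an NSS database export and an
LDAP entry, after normalising each to DER. Added example; assumptions are
labelled in comments.
"""
import base64
import hashlib
import re


def der_from_cscfg(cfg_text: str, key: str = "ca.signing.cert") -> bytes:
    """Return the DER bytes stored as `<key>=<base64>` in CS.cfg text.
    Matching `key=` (with the '=') avoids picking up e.g. `ca.signing.certnickname`."""
    for line in cfg_text.splitlines():
        if line.startswith(key + "="):
            return base64.b64decode(line.split("=", 1)[1].strip())
    raise KeyError(f"{key} not found in CS.cfg text")


def der_from_pem(pem_text: str) -> bytes:
    """Decode PEM as printed by `certutil -L -d <dbdir> -a -n '<nickname>'`."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def der_from_ldif(ldif_text: str, attr: str = "cACertificate;binary") -> bytes:
    """Decode a base64 ('::') attribute from ldapsearch LDIF output.
    LDIF folds long values onto continuation lines that start with one space;
    those are unfolded first. The attribute name is an assumption."""
    unfolded = re.sub(r"\n ", "", ldif_text)
    for line in unfolded.splitlines():
        if line.startswith(attr + "::"):
            return base64.b64decode(line.split("::", 1)[1].strip())
    raise KeyError(f"{attr} not found in LDIF text")


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, the same value `openssl x509 -fingerprint
    -sha256` would print for a real certificate (without the colons)."""
    return hashlib.sha256(der).hexdigest()


def compare_sources(cscfg_der: bytes, nss_der: bytes, ldap_der: bytes) -> dict:
    """Fingerprint all three copies; all_match is True only if the DER is identical."""
    fps = {
        "CS.cfg": fingerprint(cscfg_der),
        "NSS DB": fingerprint(nss_der),
        "LDAP": fingerprint(ldap_der),
    }
    return {"fingerprints": fps, "all_match": len(set(fps.values())) == 1}


# --- constructed sample inputs (not a real certificate: a 5-byte DER SEQUENCE) ---
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
_B64 = base64.b64encode(SAMPLE_DER).decode()

# CS.cfg stores the certificate as one bare base64 line under ca.signing.cert
SAMPLE_CSCFG = (
    "ca.signing.certnickname=caSigningCert cert-pki-ca\n"
    f"ca.signing.cert={_B64}\n"
)
# certutil -a output is PEM
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{_B64}\n-----END CERTIFICATE-----\n"
# ldapsearch output is LDIF with base64 values folded across lines (DN assumed)
SAMPLE_LDIF = (
    "dn: cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com\n"
    f"cACertificate;binary:: {_B64[:4]}\n {_B64[4:]}\n"
)
# a copy whose bytes genuinely differ
TAMPERED_PEM = SAMPLE_PEM.replace(_B64, base64.b64encode(b"\x30\x03\x02\x01\x06").decode())


def check_sample() -> dict:
    """All three sample copies encode the same DER, so this reports all_match True."""
    return compare_sources(der_from_cscfg(SAMPLE_CSCFG),
                           der_from_pem(SAMPLE_PEM),
                           der_from_ldif(SAMPLE_LDIF))


def check_tampered() -> dict:
    """The NSS copy differs by one byte, so this reports all_match False."""
    return compare_sources(der_from_cscfg(SAMPLE_CSCFG),
                           der_from_pem(TAMPERED_PEM),
                           der_from_ldif(SAMPLE_LDIF))


if __name__ == "__main__":
    for label, result in (("matching copies", check_sample()),
                          ("tampered NSS copy", check_tampered())):
        print(label, "->", "all match" if result["all_match"] else "MISMATCH")
        for source, fp in result["fingerprints"].items():
            print(f"  {source:7s} {fp}")
```

On a live server the three inputs would be the `ca.signing.cert` line of `/var/lib/pki/pki-tomcat/ca/conf/CS.cfg`, the PEM from `certutil -L -d /etc/pki/pki-tomcat/alias -a -n 'caSigningCert cert-pki-ca'`, and the LDIF from an `ldapsearch` against the CA entry. If the fingerprints agree, the healthcheck errors are a representation difference rather than a different CA certificate; if they disagree, the fingerprints show which copy is the odd one out, which is the first thing to know before touching any of them.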
