Hello,

On 2022-11-16 two of my four IPA servers have this healthcheck error:

freeipa1, freeipa2:

    {
      "source": "pki.server.healthcheck.meta.csconfig",
      "check": "KRADogtagCertsConfigCheck",
      "result": "ERROR",
      "uuid": "892ad5b7-8612-4476-8120-2a5fe6c6b005",
      "when": "20221116030029Z",
      "duration": "0.024925",
      "kw": {
        "key": "kra_sslserver",
        "nickname": "Server-Cert cert-pki-ca",
        "directive": "kra.sslserver.cert",
        "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
        "msg": "Certificate 'Server-Cert cert-pki-ca' does not match the value of kra.sslserver.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
      }
    },

The servers freeipa1-3 are Fedora 36, freeipa4 is Fedora 37 - all up to date.

All files /var/lib/pki/pki-tomcat/kra/conf/CS.cfg have changed last in Nov/Dec 2021. Most likely due to me looking at that issue and only "fixing" the error but not investigating the root cause. Let's see if we can remedy that.

On freeipa1, the "Server-Cert cert-pki-ca" has been refreshed on 2022-11-13 15:27:35 CET.
On freeipa2, the "Server-Cert cert-pki-ca" has been refreshed on 2022-11-11 15:22:12 CET.
The certificates on freeipa3 and freeipa4 will be refreshed in Nov 2023.

On freeipa2 there are these CS.cfg files:

    [root@freeipa2 ~]# ls -l /var/lib/pki/pki-tomcat/*/conf/CS.cfg
    -rw-rw----. 1 pkiuser pkiuser 85469 11. Nov 15:22 /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
    -rw-rw----. 1 pkiuser pkiuser 34418 18. Nov 2021  /var/lib/pki/pki-tomcat/kra/conf/CS.cfg

So it looks like the helper only refreshed the cert in ca, not on kra.

The certificate request has this post-save command:

    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"

When looking at the script, we call this for the cert:

    python3.10/site-packages/ipaserver/install/cainstance.py:1157:
        def update_cert_config(self, nickname, cert):

Which calls that function:

    python3.10/site-packages/ipaserver/install/dogtaginstance.py:555:
        def update_cert_cs_cfg(self, directive, cert):

But: there is no code to loop over the running services in pki-tomcat as far as I can see. So we update ca/conf/CS.cfg, but not kra/conf/CS.cfg.

Some related discussions:

https://bugzilla.redhat.com/show_bug.cgi?id=1869893 says:

    3. Though the subsystems seem to be working without errors so far, we still
    would like to have copies of the cert in CS.cfg... In future, these redundant
    copies of cert will be removed from CS.cfg and the code will be altered to
    retrieve certs from its NSSDB.

I've collected the logs of the certificate refresh on freeipa2 and can provide them, but there was no related error as far as I can see.

PKI thinks that CA and KRA are enabled in this instance:

    [pkiuser@freeipa2 ~]$ pki-server status
      Instance ID: pki-tomcat
      Active: True
      Nuxwdog Enabled: False
      Unsecure Port: 8080
      Secure Port: 8443
      AJP Port: 8009
      Tomcat Port: 8005
      CA Subsystem:
        Type: CA Clone (Security Domain)
        SD Name: IPA
        SD Registration URL: https://freeipa2.example.org:8443
        Enabled: True
        Unsecure URL: http://freeipa2.example.org:8080/ca/ee/ca
        Secure Agent URL: https://freeipa2.example.org:8443/ca/agent/ca
        Secure EE URL: https://freeipa2.example.org:8443/ca/ee/ca
        Secure Admin URL: https://freeipa2.example.org:8443/ca/services
        PKI Console URL: https://freeipa2.example.org:8443/ca
      KRA Subsystem:
        Type: KRA
        SD Name: IPA
        SD Registration URL: https://freeipa2.example.org:443
        Enabled: True
        Secure Agent URL: https://freeipa2.example.org:8443/kra/agent/kra
        Secure Admin URL: https://freeipa2.example.org:8443/kra/services
        PKI Console URL: https://freeipa2.example.org:8443/kra

Is my analysis correct? What would be the right fix?

Jochen

--
This space is intentionally left blank.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
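The mismatch the healthcheck reports is that the base64 copy of "Server-Cert cert-pki-ca" kept in the KRA's CS.cfg under `kra.sslserver.cert` is stale while the CA's copy was rewritten at renewal time. The script below is an added example (not FreeIPA or Dogtag code) that does the same comparison for every subsystem directory under pki-tomcat and can rewrite a stale copy. It assumes the CA counterpart of the directive is `ca.sslserver.cert` (only the KRA key appears in the healthcheck output), and it works on text passed in, so on a real server you would read each `/var/lib/pki/pki-tomcat/<subsystem>/conf/CS.cfg`, obtain the live certificate as PEM from the instance's NSS database (for example `certutil -L -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" -a`; that database path is the usual Dogtag location, not something stated in the mail), and restart pki-tomcatd after writing. The certificate bytes and CS.cfg fragments here are constructed sample data.

```python
"""Check and repair the Server-Cert copies in Dogtag subsystem CS.cfg files.

Added example, not FreeIPA/Dogtag code. CS.cfg stores the certificate as a
single line of base64 DER under <subsystem>.sslserver.cert; the live cert
is supplied as PEM. All sample data below is constructed.
"""
from __future__ import annotations

import base64

# Subsystem -> CS.cfg directive holding the SSL server cert copy.
# The KRA key comes from the healthcheck message; the CA key is assumed
# to follow the same <subsystem>.sslserver.cert pattern.
SSLSERVER_DIRECTIVE = {"ca": "ca.sslserver.cert", "kra": "kra.sslserver.cert"}


def pem_to_cs_value(pem: str) -> str:
    """Strip PEM armour and line breaks to the bare base64 DER CS.cfg expects."""
    body = []
    for raw in pem.splitlines():
        line = raw.strip()
        if line and not line.startswith("-----"):
            body.append(line)
    value = "".join(body)
    base64.b64decode(value, validate=True)  # fail early on garbage input
    return value


def read_directive(cfg_text: str, directive: str) -> str | None:
    """Return the value of `directive=` in a CS.cfg text, or None if absent."""
    prefix = directive + "="
    for line in cfg_text.splitlines():
        if line.startswith(prefix):
            return line[len(prefix):]
    return None


def set_directive(cfg_text: str, directive: str, value: str) -> str:
    """Return cfg_text with `directive=value` replaced in place or appended."""
    lines = cfg_text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(directive + "="):
            lines[i] = f"{directive}={value}"
            break
    else:
        lines.append(f"{directive}={value}")
    return "\n".join(lines) + "\n"


def check_subsystems(configs: dict[str, str], current_pem: str) -> dict[str, bool]:
    """Map subsystem -> True if its CS.cfg copy matches the live certificate."""
    expected = pem_to_cs_value(current_pem)
    return {
        subsystem: read_directive(cfg, SSLSERVER_DIRECTIVE[subsystem]) == expected
        for subsystem, cfg in configs.items()
    }


def repair_subsystems(configs: dict[str, str], current_pem: str) -> dict[str, str]:
    """Return updated CS.cfg texts with every sslserver.cert copy set to the live cert."""
    expected = pem_to_cs_value(current_pem)
    return {
        subsystem: set_directive(cfg, SSLSERVER_DIRECTIVE[subsystem], expected)
        for subsystem, cfg in configs.items()
    }


# Constructed sample data: the CA copy was refreshed, the KRA copy was not.
OLD_B64 = base64.b64encode(b"constructed DER of the expired Server-Cert").decode()
NEW_B64 = base64.b64encode(b"constructed DER of the renewed Server-Cert").decode()
NEW_PEM = f"-----BEGIN CERTIFICATE-----\n{NEW_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_CONFIGS = {
    "ca": f"ca.sslserver.nickname=Server-Cert cert-pki-ca\nca.sslserver.cert={NEW_B64}\n",
    "kra": f"kra.sslserver.nickname=Server-Cert cert-pki-ca\nkra.sslserver.cert={OLD_B64}\n",
}

if __name__ == "__main__":
    for subsystem, ok in check_subsystems(SAMPLE_CONFIGS, NEW_PEM).items():
        print(f"{subsystem}: {'OK' if ok else 'STALE copy of Server-Cert in CS.cfg'}")
    repaired = repair_subsystems(SAMPLE_CONFIGS, NEW_PEM)
    print("after repair:", check_subsystems(repaired, NEW_PEM))
```

Run against the constructed sample it reports the CA copy as current and the KRA copy as stale, which is exactly the state the healthcheck flagged on freeipa1 and freeipa2; after `repair_subsystems` both match. The only directive touched is the `sslserver.cert` line, so the nickname and every other setting in the file survive the rewrite.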