Hello,

On 2022-11-16 two of my four IPA servers have this healthcheck error:

freeipa1, freeipa2:

  {
    "source": "pki.server.healthcheck.meta.csconfig",
    "check": "KRADogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "892ad5b7-8612-4476-8120-2a5fe6c6b005",
    "when": "20221116030029Z",
    "duration": "0.024925",
    "kw": {
      "key": "kra_sslserver",
      "nickname": "Server-Cert cert-pki-ca",
      "directive": "kra.sslserver.cert",
      "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
      "msg": "Certificate 'Server-Cert cert-pki-ca' does not match the value of kra.sslserver.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
    }
  },

The servers freeipa1-3 are Fedora 36, freeipa4 is Fedora 37 - all up to date.

All files /var/lib/pki/pki-tomcat/kra/conf/CS.cfg have changed last
in Nov/Dec 2021. Most likely due to me looking at that issue and only
"fixing" the error but not investigating the root cause. Let's see if we
can remedy that.

On freeipa1, the "Server-Cert cert-pki-ca" has been refreshed on 2022-11-13 15:27:35 CET.
On freeipa2, the "Server-Cert cert-pki-ca" has been refreshed on 2022-11-11 15:22:12 CET.

The certificates on freeipa3 and freeipa4 will be refreshed in Nov 2023.

On freeipa2 there are these CS.cfg files:
[root@freeipa2 ~]# ls -l /var/lib/pki/pki-tomcat/*/conf/CS.cfg
-rw-rw----. 1 pkiuser pkiuser 85469 11. Nov 15:22 /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
-rw-rw----. 1 pkiuser pkiuser 34418 18. Nov 2021  /var/lib/pki/pki-tomcat/kra/conf/CS.cfg

So it looks like the helper only refreshed the cert in ca, not on kra.
The certificate request has this post-save command:

        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"

When looking at the script, we call this for the cert:
python3.10/site-packages/ipaserver/install/cainstance.py:1157:
    def update_cert_config(self, nickname, cert):

Which calls that function:
python3.10/site-packages/ipaserver/install/dogtaginstance.py:555:
    def update_cert_cs_cfg(self, directive, cert):

But: there is no code to loop over the running services in pki-tomcat as
far as I can see. So we update ca/conf/CS.cfg, but not kra/conf/CS.cfg.

Some related discussions:
https://bugzilla.redhat.com/show_bug.cgi?id=1869893 says:

  3.  Though the subsystems seem to be working without errors so far, we
still would like to have copies of the cert in CS.cfg...  In future,
these redundant copies of cert will be removed from CS.cfg and the code
will be altered to retrieve certs from its NSSDB.

I've collected the logs of the certificate refresh on freeipa2 and can
provide them, but there was no related error as far as I can see.

PKI thinks that CA and KRA are enabled in this instance:

[pkiuser@freeipa2 ~]$ pki-server status
  Instance ID: pki-tomcat
  Active: True
  Nuxwdog Enabled: False
  Unsecure Port: 8080
  Secure Port: 8443
  AJP Port: 8009
  Tomcat Port: 8005

  CA Subsystem:
    Type:                CA Clone (Security Domain)
    SD Name:             IPA
    SD Registration URL: https://freeipa2.example.org:8443
    Enabled:             True
    Unsecure URL:        http://freeipa2.example.org:8080/ca/ee/ca
    Secure Agent URL:    https://freeipa2.example.org:8443/ca/agent/ca
    Secure EE URL:       https://freeipa2.example.org:8443/ca/ee/ca
    Secure Admin URL:    https://freeipa2.example.org:8443/ca/services
    PKI Console URL:     https://freeipa2.example.org:8443/ca

  KRA Subsystem:
    Type:                KRA
    SD Name:             IPA
    SD Registration URL: https://freeipa2.example.org:443
    Enabled:             True
    Secure Agent URL:    https://freeipa2.example.org:8443/kra/agent/kra
    Secure Admin URL:    https://freeipa2.example.org:8443/kra/services
    PKI Console URL:     https://freeipa2.example.org:8443/kra

Is my analysis correct? What would be the right fix?

Jochen

-- 
This space is intentionally left blank.
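A check for the mismatch described in the post above, added here as an example (it is not FreeIPA, Dogtag or pki-healthcheck code): it parses each subsystem's CS.cfg, compares the stored sslserver copy with the certificate currently in the NSS DB, and lists the subsystems whose copy is stale. The CA directive name, the helper names and the sample certificate values are assumptions constructed for illustration.

```python
"""Cross-check the Server-Cert copies in each PKI subsystem's CS.cfg against
the certificate in the NSS DB. Added example, not project code; the sample
CS.cfg excerpts and certificate bodies below are constructed stand-ins."""
import base64
import re

# Subsystem -> CS.cfg directive that should hold a copy of the server cert.
# "kra.sslserver.cert" is the directive named by the healthcheck; the CA
# counterpart is assumed to follow the same naming.
SSLSERVER_DIRECTIVES = {"ca": "ca.sslserver.cert", "kra": "kra.sslserver.cert"}


def parse_cs_cfg(text):
    """Parse CS.cfg key=value lines into a dict; comments and blanks are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def normalize_cert(value):
    """Reduce a PEM or bare-base64 certificate to DER bytes for comparison."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", value)
    return base64.b64decode(re.sub(r"\s+", "", body), validate=True)


def find_stale_cert_copies(nssdb_cert, cs_cfg_by_subsystem):
    """Return (subsystem, directive) pairs whose CS.cfg copy differs from the NSS DB cert."""
    current = normalize_cert(nssdb_cert)
    stale = []
    for subsystem, cfg_text in cs_cfg_by_subsystem.items():
        directive = SSLSERVER_DIRECTIVES[subsystem]
        stored = parse_cs_cfg(cfg_text).get(directive)
        if stored is None or normalize_cert(stored) != current:
            stale.append((subsystem, directive))
    return stale


# Constructed stand-ins for DER certificates (real values are kilobytes of base64).
_RENEWED_DER = base64.b64encode(b"constructed DER: Server-Cert renewed 2022-11-11").decode()
_OLD_DER = base64.b64encode(b"constructed DER: Server-Cert issued 2021").decode()

SAMPLE_CS_CFG = {
    # ca/conf/CS.cfg was rewritten by the renewal helper and carries the new cert
    "ca": f"# constructed excerpt\nca.sslserver.nickname=Server-Cert cert-pki-ca\nca.sslserver.cert={_RENEWED_DER}\n",
    # kra/conf/CS.cfg was last touched in 2021 and still carries the old cert
    "kra": f"kra.sslserver.nickname=Server-Cert cert-pki-ca\nkra.sslserver.cert={_OLD_DER}\n",
}
# What an export of the Server-Cert nickname from the NSS DB would look like (constructed PEM).
SAMPLE_NSSDB_CERT = f"-----BEGIN CERTIFICATE-----\n{_RENEWED_DER}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for subsystem, directive in find_stale_cert_copies(SAMPLE_NSSDB_CERT, SAMPLE_CS_CFG):
        print(f"{subsystem}: {directive} does not match the NSS DB certificate")
```

On a real server the PEM would come from exporting the nickname out of the pki-tomcat NSS DB and the CS.cfg texts from /var/lib/pki/pki-tomcat/*/conf/CS.cfg, one entry per subsystem reported by pki-server status.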