It turns out that ipa01 (the CA renewal master) also has an issue: Unable to
communicate with CMS (403)

I found this:
https://www.mail-archive.com/[email protected]/msg12594.html
which mentions that both "secret" and "requiredSecret" should be
in /etc/pki/pki-tomcat/server.xml and match.

On ipa01 (VERSION: 4.9.8, API_VERSION: 2.246), I see only "secret".
On ipa02 (VERSION: 4.9.8, API_VERSION: 2.245), I see only "requiredSecret".

Can this be important?

Besides this, I ran ipa-healthcheck on both; the result is in the attachment.

On Wed, 16 Nov 2022 at 10:46, Roberto Cornacchia <
[email protected]> wrote:
> I also found in the journal:
>
> Nov 16 07:40:11 ipa02.hq.spinque.com certmonger[10967]: 2022-11-16
> 07:40:11 [10967] Running enrollment/cadata helper
> "/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit".
> Nov 16 07:40:11 ipa02.hq.spinque.com certmonger[10967]: Error opening
> "/etc/httpd/alias/pwdfile.txt": No such file or directory.
>
>
> On Wed, 16 Nov 2022 at 10:34, Roberto Cornacchia <
> [email protected]> wrote:
>
>> No luck with that, unfortunately:
>>
>> # getcert resubmit -d /etc/pki/pki-tomcat/alias -n 'subsystemCert
>> cert-pki-ca' -v -w
>> No request found that matched arguments.
>>
>> # getcert list
>> Number of certificates and requests being tracked: 0.
>>
>>
>> On Wed, 16 Nov 2022 at 01:40, Rob Crittenden <[email protected]> wrote:
>>
>>> Roberto Cornacchia via FreeIPA-users wrote:
>>> >
>>> > I'm not sure why it was not renewed, but now that it is in this
>>> > state, what would be the correct procedure to renew it?
>>> >
>>> >
>>> > The other IPA server is the CA renewal master and it does have a valid
>>> > certificate.
>>>
>>> The CA subsystem certificates are renewed on the renewal master server
>>> and put into LDAP. The CA clones will pick up the certificates from
>>> there. You can force it to try to fetch it with:
>>>
>>> # getcert resubmit -d /etc/pki/pki-tomcat/alias -n 'subsystemCert
>>> cert-pki-ca' -v -w
>>>
>>> With -v and -w you'll be able to follow along with the progress.
>>>
>>> rob
>>>
>>>
Expired Cert: ocsp_signing
Expired Cert: subsystem
Expired Cert: audit_signing
Internal server error HTTPConnectionPool(host='ipa02.hq.spinque.com',
port=8080): Max retries exceeded with url: /ca/rest/securityDomain/domainInfo
(Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at
0x7fb544361f28>: Failed to establish a new connection: [Errno 111] Connection
refused',))
Internal server error HTTPSConnectionPool(host='ipa02.hq.spinque.com',
port=8443): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by
NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at
0x7fb54422d1d0>: Failed to establish a new connection: [Errno 111] Connection
refused',))
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
[
{
"source": "ipahealthcheck.meta.services",
"check": "ipa_dnskeysyncd",
"result": "ERROR",
"uuid": "428f9e24-cc48-4db2-8600-f7561b191921",
"when": "20221116113421Z",
"duration": "0.010753",
"kw": {
"status": false,
"msg": "ipa-dnskeysyncd: not running"
}
},
{
"source": "ipahealthcheck.meta.services",
"check": "ipa_otpd",
"result": "ERROR",
"uuid": "5e31e2cf-1acf-4432-86ef-a47608f6c73b",
"when": "20221116113421Z",
"duration": "0.010732",
"kw": {
"status": false,
"msg": "ipa-otpd: not running"
}
},
{
"source": "ipahealthcheck.meta.services",
"check": "pki_tomcatd",
"result": "ERROR",
"uuid": "7b28f0b7-9f69-4840-af4a-daf8880ec668",
"when": "20221116113421Z",
"duration": "0.000768",
"kw": {
"status": false,
"msg": "pki_tomcatd: not running"
}
},
{
"source": "pki.server.healthcheck.certs.expiration",
"check": "CASystemCertExpiryCheck",
"result": "ERROR",
"uuid": "49d19a69-32b6-4ed0-9e89-ac71d94aa1ae",
"when": "20221116113421Z",
"duration": "0.160780",
"kw": {
"cert_id": "ocsp_signing",
"expiry_date": "Nov 11 2022",
"msg": "Certificate has ALREADY EXPIRED"
}
},
{
"source": "pki.server.healthcheck.certs.expiration",
"check": "CASystemCertExpiryCheck",
"result": "ERROR",
"uuid": "b66e5599-328a-47ef-a31a-7333b8e89701",
"when": "20221116113422Z",
"duration": "0.318043",
"kw": {
"cert_id": "subsystem",
"expiry_date": "Nov 11 2022",
"msg": "Certificate has ALREADY EXPIRED"
}
},
{
"source": "pki.server.healthcheck.certs.expiration",
"check": "CASystemCertExpiryCheck",
"result": "ERROR",
"uuid": "3ebc2eff-021a-4a3a-9c02-3f62d2887c57",
"when": "20221116113422Z",
"duration": "0.394552",
"kw": {
"cert_id": "audit_signing",
"expiry_date": "Nov 11 2022",
"msg": "Certificate has ALREADY EXPIRED"
}
},
{
"source": "pki.server.healthcheck.meta.connectivity",
"check": "DogtagCACertsConnectivityCheck",
"result": "CRITICAL",
"uuid": "22171f05-6cca-4493-84fd-ad033dae3409",
"when": "20221116113423Z",
"duration": "0.014606",
"kw": {
"msg": "Internal server error. Is your CA subsystem and LDAP database
up?",
"instance_name": "pki-tomcat",
"exception": "HTTPSConnectionPool(host='ipa02.hq.spinque.com',
port=8443): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by
NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at
0x7fb54422d1d0>: Failed to establish a new connection: [Errno 111] Connection
refused',))"
}
},
{
"source": "ipahealthcheck.dogtag.ca",
"check": "DogtagCertsConnectivityCheck",
"result": "ERROR",
"uuid": "a09deea7-958f-4937-bd87-08a962258359",
"when": "20221116113423Z",
"duration": "0.266179",
"kw": {
"msg": "Request for certificate failed, cannot connect to
'https://ipa02.hq.spinque.com:443/ca/rest/certs/1': [SSL:
SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:2354)"
}
},
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationCheck",
"result": "ERROR",
"uuid": "c15f9b75-47c4-4408-a92a-36e27017c945",
"when": "20221116113423Z",
"duration": "0.166950",
"kw": {
"key": "DSREPLLE0005",
"items": [
"Replication",
"Agreement"
],
"msg": "The replication agreement
(ipa02.hq.spinque.com-to-ipa03.hq.spinque.com) under
\"dc=hq,dc=spinque,dc=com\" is not in synchronization,\nbecause the consumer
server is not reachable."
}
},
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationCheck",
"result": "ERROR",
"uuid": "4a8b76fb-1a2b-4420-ae37-8736fb4a0666",
"when": "20221116113424Z",
"duration": "0.166973",
"kw": {
"key": "DSREPLLE0005",
"items": [
"Replication",
"Agreement"
],
"msg": "The replication agreement
(ipa02.hq.spinque.com-to-ipa03.hq.spinque.com) under \"o=ipaca\" is not in
synchronization,\nbecause the consumer server is not reachable."
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertTracking",
"result": "ERROR",
"uuid": "7b66d59b-70a0-40eb-b5d6-3361490c987a",
"when": "20221116113424Z",
"duration": "0.328724",
"kw": {
"key": "cert-file=/var/lib/ipa/ra-agent.pem,
key-file=/var/lib/ipa/ra-agent.key, ca-name=dogtag-ipa-ca-renew-agent,
cert-presave-command=/usr/libexec/ipa/certmonger/renew_ra_cert_pre,
cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ra_cert",
"msg": "Expected certmonger tracking is missing for {key}. Automated
renewal will not happen for this certificate"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertTracking",
"result": "ERROR",
"uuid": "5d938181-74bc-48b4-822c-77d6840ee339",
"when": "20221116113424Z",
"duration": "0.330127",
"kw": {
"key": "cert-database=/etc/pki/pki-tomcat/alias,
cert-nickname=auditSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent,
cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad,
cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert
\"auditSigningCert cert-pki-ca\", template-profile=caSignedLogCert",
"msg": "Expected certmonger tracking is missing for {key}. Automated
renewal will not happen for this certificate"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertTracking",
"result": "ERROR",
"uuid": "93a3977d-f118-490a-bd83-c2f115c8969c",
"when": "20221116113424Z",
"duration": "0.331468",
"kw": {
"key": "cert-database=/etc/pki/pki-tomcat/alias,
cert-nickname=ocspSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent,
cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad,
cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert
\"ocspSigningCert cert-pki-ca\", template-profile=caOCSPCert",
"msg": "Expected certmonger tracking is missing for {key}. Automated
renewal will not happen for this certificate"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertTracking",
"result": "ERROR",
"uuid": "d07fe28c-1a69-408d-8ec9-aad6e3d1736e",
"when": "20221116113424Z",
"duration": "0.332812",
"kw": {
"key": "cert-database=/etc/pki/pki-tomcat/alias,
cert-nickname=subsystemCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent,
cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad,
cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"subsystemCert
cert-pki-ca\", template-profile=caSubsystemCert",
"msg": "Expected certmonger tracking is missing for {key}. Automated
renewal will not happen for this certificate"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertTracking",
"result": "ERROR",
"uuid": "a3591351-d6e8-4eda-8369-1202c7734cdf",
"when": "20221116113424Z",
"duration": "0.334141",
"kw": {
"key": "cert-database=/etc/pki/pki-tomcat/alias,
cert-nickname=caSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent,
cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad,
cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"caSigningCert
cert-pki-ca\", template-profile=caCACert",
"msg": "Expected certmonger tracking is missing for {key}. Automated
renewal will not happen for this certificate"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertTracking",
"result": "ERROR",
"uuid": "4ac27592-1c76-4979-b173-92ab730f203e",
"when": "20221116113424Z",
"duration": "0.335484",
"kw": {
"key": "cert-database=/etc/pki/pki-tomcat/alias,
cert-nickname=Server-Cert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent,
cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad,
cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"Server-Cert
cert-pki-ca\", template-profile=caServerCert",
"msg": "Expected certmonger tracking is missing for {key}. Automated
renewal will not happen for this certificate"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertTracking",
"result": "ERROR",
"uuid": "c27052f3-66b2-43f6-9bc7-816a0749aa41",
"when": "20221116113424Z",
"duration": "0.336819",
"kw": {
"key": "cert-file=/var/lib/ipa/certs/httpd.crt,
key-file=/var/lib/ipa/private/httpd.key, ca-name=IPA,
cert-postsave-command=/usr/libexec/ipa/certmonger/restart_httpd",
"msg": "Expected certmonger tracking is missing for {key}. Automated
renewal will not happen for this certificate"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertTracking",
"result": "ERROR",
"uuid": "7cd05728-10ff-48d8-8200-e7e1d08835c1",
"when": "20221116113424Z",
"duration": "0.338150",
"kw": {
"key": "cert-database=/etc/dirsrv/slapd-HQ-SPINQUE-COM,
cert-nickname=Server-Cert, ca-name=IPA,
cert-postsave-command=/usr/libexec/ipa/certmonger/restart_dirsrv
HQ-SPINQUE-COM",
"msg": "Expected certmonger tracking is missing for {key}. Automated
renewal will not happen for this certificate"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertTracking",
"result": "ERROR",
"uuid": "b31b1b25-2909-4547-bc3a-b902e54cbf45",
"when": "20221116113424Z",
"duration": "0.339508",
"kw": {
"key": "cert-file=/var/kerberos/krb5kdc/kdc.crt,
key-file=/var/kerberos/krb5kdc/kdc.key, ca-name=None,
cert-postsave-command=/usr/libexec/ipa/certmonger/renew_kdc_cert",
"msg": "Expected certmonger tracking is missing for {key}. Automated
renewal will not happen for this certificate"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertDNSSAN",
"result": "ERROR",
"uuid": "c4c329d7-a6c5-44ec-8fee-aa65073f2f8d",
"when": "20221116113424Z",
"duration": "0.329118",
"kw": {
"key": null,
"msg": "Found request id {key} but it is not trackedby certmonger!?"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertDNSSAN",
"result": "ERROR",
"uuid": "2334edd9-df32-42a9-9cc8-bdc618e5f1ae",
"when": "20221116113424Z",
"duration": "0.330471",
"kw": {
"key": null,
"msg": "Found request id {key} but it is not trackedby certmonger!?"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertDNSSAN",
"result": "ERROR",
"uuid": "65dcad1b-47cf-42df-8c5c-5e1290273886",
"when": "20221116113424Z",
"duration": "0.331785",
"kw": {
"key": null,
"msg": "Found request id {key} but it is not trackedby certmonger!?"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertDNSSAN",
"result": "ERROR",
"uuid": "66e9c9d4-a88f-4bc9-80c1-4d533694b2ff",
"when": "20221116113424Z",
"duration": "0.333117",
"kw": {
"key": null,
"msg": "Found request id {key} but it is not trackedby certmonger!?"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertDNSSAN",
"result": "ERROR",
"uuid": "731366cf-65e1-46b7-8a04-c137527f1f8a",
"when": "20221116113424Z",
"duration": "0.334439",
"kw": {
"key": null,
"msg": "Found request id {key} but it is not trackedby certmonger!?"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertDNSSAN",
"result": "ERROR",
"uuid": "3148ff11-498b-48dc-bf58-38682367090c",
"when": "20221116113424Z",
"duration": "0.335765",
"kw": {
"key": null,
"msg": "Found request id {key} but it is not trackedby certmonger!?"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertDNSSAN",
"result": "ERROR",
"uuid": "4b7a761a-aba5-4653-9442-6e444e07b8d0",
"when": "20221116113424Z",
"duration": "0.337106",
"kw": {
"key": null,
"msg": "Found request id {key} but it is not trackedby certmonger!?"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertDNSSAN",
"result": "ERROR",
"uuid": "d00c9878-0f81-4d75-b4f0-83fe244401d8",
"when": "20221116113424Z",
"duration": "0.338417",
"kw": {
"key": null,
"msg": "Found request id {key} but it is not trackedby certmonger!?"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertDNSSAN",
"result": "ERROR",
"uuid": "e5e77586-c5b7-498f-aa84-ea442606b423",
"when": "20221116113424Z",
"duration": "0.339691",
"kw": {
"key": null,
"msg": "Found request id {key} but it is not trackedby certmonger!?"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPAOpenSSLChainValidation",
"result": "ERROR",
"uuid": "217ee434-4c2b-43e6-9fa7-3761c3284eb0",
"when": "20221116113426Z",
"duration": "0.013590",
"kw": {
"key": "/var/lib/ipa/ra-agent.pem",
"reason": "O = HQ.SPINQUE.COM, CN = IPA RA\nerror 10 at 0 depth lookup:
certificate has expired\n",
"msg": "Certificate validation for {key} failed: {reason}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPARAAgent",
"result": "ERROR",
"uuid": "343f2c35-5d69-43f1-a21b-4a01f5be6eb9",
"when": "20221116113426Z",
"duration": "0.026160",
"kw": {
"expected": "2;1610547201;CN=Certificate
Authority,O=HQ.SPINQUE.COM;CN=IPA RA,O=HQ.SPINQUE.COM",
"got": "2;1610547213;CN=Certificate Authority,O=HQ.SPINQUE.COM;CN=IPA
RA,O=HQ.SPINQUE.COM",
"msg": "RA agent description does not match. Found {got} in LDAP and
expected {expected}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "a345c2ae-4a66-484a-9099-7fa65c1b41e5",
"when": "20221116113427Z",
"duration": "0.351179",
"kw": {
"key": null,
"serial": 1610547201,
"error": "cannot connect to
'https://ipa02.hq.spinque.com:443/ca/rest/certs/1610547201': [SSL:
SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:2354)",
"msg": "Request for certificate serial number {serial} in request {key}
failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "d45b2b0f-d0ae-4ec9-a11a-9acf86524572",
"when": "20221116113427Z",
"duration": "0.405761",
"kw": {
"key": null,
"serial": 1610547204,
"error": "cannot connect to
'https://ipa02.hq.spinque.com:443/ca/rest/certs/1610547204': [SSL:
SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:2354)",
"msg": "Request for certificate serial number {serial} in request {key}
failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "e5053f4b-9f70-4e84-9c27-f50321523163",
"when": "20221116113427Z",
"duration": "0.462256",
"kw": {
"key": null,
"serial": 1610547203,
"error": "cannot connect to
'https://ipa02.hq.spinque.com:443/ca/rest/certs/1610547203': [SSL:
SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:2354)",
"msg": "Request for certificate serial number {serial} in request {key}
failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "b15253d7-9235-45be-8fbf-49154959bb18",
"when": "20221116113427Z",
"duration": "0.517687",
"kw": {
"key": null,
"serial": 1610547202,
"error": "cannot connect to
'https://ipa02.hq.spinque.com:443/ca/rest/certs/1610547202': [SSL:
SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:2354)",
"msg": "Request for certificate serial number {serial} in request {key}
failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "97d76838-5cf6-4d6e-960b-269f4eb955f4",
"when": "20221116113427Z",
"duration": "0.572890",
"kw": {
"key": null,
"serial": 1,
"error": "cannot connect to
'https://ipa02.hq.spinque.com:443/ca/rest/certs/1': [SSL:
SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:2354)",
"msg": "Request for certificate serial number {serial} in request {key}
failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "c8c52c5f-f0a0-4232-bebf-e485e44490ce",
"when": "20221116113427Z",
"duration": "0.628354",
"kw": {
"key": null,
"serial": 1610547208,
"error": "cannot connect to
'https://ipa02.hq.spinque.com:443/ca/rest/certs/1610547208': [SSL:
SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:2354)",
"msg": "Request for certificate serial number {serial} in request {key}
failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "73f064ef-c4a2-4597-9646-0fda4eb59a19",
"when": "20221116113427Z",
"duration": "0.643545",
"kw": {
"key": null,
"serial": 1610547207,
"error": "cannot connect to
'https://ipa02.hq.spinque.com:443/ca/rest/certs/1610547207': [SSL:
SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:2354)",
"msg": "Request for certificate serial number {serial} in request {key}
failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "06897905-b5da-441c-96b7-7adbaf338ca1",
"when": "20221116113427Z",
"duration": "0.700798",
"kw": {
"key": null,
"serial": 1610547206,
"error": "cannot connect to
'https://ipa02.hq.spinque.com:443/ca/rest/certs/1610547206': [SSL:
SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:2354)",
"msg": "Request for certificate serial number {serial} in request {key}
failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "902cf106-d105-47bf-a0fe-7312d8a99553",
"when": "20221116113427Z",
"duration": "0.715412",
"kw": {
"key": null,
"serial": 1610547209,
"error": "cannot connect to
'https://ipa02.hq.spinque.com:443/ca/rest/certs/1610547209': [SSL:
SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:2354)",
"msg": "Request for certificate serial number {serial} in request {key}
failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertmongerCA",
"result": "ERROR",
"uuid": "0d4b5f20-c3bd-464c-a964-058e383aaf78",
"when": "20221116113427Z",
"duration": "0.003946",
"kw": {
"key": "dogtag-ipa-ca-renew-agent",
"msg": "Certmonger CA '{key}' missing"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertmongerCA",
"result": "ERROR",
"uuid": "af8eca3d-5d18-4afe-83aa-96f7ddd84087",
"when": "20221116113427Z",
"duration": "0.005468",
"kw": {
"key": "dogtag-ipa-ca-renew-agent-reuse",
"msg": "Certmonger CA '{key}' missing"
}
},
{
"source": "ipahealthcheck.ipa.dna",
"check": "IPADNARangeCheck",
"result": "WARNING",
"uuid": "bc767f75-2810-4f0b-881b-2eb3c63bf818",
"when": "20221116113427Z",
"duration": "0.265330",
"kw": {
"range_start": 0,
"range_max": 0,
"next_start": 0,
"next_max": 0,
"msg": "No DNA range defined. If no masters define a range then users and
groups cannot be created."
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "b9f40c81-9da4-43ca-9b3c-3b5e1361d6bc",
"when": "20221116113427Z",
"duration": "0.041334",
"kw": {
"msg": "Got {count} ipa-ca A records, expected {expected}",
"count": 1,
"expected": 2
}
},
{
"source": "ipahealthcheck.ipa.files",
"check": "IPAFileCheck",
"result": "WARNING",
"uuid": "7e3bc7e8-2c03-477c-bce5-65002f787ed4",
"when": "20221116113427Z",
"duration": "0.009593",
"kw": {
"key": "_var_log_ipaupgrade.log_mode",
"path": "/var/log/ipaupgrade.log",
"type": "mode",
"expected": "0600",
"got": "0644",
"msg": "Permissions of /var/log/ipaupgrade.log are too permissive: 0644
and should be 0600"
}
},
{
"source": "ipahealthcheck.ipa.files",
"check": "IPAFileCheck",
"result": "WARNING",
"uuid": "917f4b06-3379-4d4d-80be-f7224ad8053f",
"when": "20221116113427Z",
"duration": "0.010298",
"kw": {
"key": "_var_log_kadmind.log_mode",
"path": "/var/log/kadmind.log",
"type": "mode",
"expected": "0600",
"got": "0640",
"msg": "Permissions of /var/log/kadmind.log are too permissive: 0640 and
should be 0600"
}
}
]
Internal server error 403 Client Error: 403 for url:
http://ipa01.hq.spinque.com:80/ca/rest/securityDomain/domainInfo
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA
REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA
REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA
REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA
REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA
REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA
REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA
REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA
REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA
REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA
REST API: 403. (403)
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
[
{
"source": "ipahealthcheck.dogtag.ca",
"check": "DogtagCertsConnectivityCheck",
"result": "ERROR",
"uuid": "1622e91f-c41c-4fbe-8a93-3e46ab824dd5",
"when": "20221116113450Z",
"duration": "0.202681",
"kw": {
"msg": "Request for certificate failed, Certificate operation cannot be
completed: Request failed with status 403: Non-2xx response from CA REST API:
403. (403)"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "aa8d51c5-edde-4f8f-a56a-9f9a424e3dc6",
"when": "20221116113455Z",
"duration": "0.512292",
"kw": {
"key": "20210624135015",
"serial": 1610547213,
"error": "Certificate operation cannot be completed: Request failed with
status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request {key}
failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "f32f9960-03d4-43e0-be9d-de1bfbf7ea4e",
"when": "20221116113455Z",
"duration": "0.613556",
"kw": {
"key": "20210624135010",
"serial": 1610547216,
"error": "Certificate operation cannot be completed: Request failed with
status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request {key}
failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "6e9e96fa-46ed-4201-aaf9-8c167e8b9325",
"when": "20221116113455Z",
"duration": "0.713730",
"kw": {
"key": "20210624135011",
"serial": 1610547215,
"error": "Certificate operation cannot be completed: Request failed with
status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request {key}
failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "7887eb1c-ee79-42bb-bbe7-83f6b20c0385",
"when": "20221116113455Z",
"duration": "0.814992",
"kw": {
"key": "20210624135012",
"serial": 1610547214,
"error": "Certificate operation cannot be completed: Request failed with
status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request {key}
failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "1374815b-f62d-42e3-b6ca-99a222f6ccc7",
"when": "20221116113455Z",
"duration": "0.918946",
"kw": {
"key": "20210624135013",
"serial": 1,
"error": "Certificate operation cannot be completed: Request failed with
status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request {key}
failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "6c7b4e82-09ce-45e1-8a8b-231d7be0a178",
"when": "20221116113456Z",
"duration": "1.022137",
"kw": {
"key": "20210624135014",
"serial": 1610547210,
"error": "Certificate operation cannot be completed: Request failed with
status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request {key}
failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "1bed5091-6351-4d5e-b92d-a658a6decb53",
"when": "20221116113456Z",
"duration": "1.078608",
"kw": {
"key": "20210624135017",
"serial": 1610547205,
"error": "Certificate operation cannot be completed: Request failed with
status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request {key}
failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "c0e33965-1be7-48ca-8199-91fa35e7ca63",
"when": "20221116113456Z",
"duration": "1.178624",
"kw": {
"key": "20210624135016",
"serial": 1610547211,
"error": "Certificate operation cannot be completed: Request failed with
status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request {key}
failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "5f4af083-5e0f-4b88-a1f0-1e42e2084b5b",
"when": "20221116113456Z",
"duration": "1.234213",
"kw": {
"key": "20200729161416",
"serial": 1610547212,
"error": "Certificate operation cannot be completed: Request failed with
status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request {key}
failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "2783e8ac-2191-401f-a36e-069a23097b61",
"when": "20221116113456Z",
"duration": "0.033869",
"kw": {
"msg": "Got {count} ipa-ca A records, expected {expected}",
"count": 1,
"expected": 2
}
},
{
"source": "ipahealthcheck.ipa.files",
"check": "IPAFileCheck",
"result": "WARNING",
"uuid": "40c22923-b80f-41ae-b326-c819cdfb0591",
"when": "20221116113456Z",
"duration": "0.001666",
"kw": {
"key": "_var_log_ipaupgrade.log_mode",
"path": "/var/log/ipaupgrade.log",
"type": "mode",
"expected": "0600",
"got": "0644",
"msg": "Permissions of /var/log/ipaupgrade.log are too permissive: 0644
and should be 0600"
}
},
{
"source": "ipahealthcheck.ipa.files",
"check": "IPAFileCheck",
"result": "WARNING",
"uuid": "5f6efdfe-8994-445d-985e-30a5d49dd326",
"when": "20221116113456Z",
"duration": "0.001897",
"kw": {
"key": "_var_log_kadmind.log_mode",
"path": "/var/log/kadmind.log",
"type": "mode",
"expected": "0600",
"got": "0640",
"msg": "Permissions of /var/log/kadmind.log are too permissive: 0640 and
should be 0600"
}
}
]
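
An added example, not part of the original message or of the FreeIPA code base: a read-only check for the server.xml condition raised at the top of this message, reporting for each AJP connector whether `secret` and `requiredSecret` are present and equal, without printing their values. The sample XML documents, addresses and secret values are constructed; the first two model the states reported for ipa01 and ipa02.

```python
"""Audit the AJP connector secret attributes in a Tomcat server.xml."""
import hmac
import sys
import xml.etree.ElementTree as ET

# Path named in the message above; used only when the script is run directly.
DEFAULT_PATH = "/etc/pki/pki-tomcat/server.xml"


def classify(connector):
    """Return a status for one AJP <Connector>; the values are never returned."""
    secret = connector.get("secret")
    required = connector.get("requiredSecret")
    if secret is None and required is None:
        return "none"
    if required is None:
        return "only-secret"
    if secret is None:
        return "only-requiredSecret"
    # Constant-time comparison, so the check itself does not leak the values.
    same = hmac.compare_digest(secret.encode(), required.encode())
    return "match" if same else "mismatch"


def audit_ajp_secrets(xml_text):
    """List (port, address, status) for every AJP connector, in file order."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue  # HTTP/HTTPS connectors carry no AJP secret
        findings.append((conn.get("port"), conn.get("address"), classify(conn)))
    return findings


def all_match(xml_text):
    """True only if there is at least one AJP connector and all are 'match'."""
    findings = audit_ajp_secrets(xml_text)
    return bool(findings) and all(status == "match" for _, _, status in findings)


def _sample(*ajp_attrs):
    """Build a constructed server.xml: one HTTP connector plus the given AJP ones."""
    ajp = "\n".join(
        f'    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" {a}/>'
        for a in ajp_attrs
    )
    return (
        '<Server port="8005" shutdown="SHUTDOWN">\n  <Service name="Catalina">\n'
        '    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>\n'
        f"{ajp}\n  </Service>\n</Server>"
    )


# Constructed inputs (not taken from the servers in this thread).
SAMPLE_ONLY_SECRET = _sample('address="127.0.0.1" secret="constructed-A"')
SAMPLE_ONLY_REQUIRED = _sample('address="127.0.0.1" requiredSecret="constructed-A"')
SAMPLE_BOTH = _sample(
    'address="127.0.0.1" secret="constructed-A" requiredSecret="constructed-A"',
    'address="::1" secret="constructed-A" requiredSecret="constructed-B"',
)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PATH
    with open(path, encoding="utf-8") as fh:
        for port, address, status in audit_ajp_secrets(fh.read()):
            print(f"AJP connector port={port} address={address}: {status}")
```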