Hi,

On Wed, Nov 16, 2022 at 9:54 AM Jochen Kellner via FreeIPA-users <
[email protected]> wrote:

>
> Hello,
>
> On 2022-11-16 two of my four IPA servers have this healthcheck error:
>
> freeipa1, freeipa2:
>
>   {
>     "source": "pki.server.healthcheck.meta.csconfig",
>     "check": "KRADogtagCertsConfigCheck",
>     "result": "ERROR",
>     "uuid": "892ad5b7-8612-4476-8120-2a5fe6c6b005",
>     "when": "20221116030029Z",
>     "duration": "0.024925",
>     "kw": {
>       "key": "kra_sslserver",
>       "nickname": "Server-Cert cert-pki-ca",
>       "directive": "kra.sslserver.cert",
>       "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
>       "msg": "Certificate 'Server-Cert cert-pki-ca' does not match the
> value of kra.sslserver.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
>     }
>   },
>
> The servers freeipa1-3 are Fedora 36, freeipa4 is Fedora 37 - all up to date.
>
> All files /var/lib/pki/pki-tomcat/kra/conf/CS.cfg have changed last
> in Nov/Dec 2021. Most likely due to me looking at that issue and only
> "fixing" the error but not investigating the root cause. Let's see if we
> can remedy that.
>
> On freeipa1, the "Server-Cert cert-pki-ca" has been refreshed on
> 2022-11-13 15:27:35 CET.
> On freeipa2, the "Server-Cert cert-pki-ca" has been refreshed on
> 2022-11-11 15:22:12 CET.
>
> The certificates on freeipa3 and freeipa4 will be refreshed in Nov 2023.
>
> On freeipa2 there are these CS.cfg files:
> [root@freeipa2 ~]# ls -l /var/lib/pki/pki-tomcat/*/conf/CS.cfg
> -rw-rw----. 1 pkiuser pkiuser 85469 11. Nov 15:22
> /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
> -rw-rw----. 1 pkiuser pkiuser 34418 18. Nov 2021
> /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
>
> So it looks like the helper only refreshed the cert in ca, not on kra.
> The certificate request has this post-save command:
>
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "Server-Cert cert-pki-ca"
>
> When looking at the script, we call this for the cert:
> python3.10/site-packages/ipaserver/install/cainstance.py:1157:
>     def update_cert_config(self, nickname, cert):
>
> Which calls that function:
> python3.10/site-packages/ipaserver/install/dogtaginstance.py:555:
>     def update_cert_cs_cfg(self, directive, cert):
>
> But: there is no code to loop over the running services in pki-tomcat as
> far as I can see. So we update ca/conf/CS.cfg, but not kra/conf/CS.cfg.
>
> Some related discussions:
> https://bugzilla.redhat.com/show_bug.cgi?id=1869893 says:
>
>   3.  Though the subsystems seem to be working without errors so far, we
> still would like to have copies of the cert in CS.cfg...  In future,
> these redundant copies of cert will be removed from CS.cfg and the code
> will be altered to retrieve certs from its NSSDB.
>
> I've collected the logs of the certificate refresh on freeipa2 and can
> provide them, but there was no related error as far as I can see.
>
> PKI thinks that CA and KRA are enabled in this instance:
>
> [pkiuser@freeipa2 ~]$ pki-server status
>   Instance ID: pki-tomcat
>   Active: True
>   Nuxwdog Enabled: False
>   Unsecure Port: 8080
>   Secure Port: 8443
>   AJP Port: 8009
>   Tomcat Port: 8005
>
>   CA Subsystem:
>     Type:                CA Clone (Security Domain)
>     SD Name:             IPA
>     SD Registration URL: https://freeipa2.example.org:8443
>     Enabled:             True
>     Unsecure URL:        http://freeipa2.example.org:8080/ca/ee/ca
>     Secure Agent URL:    https://freeipa2.example.org:8443/ca/agent/ca
>     Secure EE URL:       https://freeipa2.example.org:8443/ca/ee/ca
>     Secure Admin URL:    https://freeipa2.example.org:8443/ca/services
>     PKI Console URL:     https://freeipa2.example.org:8443/ca
>
>   KRA Subsystem:
>     Type:                KRA
>     SD Name:             IPA
>     SD Registration URL: https://freeipa2.example.org:443
>     Enabled:             True
>     Secure Agent URL:    https://freeipa2.example.org:8443/kra/agent/kra
>     Secure Admin URL:    https://freeipa2.example.org:8443/kra/services
>     PKI Console URL:     https://freeipa2.example.org:8443/kra
>
> Is my analysis correct? What would be the right fix?
>
Thanks for the detailed description, you completely nailed it.
The post-save command does not update the certificate in the
kra/conf/CS.cfg file but you can manually fix it.

Extract the new certificate from the NSS database, remove the header and
footer and print it on a single line:
# certutil -L -d /etc/pki/pki-tomcat/alias/ -n "Server-Cert cert-pki-ca" -a
| tail -n +2 | head -n -1 | tr -d '\r\n'

The above command provides you with the PEM cert that you can copy-paste
into /var/lib/pki/pki-tomcat/kra/conf/CS.cfg: replace the line
kra.sslserver.cert=MII....
with the new value:
kra.sslserver.cert=<new value from certutil command>

After that, the ipa-healthcheck warning should not appear any more.

Could you open a ticket against freeipa at https://pagure.io/freeipa/issues
so that we fix the post-save command? It looks like it doesn't take into
account the KRA certificates.
Thanks.
flo

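A small script that does the check and the manual fix above for both subsystems, added here as an example and not code from the thread or from FreeIPA. It assumes you have already exported "Server-Cert cert-pki-ca" to a PEM file (for example with the certutil -L ... -a command quoted above; certutil is not called here), that the KRA directive is kra.sslserver.cert as shown in the healthcheck output, and that the CA uses ca.sslserver.cert by analogy.

```bash
#!/bin/bash
# Compare an exported "Server-Cert cert-pki-ca" PEM against the <subsystem>.sslserver.cert
# value in each pki-tomcat CS.cfg, and optionally rewrite a stale value (with a backup).
set -eu

# Drop the PEM header/footer and join the base64 body to one line, the form CS.cfg stores.
pem_to_single_line() {
    sed -e '/^-----BEGIN /d' -e '/^-----END /d' "$1" | tr -d '\r\n'
}

# Print the value of one directive from a CS.cfg file (exact key match, first hit).
cfg_value() {   # args: cfg-file directive
    awk -F= -v k="$2" '$1 == k { print substr($0, length(k) + 2); exit }' "$1"
}

# Exit 0 when the PEM body equals the directive value, i.e. what the healthcheck expects.
cs_cfg_matches() {   # args: pem-file cfg-file directive
    [ "$(pem_to_single_line "$1")" = "$(cfg_value "$2" "$3")" ]
}

# Replace the directive value with the PEM body. Writes through the existing file
# so the pkiuser ownership and 0660 mode are kept, after saving a timestamped backup.
update_cs_cfg() {   # args: pem-file cfg-file directive
    local pem=$1 cfg=$2 key=$3 body
    body=$(pem_to_single_line "$pem")
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
    awk -F= -v k="$key" -v v="$body" '$1 == k { $0 = k "=" v } { print }' "$cfg" > "$cfg.tmp"
    cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
}

# Usage: check_server_cert.sh <exported.pem> [/var/lib/pki/pki-tomcat]
# Reports each subsystem; set FIX=1 to rewrite stale values instead of only reporting.
if [ "$#" -ge 1 ]; then
    pem=$1; base=${2:-/var/lib/pki/pki-tomcat}
    for sub in ca kra; do
        cfg="$base/$sub/conf/CS.cfg"
        [ -f "$cfg" ] || continue            # subsystem not installed on this server
        if cs_cfg_matches "$pem" "$cfg" "$sub.sslserver.cert"; then
            echo "$cfg: $sub.sslserver.cert matches the NSS certificate"
        elif [ "${FIX:-0}" = 1 ]; then
            update_cs_cfg "$pem" "$cfg" "$sub.sslserver.cert"
            echo "$cfg: $sub.sslserver.cert updated (backup kept next to it)"
        else
            echo "$cfg: $sub.sslserver.cert is STALE (re-run with FIX=1 to rewrite)"
        fi
    done
fi
```

Run it as root on the affected server after exporting the certificate; re-run ipa-healthcheck afterwards to confirm KRADogtagCertsConfigCheck is clean.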

> Jochen
>
> --
> This space is intentionally left blank.
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>