Hi, Florence Blanc-Renaud via FreeIPA-users <[email protected]> writes:
> Hi,
>
> On Wed, Nov 16, 2022 at 9:54 AM Jochen Kellner via FreeIPA-users <
> [email protected]> wrote:
>
>>
>> Hello,
>>
>> On 2022-11-16 two of my four IPA servers have this healthcheck error:
>>
>> freeipa1, freeipa2:
>>
>> {
>>   "source": "pki.server.healthcheck.meta.csconfig",
>>   "check": "KRADogtagCertsConfigCheck",
...
>> When looking at the script, we call this for the cert:
>> python3.10/site-packages/ipaserver/install/cainstance.py:1157:
>>   def update_cert_config(self, nickname, cert):
>>
>> Which calls that function:
>> python3.10/site-packages/ipaserver/install/dogtaginstance.py:555:
>>   def update_cert_cs_cfg(self, directive, cert):
>>
>> But: there is no code to loop over the running services in pki-tomcat as
>> far as I can see. So we update ca/conf/CS.cfg, but not kra/conf/CS.cfg
>>
> Thanks for the detailed description, you completely nailed it.
> The post-save command does not update the certificate in the
> kra/conf/CS.cfg file but you can manually fix it.

You're welcome.
> Extract the new certificate from the NSS database, remove the header and
> footer and print it on a single line:
> # certutil -L -d /etc/pki/pki-tomcat/alias/ -n "Server-Cert cert-pki-ca" -a \
>     | tail -n +2 | head -n -1 | tr -d '\r\n'

I hope it will be fixed before the next certs expire :-) But if not, here's
my take in ansible to fix it when needed:

    - name: fetch ca.sslserver.cert from /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
      # sed rather than awk -F '=' '{ print $2 }': the base64 value ends in
      # '=' padding, which awk's second field would cut off
      ansible.builtin.command:
        cmd: sed -n 's/^ca\.sslserver\.cert=//p' /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
      register: ca_sslserver_cert
      check_mode: false
      changed_when: false

    - name: fetch kra.sslserver.cert from /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
      ansible.builtin.command:
        cmd: sed -n 's/^kra\.sslserver\.cert=//p' /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
      register: kra_sslserver_cert
      check_mode: false
      changed_when: false

    - name: fix ipa-healthcheck, KRADogtagCertsConfigCheck
      ansible.builtin.lineinfile:
        dest: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
        regexp: '^kra\.sslserver\.cert='
        line: 'kra.sslserver.cert={{ ca_sslserver_cert.stdout }}'
        owner: pkiuser
        group: pkiuser
        mode: '0660'
        backup: true
      when: ca_sslserver_cert.stdout != kra_sslserver_cert.stdout
      notify: restart pki-tomcat

> Could you open a ticket against freeipa at https://pagure.io/freeipa/issues
> so that we fix the post-save command? It looks like it doesn't take into
> account the KRA certificates.

I've opened that ticket: https://pagure.io/freeipa/issue/9277

Thanks for your confirmation,

Jochen

-- 
This space is intentionally left blank.
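An added example, not part of either mail and not FreeIPA or Dogtag code: the same check and repair as a plain POSIX shell script that compares the ca and kra CS.cfg entries with the single-line certificate value and rewrites the stale one with a backup. It assumes the instance layout from the thread (/var/lib/pki/pki-tomcat/<subsystem>/conf/CS.cfg) and GNU sed/coreutils; the certificate in the script is a constructed placeholder so it runs without certutil, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or Dogtag): check and repair
# <subsystem>.sslserver.cert= in the CA and KRA CS.cfg files against the
# single-line base64 form of the current server certificate. In production
# EXPECTED comes from the NSS database exactly as in the thread:
#   certutil -L -d /etc/pki/pki-tomcat/alias/ -n "Server-Cert cert-pki-ca" -a \
#     | tail -n +2 | head -n -1 | tr -d '\r\n'
# The PEM below is a constructed placeholder, not a real certificate. Its
# padded base64 is deliberate: that is what awk -F '=' '{ print $2 }' drops.
CONSTRUCTED_PEM='-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUAAECAwQFBgcICQoLDA0ODxAREhMwCgYIKoZIzj0EAwIw
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2
d3h5ejAxMjM0NTY3ODk=
-----END CERTIFICATE-----'
# Constructed stand-in for the expired value still in kra/conf/CS.cfg.
OLD_CERT='T0xEQ0VSVA=='

# Same pipeline as the thread: drop the BEGIN/END lines, join the base64.
pem_to_cs_cfg_value() {
    tail -n +2 | head -n -1 | tr -d '\r\n'
}
NEW_CERT=$(printf '%s\n' "$CONSTRUCTED_PEM" | pem_to_cs_cfg_value)

# Escape the dots of a CS.cfg key so sed matches it literally.
key_pattern() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Print the value of KEY in FILE: everything after the first '=', padding
# included.
cs_cfg_get() {
    sed -n "s/^$(key_pattern "$2")=//p" "$1"
}

# The awk idiom, kept only to show the pitfall: it prints the text between
# the first and second '=' and so truncates padded base64.
naive_awk_get() {
    awk -F '=' "/^$2=/ { print \$2 }" "$1"
}

# Set KEY in FILE to VALUE, keeping the old file as FILE.bak. Prints
# "changed" or "unchanged". A missing key is a different problem from a
# stale one, so it is reported instead of appended.
cs_cfg_sync() {
    file=$1; key=$2; value=$3
    current=$(cs_cfg_get "$file" "$key")
    if [ -z "$current" ]; then
        echo "error: $key not found in $file" >&2
        return 1
    fi
    if [ "$current" = "$value" ]; then
        echo unchanged
        return 0
    fi
    cp -p "$file" "$file.bak"
    # '|' as delimiter: base64 uses '+', '/' and '=' but never '|'
    sed -i "s|^$(key_pattern "$key")=.*|$key=$value|" "$file"
    echo changed
}

# One line per subsystem: "<sub> ok", "<sub> stale" or "<sub> missing".
check_instance() {
    root=$1; expected=$2
    for sub in ca kra; do
        cfg="$root/$sub/conf/CS.cfg"
        if [ ! -f "$cfg" ]; then
            echo "$sub missing"
        elif [ "$(cs_cfg_get "$cfg" "$sub.sslserver.cert")" = "$expected" ]; then
            echo "$sub ok"
        else
            echo "$sub stale"
        fi
    done
}

# Rewrite every present subsystem's entry; restart pki-tomcat afterwards.
repair_instance() {
    root=$1; expected=$2
    for sub in ca kra; do
        cfg="$root/$sub/conf/CS.cfg"
        [ -f "$cfg" ] || continue
        printf '%s ' "$sub"
        cs_cfg_sync "$cfg" "$sub.sslserver.cert" "$expected"
    done
}

# Constructed instance mirroring the thread: the CA config was updated by
# the post-save command, the KRA config still holds the old certificate.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/ca/conf" "$dir/kra/conf"
    printf 'ca.sslserver.nickname=Server-Cert cert-pki-ca\nca.sslserver.cert=%s\n' \
        "$NEW_CERT" > "$dir/ca/conf/CS.cfg"
    printf 'kra.sslserver.nickname=Server-Cert cert-pki-ca\nkra.sslserver.cert=%s\n' \
        "$OLD_CERT" > "$dir/kra/conf/CS.cfg"
    echo "$dir"
}

if [ "${1:-}" = demo ]; then
    d=$(make_fixture); check_instance "$d" "$NEW_CERT"
    repair_instance "$d" "$NEW_CERT"; check_instance "$d" "$NEW_CERT"; rm -rf "$d"
fi
```

Run it with `sh script.sh demo` to see the constructed CA/KRA pair go from "kra stale" to "kra ok". Against a real server, source the file and call `check_instance /var/lib/pki/pki-tomcat "$(certutil ... | tr -d '\r\n')"` with the certutil pipeline from Florence's mail; `repair_instance` with the same arguments does what the lineinfile task does, and pki-tomcat has to be restarted afterwards just as the playbook's handler does. The sed-based lookup matters because a padded base64 value read with `awk -F '='` loses its trailing `=` and would be written back truncated.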
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
