Given how early it failed it doesn't look like it actually did any
configuration except some basic setup of the security domain.

IPA determines whether a KRA is configured by running:

# pki-server subsystem-show kra

In your current state I'd expect the output to be:

  Subsystem ID: kra
  Instance ID: pki-tomcat
  Enabled: True

You should be able to remove it with:

# pkidestroy -s KRA -i pki-tomcat

To confirm it's gone re-run the pki-server command and you should see:

ERROR: ERROR: No kra subsystem in instance pki-tomcat.

rob
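As an added example (not part of this thread), a small POSIX sh script that checks the three things the steps above concern after pkidestroy has run: that pki-server no longer reports the kra subsystem, that certmonger holds no tracking request for the three KRA nicknames the healthcheck complained about, and that no cert-pki-kra entry is left in /etc/pki/pki-tomcat/alias. The parsers read command output on stdin so they can be exercised with constructed text; it assumes the usual `getcert list` and `certutil -L` output formats and is run as root on the IPA server with `--live`.

```shell
#!/bin/sh
# Post-cleanup check for a half-installed KRA (added example, not from the
# thread). Parsers take command output on stdin; run_checks() feeds them the
# live commands when invoked with --live as root on the IPA server.

# Classify `pki-server subsystem-show kra` output (stderr merged in).
# Expected after pkidestroy: "ERROR: ERROR: No kra subsystem in instance ..."
kra_subsystem_state() {
    out=$(cat)
    case "$out" in
        *"No kra subsystem in instance"*) echo absent ;;
        *"Subsystem ID: kra"*)            echo configured ;;
        *)                                echo unknown ;;
    esac
}

# Count certmonger requests (from `getcert list`) still tracking the three
# KRA system certs that IPACertTracking expects on a KRA-enabled master.
# Assumes getcert prints lines of the form
#   certificate: type=NSSDB,location='...',nickname='transportCert cert-pki-kra',token='...'
kra_tracking_count() {
    grep -c -E "nickname='(transportCert|storageCert|auditSigningCert) cert-pki-kra'" || true
}

# Count cert-pki-kra nicknames listed by `certutil -L -d <nssdb>`.
kra_nss_count() {
    grep -c 'cert-pki-kra' || true
}

# Run all three checks against the live system; exit 0 only when clean.
run_checks() {
    db=/etc/pki/pki-tomcat/alias
    state=$(pki-server subsystem-show kra 2>&1 | kra_subsystem_state)
    tracked=$(getcert list 2>/dev/null | kra_tracking_count)
    in_db=$(certutil -L -d "$db" 2>/dev/null | kra_nss_count)
    echo "subsystem=$state tracking_requests=$tracked nss_certs=$in_db"
    [ "$state" = absent ] && [ "$tracked" -eq 0 ] && [ "$in_db" -eq 0 ]
}

if [ "${1:-}" = "--live" ]; then
    run_checks
fi
```

A non-zero exit from `run_checks` means something KRA-related survived the pkidestroy and is worth inspecting before re-running ipa-kra-install.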

Martin Jackson via FreeIPA-users wrote:
>>
>> Do you have the original log from installing that KRA?
> 
> I've attached it.
> 
>> What healthcheck errors are you seeing?
> 
> The "unexpected cert" warnings are of long standing and are because I
> have certmonger-managed certs for cockpit on the controller. The others
> seem to be KRA-related:
> 
> Unable to retrieve cert: transportCert cert-pki-kra
> Unable to retrieve cert: storageCert cert-pki-kra
> Unable to retrieve cert: auditSigningCert cert-pki-kra
> [
> {
> "source": "ipahealthcheck.ipa.certs",
> "check": "IPACertTracking",
> "result": "ERROR",
> "uuid": "fab3c57d-a8a0-40dc-bc19-a61e7a4d89e2",
> "when": "20230407183208Z",
> "duration": "0.668865",
> "kw": {
> "key": "cert-database=/etc/pki/pki-tomcat/alias,
> cert-nickname=auditSigningCert cert-pki-kra,
> ca-name=dogtag-ipa-ca-renew-agent,
> cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad,
> cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert
> \"auditSigningCert cert-pki-kra\", template-profile=caAuditSigningCert",
> "msg": "Expected certmonger tracking is missing for {key}. Automated
> renewal will not happen for this certificate"
> }
> },
> {
> "source": "ipahealthcheck.ipa.certs",
> "check": "IPACertTracking",
> "result": "ERROR",
> "uuid": "771f3f3c-c097-4efc-b649-39ca883e4990",
> "when": "20230407183208Z",
> "duration": "0.697353",
> "kw": {
> "key": "cert-database=/etc/pki/pki-tomcat/alias,
> cert-nickname=transportCert cert-pki-kra,
> ca-name=dogtag-ipa-ca-renew-agent,
> cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad,
> cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert
> \"transportCert cert-pki-kra\", template-profile=caTransportCert",
> "msg": "Expected certmonger tracking is missing for {key}. Automated
> renewal will not happen for this certificate"
> }
> },
> {
> "source": "ipahealthcheck.ipa.certs",
> "check": "IPACertTracking",
> "result": "ERROR",
> "uuid": "45d65f75-86f2-4e69-b62a-968dcadfe933",
> "when": "20230407183208Z",
> "duration": "0.725562",
> "kw": {
> "key": "cert-database=/etc/pki/pki-tomcat/alias,
> cert-nickname=storageCert cert-pki-kra,
> ca-name=dogtag-ipa-ca-renew-agent,
> cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad,
> cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert
> \"storageCert cert-pki-kra\", template-profile=caStorageCert",
> "msg": "Expected certmonger tracking is missing for {key}. Automated
> renewal will not happen for this certificate"
> }
> },
> {
> "source": "ipahealthcheck.ipa.certs",
> "check": "IPACertTracking",
> "result": "WARNING",
> "uuid": "0147b205-ea93-45dd-b4ee-2e5137031c6f",
> "when": "20230407183208Z",
> "duration": "0.813082",
> "kw": {
> "key": "20210927043555",
> "msg": "certmonger tracking request {key} found and is not expected on
> an IPA master."
> }
> },
> {
> "source": "ipahealthcheck.ipa.certs",
> "check": "IPACertNSSTrust",
> "result": "ERROR",
> "uuid": "d928b9ed-a59f-46f0-94bc-1cee3915c945",
> "when": "20230407183209Z",
> "duration": "0.293241",
> "kw": {
> "key": "transportCert cert-pki-kra",
> "nickname": "transportCert cert-pki-kra",
> "dbdir": "/etc/pki/pki-tomcat/alias",
> "msg": "Certificate {nickname} missing from {dbdir} while verifying trust"
> }
> },
> {
> "source": "ipahealthcheck.ipa.certs",
> "check": "IPACertNSSTrust",
> "result": "ERROR",
> "uuid": "27073a02-8378-4b54-9434-978496bc3ef4",
> "when": "20230407183209Z",
> "duration": "0.293253",
> "kw": {
> "key": "storageCert cert-pki-kra",
> "nickname": "storageCert cert-pki-kra",
> "dbdir": "/etc/pki/pki-tomcat/alias",
> "msg": "Certificate {nickname} missing from {dbdir} while verifying trust"
> }
> },
> {
> "source": "ipahealthcheck.ipa.certs",
> "check": "IPACertNSSTrust",
> "result": "ERROR",
> "uuid": "7506a8c2-2cc0-4ac6-8deb-a6a71a54023c",
> "when": "20230407183209Z",
> "duration": "0.293279",
> "kw": {
> "key": "auditSigningCert cert-pki-kra",
> "nickname": "auditSigningCert cert-pki-kra",
> "dbdir": "/etc/pki/pki-tomcat/alias",
> "msg": "Certificate {nickname} missing from {dbdir} while verifying trust"
> }
> },
> {
> "source": "ipahealthcheck.ipa.certs",
> "check": "IPADogtagCertsMatchCheck",
> "result": "CRITICAL",
> "uuid": "fb12bf41-4fc0-4b7c-8e58-a014ce47c525",
> "when": "20230407183210Z",
> "duration": "0.593639",
> "kw": {
> "exception": "no matching entry found",
> "traceback": "Traceback (most recent call last):\n File
> \"/usr/lib/python3.11/site-packages/ipahealthcheck/core/core.py\", line
> 56, in run_plugin\n for result in plugin.check():\n File
> \"/usr/lib/python3.11/site-packages/ipahealthcheck/core/plugin.py\",
> line 18, in wrapper\n for result in f(*args, **kwds):\n File
> \"/usr/lib/python3.11/site-packages/ipahealthcheck/ipa/certs.py\", line
> 901, in check\n ipaca_certs_ok = yield from
> match_ldap_nss_certs_by_subject(\n
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File
> \"/usr/lib/python3.11/site-packages/ipahealthcheck/ipa/certs.py\", line
> 828, in match_ldap_nss_certs_by_subject\n entries = ldap.get_entries(\n
> ^^^^^^^^^^^^^^^^^\n File
> \"/usr/lib/python3.11/site-packages/ipapython/ipaldap.py\", line 1453,
> in get_entries\n entries, truncated = self.find_entries(\n
> ^^^^^^^^^^^^^^^^^^\n File
> \"/usr/lib/python3.11/site-packages/ipapython/ipaldap.py\", line 1597,
> in find_entries\n raise errors.EmptyResult(reason='no matching entry
> found')\nipalib.errors.EmptyResult: no matching entry found\n"
> }
> },
> {
> "source": "ipahealthcheck.ipa.certs",
> "check": "IPAKRAAgent",
> "result": "ERROR",
> "uuid": "7fa1fca0-0678-4872-ba2c-e3a60787d47e",
> "when": "20230407183210Z",
> "duration": "0.265466",
> "kw": {
> "key": "KRA",
> "description": "2;805240873;CN=Certificate
> Authority,O=IMLADRIS.LAN;CN=IPA RA,O=IMLADRIS.LAN",
> "msg": "KRA agent not found in LDAP"
> }
> },
> {
> "source": "ipahealthcheck.ipa.certs",
> "check": "IPACertRevocation",
> "result": "ERROR",
> "uuid": "99ce4f5c-0e92-44d8-8dd6-cccb25fcb7c0",
> "when": "20230407183212Z",
> "duration": "1.502588",
> "kw": {
> "key": null,
> "dbdir": "/etc/pki/pki-tomcat/alias",
> "nickname": "auditSigningCert cert-pki-kra",
> "error": "Failed to get auditSigningCert cert-pki-kra",
> "msg": "Unable to retrieve certificate '{nickname}' from {dbdir}: {error}"
> }
> },
> {
> "source": "ipahealthcheck.ipa.certs",
> "check": "IPACertRevocation",
> "result": "ERROR",
> "uuid": "5ad72560-7441-4099-a674-1413571b94a5",
> "when": "20230407183212Z",
> "duration": "1.563678",
> "kw": {
> "key": null,
> "dbdir": "/etc/pki/pki-tomcat/alias",
> "nickname": "transportCert cert-pki-kra",
> "error": "Failed to get transportCert cert-pki-kra",
> "msg": "Unable to retrieve certificate '{nickname}' from {dbdir}: {error}"
> }
> },
> {
> "source": "ipahealthcheck.ipa.certs",
> "check": "IPACertRevocation",
> "result": "ERROR",
> "uuid": "3d9adf37-cdea-46bf-89f0-cd101fee4afc",
> "when": "20230407183212Z",
> "duration": "1.624445",
> "kw": {
> "key": null,
> "dbdir": "/etc/pki/pki-tomcat/alias",
> "nickname": "storageCert cert-pki-kra",
> "error": "Failed to get storageCert cert-pki-kra",
> "msg": "Unable to retrieve certificate '{nickname}' from {dbdir}: {error}"
> }
> },
> {
> "source": "ipahealthcheck.system.filesystemspace",
> "check": "FileSystemSpaceCheck",
> "result": "ERROR",
> "uuid": "a46d2101-3274-4c90-81d0-1b02d94a7d4c",
> "when": "20230407183217Z",
> "duration": "0.000118",
> "kw": {
> "key": "/var/lib/dirsrv/",
> "msg": "/var/lib/dirsrv/: free space percentage under threshold: 18% < 20%",
> "store": "/var/lib/dirsrv/",
> "percent_free": 18,
> "threshold": 20
> }
> },
> {
> "source": "ipahealthcheck.system.filesystemspace",
> "check": "FileSystemSpaceCheck",
> "result": "ERROR",
> "uuid": "b1743dac-757d-4718-9134-1bdb0cb995aa",
> "when": "20230407183217Z",
> "duration": "0.000174",
> "kw": {
> "key": "/var/lib/ipa/backup/",
> "msg": "/var/lib/ipa/backup/: free space percentage under threshold: 18%
> < 20%",
> "store": "/var/lib/ipa/backup/",
> "percent_free": 18,
> "threshold": 20
> }
> },
> {
> "source": "ipahealthcheck.system.filesystemspace",
> "check": "FileSystemSpaceCheck",
> "result": "ERROR",
> "uuid": "73d75a7e-cab1-4642-b243-9ea1b6d5e2df",
> "when": "20230407183217Z",
> "duration": "0.000216",
> "kw": {
> "key": "/var/log/",
> "msg": "/var/log/: free space percentage under threshold: 18% < 20%",
> "store": "/var/log/",
> "percent_free": 18,
> "threshold": 20
> }
> },
> {
> "source": "ipahealthcheck.system.filesystemspace",
> "check": "FileSystemSpaceCheck",
> "result": "ERROR",
> "uuid": "944f2056-4954-4bfe-a901-3955bfb9e4d5",
> "when": "20230407183217Z",
> "duration": "0.000258",
> "kw": {
> "key": "/var/tmp/",
> "msg": "/var/tmp/: free space percentage under threshold: 18% < 20%",
> "store": "/var/tmp/",
> "percent_free": 18,
> "threshold": 20
> }
> },
> {
> "source": "pki.server.healthcheck.certs.expiration",
> "check": "KRASystemCertExpiryCheck",
> "result": "ERROR",
> "uuid": "76cc6843-d47f-4879-a9c4-92e5fdb7ffcf",
> "when": "20230407183217Z",
> "duration": "0.033473",
> "kw": {
> "cert_id": "transport",
> "msg": "Unable to get cert's expiry date"
> }
> },
> {
> "source": "pki.server.healthcheck.certs.expiration",
> "check": "KRASystemCertExpiryCheck",
> "result": "ERROR",
> "uuid": "92e25850-578c-41eb-80e3-09eeb6538275",
> "when": "20230407183217Z",
> "duration": "0.064507",
> "kw": {
> "cert_id": "storage",
> "msg": "Unable to get cert's expiry date"
> }
> },
> {
> "source": "pki.server.healthcheck.certs.expiration",
> "check": "KRASystemCertExpiryCheck",
> "result": "ERROR",
> "uuid": "9c57f4a9-c5e8-4851-bcb2-8fea3ada13ce",
> "when": "20230407183218Z",
> "duration": "0.221997",
> "kw": {
> "cert_id": "audit_signing",
> "msg": "Unable to get cert's expiry date"
> }
> },
> {
> "source": "pki.server.healthcheck.certs.trustflags",
> "check": "KRASystemCertTrustFlagCheck",
> "result": "ERROR",
> "uuid": "7c7a968c-1337-4aac-bf2a-fc376207cd3d",
> "when": "20230407183218Z",
> "duration": "0.066155",
> "kw": {
> "key": "transport",
> "nssdbDir": "/etc/pki/pki-tomcat/alias",
> "msg": "Unable to load cert from NSSDB: 'NoneType' object has no
> attribute 'group'"
> }
> },
> {
> "source": "pki.server.healthcheck.certs.trustflags",
> "check": "KRASystemCertTrustFlagCheck",
> "result": "ERROR",
> "uuid": "acb8c421-553c-4aea-9f3d-44df6de45bd2",
> "when": "20230407183218Z",
> "duration": "0.128915",
> "kw": {
> "key": "storage",
> "nssdbDir": "/etc/pki/pki-tomcat/alias",
> "msg": "Unable to load cert from NSSDB: 'NoneType' object has no
> attribute 'group'"
> }
> },
> {
> "source": "pki.server.healthcheck.certs.trustflags",
> "check": "KRASystemCertTrustFlagCheck",
> "result": "ERROR",
> "uuid": "29122bb0-5f70-4cf4-9999-bb67ffd4c32e",
> "when": "20230407183218Z",
> "duration": "0.384702",
> "kw": {
> "key": "audit_signing",
> "nssdbDir": "/etc/pki/pki-tomcat/alias",
> "msg": "Unable to load cert from NSSDB: 'NoneType' object has no
> attribute 'group'"
> }
> },
> {
> "source": "pki.server.healthcheck.meta.connectivity",
> "check": "DogtagKRAConnectivityCheck",
> "result": "ERROR",
> "uuid": "66ff4f8e-76fd-4e49-917c-22a2d9a36869",
> "when": "20230407183220Z",
> "duration": "0.118461",
> "kw": {
> "msg": "KRA server is up. But, unable to retrieve transport cert",
> "serverURI": "https://localhost:8443",
> "rest_path": "/ca/rest/config/cert"
> }
> }
> ]
> 
> -- 
> 
> Martin Jackson <[email protected]>
> 
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: 
> https://pagure.io/fedora-infrastructure/new_issue
> 