Alex Corcoles via FreeIPA-users wrote:
> Hi all,
>
> Sorry I didn't keep track of this more accurately. Some time ago, the
> ipa-healthcheck service started failing (September 23rd, I think). I took a
> look, and IIRC, it said something like some certs were about to expire. I
> ignored that (because they renew automatically?). But then I checked some
> time after that, and ipa-healthcheck started reporting:
I'd start by verifying that the certificates indeed did renew.
>
> [
> {
> "source": "pki.server.healthcheck.meta.csconfig",
> "check": "CADogtagCertsConfigCheck",
> "result": "ERROR",
> "uuid": "af584c7d-6288-4848-acf8-9e59946e298b",
> "when": "20231004180708Z",
> "duration": "0.093486",
> "kw": {
> "key": "ca_audit_signing",
> "nickname": "auditSigningCert cert-pki-ca",
> "directive": "ca.audit_signing.cert",
> "configfile": "/etc/pki/pki-tomcat/ca/CS.cfg",
> "msg": "Certificate 'auditSigningCert cert-pki-ca' does not match the
> value of ca.audit_signing.cert in /etc/pki/pki-tomcat/ca/CS.cfg"
> }
> },
> {
> "source": "ipahealthcheck.dogtag.ca",
> "check": "DogtagCertsConfigCheck",
> "result": "ERROR",
> "uuid": "94d21af1-63d1-4bc8-80ff-dc974b3bafc2",
> "when": "20231004180708Z",
> "duration": "0.401906",
> "kw": {
> "key": "auditSigningCert cert-pki-ca",
> "directive": "ca.audit_signing.cert",
> "configfile": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
> "msg": "Certificate 'auditSigningCert cert-pki-ca' does not match the
> value of ca.audit_signing.cert in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
> }
> }
> ]
>
> I suppose the automatic renewal process went awry? I have seen messages on
> this list with similar errors, but the path forward does not seem clear to me.
There is some disagreement whether CS.cfg being updated is important or
not. The PKI team is looking into this now. If you really want to update
it you can get the base64 blob:
# certutil -L -d /etc/pki/pki-tomcat/alias -n 'auditSigningCert
cert-pki-ca' -a
Then stop pki-tomcat@pki-tomcatd, update the mentioned blob in CS.cfg,
and restart tomcat.
rob
>
> I'm running:
>
> ipa-healthcheck-0.12-1.el9.noarch
> ipa-healthcheck-core-0.12-1.el9.noarch
> ipa-server-4.10.1-9.el9_2.x86_64
>
> Coincidentally, some updates went out around those dates:
>
> 2023-08-26T06:56:04+0000 SUBDEBUG Upgraded:
> ipa-server-dns-4.10.1-7.el9_2.noarch
> 2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: ipa-server-4.10.1-7.el9_2.x86_64
> 2023-08-26T06:56:05+0000 SUBDEBUG Upgraded:
> python3-ipaserver-4.10.1-7.el9_2.noarch
> 2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: ipa-client-4.10.1-7.el9_2.x86_64
> 2023-08-26T06:56:05+0000 SUBDEBUG Upgraded:
> python3-ipaclient-4.10.1-7.el9_2.noarch
> 2023-08-26T06:56:05+0000 SUBDEBUG Upgraded:
> python3-ipalib-4.10.1-7.el9_2.noarch
> 2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: ipa-common-4.10.1-7.el9_2.noarch
> 2023-08-26T06:56:05+0000 SUBDEBUG Upgraded:
> ipa-server-common-4.10.1-7.el9_2.noarch
> 2023-08-26T06:56:05+0000 SUBDEBUG Upgraded:
> ipa-client-common-4.10.1-7.el9_2.noarch
> 2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: ipa-selinux-4.10.1-7.el9_2.noarch
> 2023-09-24T06:56:28+0000 SUBDEBUG Upgraded:
> ipa-server-dns-4.10.1-8.el9_2.noarch
> 2023-09-24T06:56:28+0000 SUBDEBUG Upgraded: ipa-server-4.10.1-8.el9_2.x86_64
> 2023-09-24T06:56:29+0000 SUBDEBUG Upgraded:
> python3-ipaserver-4.10.1-8.el9_2.noarch
> 2023-09-24T06:56:29+0000 SUBDEBUG Upgraded: ipa-client-4.10.1-8.el9_2.x86_64
> 2023-09-24T06:56:29+0000 SUBDEBUG Upgraded:
> python3-ipaclient-4.10.1-8.el9_2.noarch
> 2023-09-24T06:56:29+0000 SUBDEBUG Upgraded:
> python3-ipalib-4.10.1-8.el9_2.noarch
> 2023-09-24T06:56:29+0000 SUBDEBUG Upgraded: ipa-common-4.10.1-8.el9_2.noarch
> 2023-09-24T06:56:30+0000 SUBDEBUG Upgraded:
> ipa-server-common-4.10.1-8.el9_2.noarch
> 2023-09-24T06:56:30+0000 SUBDEBUG Upgraded:
> ipa-client-common-4.10.1-8.el9_2.noarch
> 2023-09-24T06:56:30+0000 SUBDEBUG Upgraded: ipa-selinux-4.10.1-8.el9_2.noarch
>
> Any thoughts?
>
> Thanks,
>
> Álex
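As an added illustration of the check Rob describes (not code from ipa-healthcheck, pki-healthcheck, or this thread), the script below compares the base64 blob that `certutil -L -d /etc/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca' -a` prints against the `ca.audit_signing.cert` directive in CS.cfg, and shows how the directive would be rewritten once the two disagree. The certificate bytes and the CS.cfg excerpt are constructed sample data, the `certutil` output is assumed to be passed in as text rather than executed, and the systemd unit name in the comment (`pki-tomcatd@pki-tomcat`) is the one I know from Dogtag deployments, not something quoted from the thread.

```python
"""Compare an NSS-database certificate with the value stored in a Dogtag CS.cfg
directive, and rewrite that directive when they differ.

Added example for the thread above; not part of ipa-healthcheck or pki.
"""
import base64
import re
import textwrap

# A PEM block as printed by `certutil -L -d <nssdb> -n <nickname> -a`.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)

# Constructed stand-ins for DER certificate bytes (not real certificates).
NEW_DER_B64 = base64.b64encode(b"renewed audit signing cert (constructed)").decode()
OLD_DER_B64 = base64.b64encode(b"expired audit signing cert (constructed)").decode()

# What certutil -a would print for the renewed cert (constructed).
CERTUTIL_OUTPUT = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(textwrap.wrap(NEW_DER_B64, 64))
    + "\n-----END CERTIFICATE-----\n"
)

# Constructed excerpt of /etc/pki/pki-tomcat/ca/CS.cfg still holding the old blob.
SAMPLE_CS_CFG = (
    "# constructed CS.cfg excerpt\n"
    "ca.audit_signing.nickname=auditSigningCert cert-pki-ca\n"
    f"ca.audit_signing.cert={OLD_DER_B64}\n"
    "ca.signing.nickname=caSigningCert cert-pki-ca\n"
)


def pem_to_b64(pem_text: str) -> str:
    """Extract the first PEM certificate and return its base64 body without
    header, footer or line breaks, which is the form CS.cfg stores."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no PEM certificate found in certutil output")
    body = "".join(match.group(1).split())
    base64.b64decode(body, validate=True)  # reject truncated or garbled blobs
    return body


def read_directive(cfg_text: str, directive: str):
    """Return the value of a key=value directive from CS.cfg, or None."""
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == directive:
            return value.strip()
    return None


def cert_matches_config(pem_text: str, cfg_text: str,
                        directive: str = "ca.audit_signing.cert") -> bool:
    """The healthcheck condition: NSS-db cert equals the CS.cfg directive."""
    stored = read_directive(cfg_text, directive)
    if stored is None:
        return False
    return pem_to_b64(pem_text) == "".join(stored.split())


def update_directive(cfg_text: str, directive: str, new_b64: str) -> str:
    """Return cfg_text with the directive set to new_b64 (first occurrence
    replaced, appended if absent); every other line is left untouched."""
    out, done = [], False
    for line in cfg_text.splitlines():
        key, sep, _ = line.partition("=")
        if sep and key.strip() == directive and not done:
            out.append(f"{directive}={new_b64}")
            done = True
        else:
            out.append(line)
    if not done:
        out.append(f"{directive}={new_b64}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # On a real server the sequence would be: capture the certutil output,
    # `systemctl stop pki-tomcatd@pki-tomcat`, write the updated CS.cfg,
    # then start the unit again. Here everything stays in memory.
    print("before:", cert_matches_config(CERTUTIL_OUTPUT, SAMPLE_CS_CFG))
    fixed = update_directive(SAMPLE_CS_CFG, "ca.audit_signing.cert",
                             pem_to_b64(CERTUTIL_OUTPUT))
    print("after: ", cert_matches_config(CERTUTIL_OUTPUT, fixed))
```

Back up CS.cfg before writing it, and keep Tomcat stopped while the file is edited so Dogtag does not overwrite the change on shutdown.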
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue