Jochen Kellner via FreeIPA-users wrote:
> Alex Corcoles via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:
> 
>> Hi all,
>>
>> Sorry I didn't keep track of this more accurately. Some time ago, the
>> ipa-healthcheck service started failing (September 23rd, I think). I
>> took a look, and IIRC, it said something like some certs were about to
>> expire. I ignored that (because they renew automatically?). But then I
>> checked some time after that, and ipa-healthcheck started reporting:
> ...
>>       "msg": "Certificate 'auditSigningCert cert-pki-ca' does not match the value of ca.audit_signing.cert in /etc/pki/pki-tomcat/ca/CS.cfg"
> ...
>> Any thoughts?
> 
> This looks similar to
> https://pagure.io/freeipa/issue/9277
> https://github.com/dogtagpki/pki/issues/2157

The KRA values are definitely not being updated. That shouldn't be the
case for the CA values.

rob

> 
> I've used this play to fix my system:
> ---
> # file: freeipa-fixes.yml
> - name: Fix problems in IPA installations or configurations after install / postinstall or later
>   hosts:
>   - ipaservers
>   become: true
> 
>   tasks:
> # ...
>   # Another healthcheck fix: when the PKI server certificate is renewed
>   # the new certificate is written to /var/lib/pki/pki-tomcat/ca/conf/CS.cfg.
>   # It needs to be in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg too.
>   # {
>   #   "source": "pki.server.healthcheck.meta.csconfig",
>   #   "check": "KRADogtagCertsConfigCheck",
>   #   "result": "ERROR",
>   #   "uuid": "892ad5b7-8612-4476-8120-2a5fe6c6b005",
>   #   "when": "20221116030029Z",
>   #   "duration": "0.024925",
>   #   "kw": {
>   #     "key": "kra_sslserver",
>   #     "nickname": "Server-Cert cert-pki-ca",
>   #     "directive": "kra.sslserver.cert",
>   #     "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
>   #     "msg": "Certificate 'Server-Cert cert-pki-ca' does not match the value
>   #  of kra.sslserver.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
>   #   }
>   # },
>   # This is likely a bug in /usr/libexec/ipa/certmonger/renew_ca_cert
>   - name: Fetch ca.sslserver.cert from /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
>     ansible.builtin.command:
>       cmd: awk -F '=' '/^ca.sslserver.cert=/ { print $2 }' /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
>     register: ca_sslserver_cert
>     check_mode: false
>     changed_when: false
> 
>   - name: Fetch kra.sslserver.cert= from /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
>     ansible.builtin.command:
>       cmd: awk -F '=' '/^kra.sslserver.cert=/ { print $2 }' /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
>     register: kra_sslserver_cert
>     check_mode: false
>     changed_when: false
> 
> #  - name: debug display the possibly different certs
> #    ansible.builtin.debug:
> #      var: "{{ item }}"
> #    loop:
> #    - ca_sslserver_cert.stdout
> #    - kra_sslserver_cert.stdout
> 
>   - name: Fix ipa-healthcheck, KRADogtagCertsConfigCheck
>     ansible.builtin.lineinfile:
>       dest: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
>       regexp: '^kra.sslserver.cert='
>       line: 'kra.sslserver.cert={{ ca_sslserver_cert.stdout }}'
>       owner: pkiuser
>       group: pkiuser
>       mode: '0660'
>       backup: true
>     when: ca_sslserver_cert.stdout != kra_sslserver_cert.stdout
>     notify: Restart pki-tomcat
> 
> #      "key": "transportCert cert-pki-kra",
> #     "directive": "ca.connector.KRA.transportCert",
> #     "configfile": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
> #      "msg": "Certificate 'transportCert cert-pki-kra' does not match the value of ca.connector.KRA.transportCert in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
>   - name: Fetch Certificate 'transportCert cert-pki-kra'
>     ansible.builtin.shell:
>       cmd: certutil -d /etc/pki/pki-tomcat/alias/ -L -n 'transportCert cert-pki-kra' -a | awk '/^[^-]/ { sub(/\r/, ""); printf("%s", $0) }'
>     register: transportcert
>     check_mode: false
>     changed_when: false
> 
>   - name: Fetch Certificate ca.connector.KRA.transportCert
>     ansible.builtin.shell:
>       cmd: awk -F '=' '/^ca.connector.KRA.transportCert=/ { print $2 }' /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
>     register: ca_connector_transportcert
>     check_mode: false
>     changed_when: false
> 
>   - name: Fix ipa-healthcheck, ca.connector.KRA.transportCert
>     ansible.builtin.lineinfile:
>       dest: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
>       regexp: '^ca.connector.KRA.transportCert='
>       line: 'ca.connector.KRA.transportCert={{ transportcert.stdout }}'
>       owner: pkiuser
>       group: pkiuser
>       mode: '0660'
>       backup: true
>     when: ca_connector_transportcert.stdout != transportcert.stdout
>     notify: Restart pki-tomcat
> 
>   - name: Fetch Certificate kra.transport.cert
>     ansible.builtin.shell:
>       cmd: awk -F '=' '/^kra.transport.cert=/ { print $2 }' /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
>     register: kra_transport_cert
>     check_mode: false
>     changed_when: false
> 
>   - name: Fix ipa-healthcheck, kra.transport.cert
>     ansible.builtin.lineinfile:
>       dest: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
>       regexp: '^kra.transport.cert='
>       line: 'kra.transport.cert={{ transportcert.stdout }}'
>       owner: pkiuser
>       group: pkiuser
>       mode: '0660'
>       backup: true
>     when: kra_transport_cert.stdout != transportcert.stdout
>     notify: Restart pki-tomcat
> 
> #      "nickname": "subsystemCert cert-pki-ca",
> #      "directive": "kra.subsystem.cert",
> #      "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
> #      "msg": "Certificate 'subsystemCert cert-pki-ca' does not match the value of kra.subsystem.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
> 
>   - name: Fetch Certificate 'subsystemCert cert-pki-ca'
>     ansible.builtin.shell:
>       cmd: certutil -d /etc/pki/pki-tomcat/alias/ -L -n 'subsystemCert cert-pki-ca' -a | awk '/^[^-]/ { sub(/\r/, ""); printf("%s", $0) }'
>     register: subsystemcert
>     check_mode: false
>     changed_when: false
> 
>   - name: Fetch Certificate kra.subsystem.cert
>     ansible.builtin.shell:
>       cmd: awk -F '=' '/^kra.subsystem.cert=/ { print $2 }' /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
>     register: kra_subsystem_cert
>     check_mode: false
>     changed_when: false
> 
>   - name: Fix ipa-healthcheck, kra.subsystem.cert
>     ansible.builtin.lineinfile:
>       dest: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
>       regexp: '^kra.subsystem.cert='
>       line: 'kra.subsystem.cert={{ subsystemcert.stdout }}'
>       owner: pkiuser
>       group: pkiuser
>       mode: '0660'
>       backup: true
>     when: kra_subsystem_cert.stdout != subsystemcert.stdout
>     notify: Restart pki-tomcat
> 
> #      "nickname": "storageCert cert-pki-kra",
> #      "directive": "kra.storage.cert",
> #      "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
> #      "msg": "Certificate 'storageCert cert-pki-kra' does not match the value
> #      of kra.storage.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
> 
>   - name: Fetch Certificate 'storageCert cert-pki-kra'
>     ansible.builtin.shell:
>       cmd: certutil -d /etc/pki/pki-tomcat/alias/ -L -n 'storageCert cert-pki-kra' -a | awk '/^[^-]/ { sub(/\r/, ""); printf("%s", $0) }'
>     register: storagecert
>     check_mode: false
>     changed_when: false
> 
>   - name: Fetch Certificate kra.storage.cert
>     ansible.builtin.shell:
>       cmd: awk -F '=' '/^kra.storage.cert=/ { print $2 }' /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
>     register: kra_storage_cert
>     check_mode: false
>     changed_when: false
> 
>   - name: Fix ipa-healthcheck, kra.storage.cert
>     ansible.builtin.lineinfile:
>       dest: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
>       regexp: '^kra.storage.cert='
>       line: 'kra.storage.cert={{ storagecert.stdout }}'
>       owner: pkiuser
>       group: pkiuser
>       mode: '0660'
>       backup: true
>     when: storagecert.stdout != kra_storage_cert.stdout
>     notify: Restart pki-tomcat
> 
> #      "nickname": "auditSigningCert cert-pki-kra",
> #      "directive": "kra.audit_signing.cert",
> #      "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
> #      "msg": "Certificate 'auditSigningCert cert-pki-kra' does not match the
> # value of kra.audit_signing.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
> 
>   - name: Fetch Certificate 'auditSigningCert cert-pki-kra'
>     ansible.builtin.shell:
>       cmd: certutil -d /etc/pki/pki-tomcat/alias/ -L -n 'auditSigningCert cert-pki-kra' -a | awk '/^[^-]/ { sub(/\r/, ""); printf("%s", $0) }'
>     register: auditsigningcert
>     check_mode: false
>     changed_when: false
> 
>   - name: Fetch Certificate kra.audit_signing.cert
>     ansible.builtin.shell:
>       cmd: awk -F '=' '/^kra.audit_signing.cert=/ { print $2 }' /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
>     register: kra_audit_signing_cert
>     check_mode: false
>     changed_when: false
> 
>   - name: Fix ipa-healthcheck, kra.audit_signing.cert
>     ansible.builtin.lineinfile:
>       dest: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
>       regexp: '^kra.audit_signing.cert='
>       line: 'kra.audit_signing.cert={{ auditsigningcert.stdout }}'
>       owner: pkiuser
>       group: pkiuser
>       mode: '0660'
>       backup: true
>     when: kra_audit_signing_cert.stdout != auditsigningcert.stdout
>     notify: Restart pki-tomcat
> 
> 
>   handlers:
> # ...
>   - name: Restart pki-tomcat
>     ansible.builtin.service:
>       name: pki-tomcatd@pki-tomcat.service
>       state: restarted
> 
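The comparison the play above performs task by task, gathered into one check, as an added example that is not from the thread, from ipa-healthcheck or from the PKI project: it normalises a `certutil -L -n <nick> -a` dump the same way the play's awk does (drop the BEGIN/END lines, CRs and whitespace) and reports every CS.cfg directive whose value no longer matches the certificate in the NSS database. The directive-to-nickname pairs are the ones named in the healthcheck output quoted in the play; the CS.cfg fragment and certificates below are constructed sample data.

```python
# Directive -> NSS nickname pairs, as named in the healthcheck output above.
KRA_DIRECTIVES = {  # /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
    "kra.sslserver.cert": "Server-Cert cert-pki-ca",
    "kra.transport.cert": "transportCert cert-pki-kra",
    "kra.subsystem.cert": "subsystemCert cert-pki-ca",
    "kra.storage.cert": "storageCert cert-pki-kra",
    "kra.audit_signing.cert": "auditSigningCert cert-pki-kra",
}
CA_DIRECTIVES = {  # /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
    "ca.connector.KRA.transportCert": "transportCert cert-pki-kra",
}


def parse_cs_cfg(text):
    """Parse CS.cfg (one key=value per line, '#' comments) into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def pem_body(pem):
    """Normalise like the play's awk: keep only the base64 body, no CRs,
    no -----BEGIN/END----- lines, no line breaks."""
    lines = [l.strip() for l in pem.replace("\r", "").splitlines()]
    return "".join(l for l in lines if l and not l.startswith("-"))


def find_mismatches(cfg, nss_certs, directives):
    """Return (directive, nickname) for every directive whose CS.cfg value
    differs from the NSS certificate. nss_certs maps nickname -> PEM text
    (what certutil -a prints); a missing directive also counts as a mismatch."""
    return [(d, nick) for d, nick in directives.items()
            if cfg.get(d, "") != pem_body(nss_certs[nick])]


# Constructed sample: Server-Cert was renewed in NSS, the KRA CS.cfg is stale.
SAMPLE_NSS = {
    "Server-Cert cert-pki-ca": "-----BEGIN CERTIFICATE-----\r\nMIIBnew\r\nQUFB\r\n"
                               "-----END CERTIFICATE-----\r\n",
    "transportCert cert-pki-kra": "-----BEGIN CERTIFICATE-----\nMIIBtransport\n"
                                  "-----END CERTIFICATE-----\n",
}
SAMPLE_KRA_CFG = "# constructed CS.cfg fragment\nkra.sslserver.cert=MIIBold\n" \
                 "kra.transport.cert=MIIBtransport\n"
SAMPLE_DIRECTIVES = {k: KRA_DIRECTIVES[k] for k in ("kra.sslserver.cert", "kra.transport.cert")}

if __name__ == "__main__":
    for d, nick in find_mismatches(parse_cs_cfg(SAMPLE_KRA_CFG), SAMPLE_NSS, SAMPLE_DIRECTIVES):
        print(f"Certificate '{nick}' does not match the value of {d}")
```

On a real server the NSS side comes from `certutil -d /etc/pki/pki-tomcat/alias/ -L -n <nickname> -a` and the config side from the CS.cfg path the play uses for each subsystem.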
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org