Rob,

I installed the ipa-healthcheck that you got to work on CentOS 7, and ran it.
Got a couple of errors regarding the RA Agent cert:

[
  {
    "source": "ipahealthcheck.ipa.certs",
    "kw": {
      "msg": "Certificate validation for /var/lib/ipa/ra-agent.pem failed: ",
      "reason": "",
      "key": "/var/lib/ipa/ra-agent.pem"
    },
    "uuid": "a855346c-4998-4415-a819-ce83048e174e",
    "duration": "0.100214",
    "when": "20240404141916Z",
    "check": "IPAOpenSSLChainValidation",
    "result": "ERROR"
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "kw": {
      "msg": "RA agent not found in LDAP"
    },
    "uuid": "b6efdb6c-ca33-4421-bdc5-c449e7d64591",
    "duration": "0.027569",
    "when": "20240404141916Z",
    "check": "IPARAAgent",
    "result": "ERROR"
  }
]

That first error, I'm not sure about what kind of validation it's performing.
In my ASN.1 output earlier I did include the ra-agent.pem and it looks like
it's correctly signed.
As far as the "RA agent not found in LDAP", it looks to me like it is, and it
matches the cert in /var/lib/ipa/ra-agent.pem

# ldapsearch -D "cn=directory manager" -W -b uid=ipara,ou=people,o=ipaca
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=ipara,ou=people,o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ipara, people, ipaca
dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=Certificate Authority,O=IPA.****.NET;CN=IPA RA,O=IPA.****.NET
userCertificate:: MIID6j...ssifAg==
uid: ipara
sn: ipara
usertype: agentType
userstate: 1
objectClass: cmsuser
objectClass: top
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: person
cn: ipara

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

# cat ra-agent.pem
-----BEGIN CERTIFICATE-----
MIID6j...ssifAg==
-----END CERTIFICATE-----
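
The comparison made by eye in the message above, done byte for byte, as an added example (not part of the original message and not ipa-healthcheck's own code): it unfolds ldapsearch LDIF output, decodes `userCertificate`, compares it with the DER inside a PEM file, and splits the `description` value on `;`. The sample data is constructed and its byte string is a stand-in rather than a real certificate; reading the description fields as version, serial, issuer and subject is an assumption drawn from the value shown in the message.

```python
import base64

def unfold_ldif(text):
    """Join folded LDIF lines: a leading space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return [l for l in lines if l and not l.startswith("#")]

def ldif_attrs(text):
    """Map lower-cased attribute name -> list of values as bytes."""
    attrs = {}
    for line in unfold_ldif(text):
        name, _, rest = line.partition(":")
        b64 = rest.startswith(":")  # 'attr:: value' carries base64
        value = base64.b64decode(rest[1:]) if b64 else rest.strip().encode()
        attrs.setdefault(name.lower(), []).append(value)
    return attrs

def pem_to_der(pem):
    """Decode the base64 body between the BEGIN/END CERTIFICATE markers."""
    body = pem.split("-----BEGIN CERTIFICATE-----")[1].split("-----END")[0]
    return base64.b64decode("".join(body.split()))

def compare(ldif_text, pem_text):
    """Byte-compare the PEM file with userCertificate; split description."""
    attrs = ldif_attrs(ldif_text)
    # Assumed field order: version;serial;issuer;subject
    _, serial, issuer, subject = attrs["description"][0].decode().split(";", 3)
    match = pem_to_der(pem_text) in attrs.get("usercertificate", [])
    return {"cert_matches": match, "serial": int(serial), "issuer": issuer, "subject": subject}

def wrap(s, n):
    return [s[i:i + n] for i in range(0, len(s), n)]

# Constructed sample data: DER is a stand-in byte string, not a real certificate.
DER = bytes(range(200)) * 5
B64 = base64.b64encode(DER).decode()
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(wrap(B64, 64))
SAMPLE_LDIF = (
    "# ipara, people, ipaca\ndn: uid=ipara,ou=people,o=ipaca\n"
    "description: 2;7;CN=Certificate Authority,O=IPA.EXAMPLE.TEST;CN=IPA\n"
    "  RA,O=IPA.EXAMPLE.TEST\n"
    "userCertificate:: " + "\n ".join(wrap(B64, 60)) + "\nuid: ipara\n"
)

if __name__ == "__main__":
    print(compare(SAMPLE_LDIF, SAMPLE_PEM))
```
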