Travis West via FreeIPA-users wrote:
> Rob,
>
> I installed the ipa-healthcheck that you got to work on CentOS 7, and ran it.
> Got a couple of errors regarding the RA Agent cert:
>
> [
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "kw": {
>       "msg": "Certificate validation for /var/lib/ipa/ra-agent.pem failed: ",
>       "reason": "",
>       "key": "/var/lib/ipa/ra-agent.pem"
>     },
>     "uuid": "a855346c-4998-4415-a819-ce83048e174e",
>     "duration": "0.100214",
>     "when": "20240404141916Z",
>     "check": "IPAOpenSSLChainValidation",
>     "result": "ERROR"
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "kw": {
>       "msg": "RA agent not found in LDAP"
>     },
>     "uuid": "b6efdb6c-ca33-4421-bdc5-c449e7d64591",
>     "duration": "0.027569",
>     "when": "20240404141916Z",
>     "check": "IPARAAgent",
>     "result": "ERROR"
>   }

It runs: openssl verify -verbose -show_chain -CAfile /etc/ipa/ca.crt /var/lib/ipa/ra-agent.pem

> That first error, I'm not sure about what kind of validation it's performing.
> In my asn.1 output earlier I did include the ra-agent.pem and it looks like
> it's correctly signed.
> As far as the "RA agent not found in LDAP", it looks to me like it is, and it
> matches the cert in /var/lib/ipa/ra-agent.pem
>
> # ldapsearch -D "cn=directory manager" -W -b uid=ipara,ou=people,o=ipaca
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <uid=ipara,ou=people,o=ipaca> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # ipara, people, ipaca
> dn: uid=ipara,ou=people,o=ipaca
> description: 2;7;CN=Certificate Authority,O=IPA.****.NET;CN=IPA
>  RA,O=IPA.****.NET
> userCertificate:: MIID6j...ssifAg==
> uid: ipara
> sn: ipara
> usertype: agentType
> userstate: 1
> objectClass: cmsuser
> objectClass: top
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: person
> cn: ipara
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> # cat ra-agent.pem
> -----BEGIN CERTIFICATE-----
> MIID6j...ssifAg==
> -----END CERTIFICATE-----

Watch the 389-ds access log (buffer) while healthcheck runs. You should see the failed search and the reason may be enlightening (or not).

You can also add --debug to the command and maybe that will help.

rob

--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
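As an added example for the two failing checks in the thread (it is not code from the thread, from ipa-healthcheck or from FreeIPA), the Python script below does the comparison an admin would want before trusting either error: it parses the LDIF that `ldapsearch` prints (folded continuation lines, `::` base64 values, `;binary` options), takes the `userCertificate` of `uid=ipara,ou=people,o=ipaca` and compares its DER bytes with the certificate in `/var/lib/ipa/ra-agent.pem`, reporting SHA-256 fingerprints of both sides. It also wraps the exact `openssl verify` command quoted above. Assumptions: that the IPARAAgent check is satisfied by a `userCertificate` value equal to the on-disk cert (the real check may compare other attributes too), the DN shown in the thread, and the sample LDIF and PEM embedded here, which are constructed around a fake DER payload and contain no real certificate.

```python
"""Check that the RA agent certificate on disk is the one stored in LDAP.

Added example for the thread above; not code from ipa-healthcheck or FreeIPA.
It parses ldapsearch LDIF output, extracts userCertificate, and compares the
DER bytes with /var/lib/ipa/ra-agent.pem. The sample data at the bottom is
constructed (fake DER payload, placeholder realm EXAMPLE.TEST).
"""
import base64
import hashlib
import re
import subprocess
import textwrap

# attribute name, optional ';option' parts (e.g. userCertificate;binary), ':' or '::', value
_ATTR_RE = re.compile(r"^([A-Za-z][\w.-]*)(?:;[\w-]+)*(::?) ?(.*)$")


def parse_ldif(text):
    """Parse ldapsearch output into a list of {attr: [values]} dicts.

    Continuation lines (leading space, RFC 2849 folding) are joined to the
    previous line, '#' comment lines are dropped, attribute options such as
    ';binary' are stripped, and '::' values are base64-decoded to bytes.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]   # drop the single folding space
        else:
            unfolded.append(line)

    entries, current = [], {}
    for line in unfolded:
        if not line.strip():           # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = _ATTR_RE.match(line)
        if not m:
            continue
        attr, sep, raw = m.groups()
        value = base64.b64decode(raw) if sep == "::" else raw
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der):
    """Wrap DER bytes as a PEM CERTIFICATE block (used here to build sample input)."""
    body = textwrap.wrap(base64.b64encode(der).decode(), 64)
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(body) + "\n-----END CERTIFICATE-----\n"


def ra_agent_matches(ldif_text, pem_text, ra_dn="uid=ipara,ou=people,o=ipaca"):
    """Return (matches, fingerprints_in_ldap, fingerprint_on_disk).

    The entry may carry several userCertificate values (e.g. after a renewal),
    so it matches when any of them equals the on-disk certificate. SHA-256 of
    the DER is used as the fingerprint. Assumption: equality of the stored
    certificate is what the IPARAAgent check needs.
    """
    fp_disk = hashlib.sha256(pem_to_der(pem_text)).hexdigest()
    for entry in parse_ldif(ldif_text):
        if entry.get("dn", [""])[0].lower() != ra_dn.lower():
            continue
        fps = [hashlib.sha256(c).hexdigest() for c in entry.get("usercertificate", [])]
        return fp_disk in fps, fps, fp_disk
    return False, [], fp_disk


def openssl_chain_ok(cafile="/etc/ipa/ca.crt", certfile="/var/lib/ipa/ra-agent.pem"):
    """Run the command the IPAOpenSSLChainValidation check runs (quoted in the
    thread) and return (ok, output). Needs the openssl binary; not run on sample data."""
    proc = subprocess.run(
        ["openssl", "verify", "-verbose", "-show_chain", "-CAfile", cafile, certfile],
        capture_output=True, text=True)
    return proc.returncode == 0, proc.stdout + proc.stderr


# --- constructed sample data: fake DER payload, not a real X.509 certificate ---
FAKE_DER = b"\x30\x82\x00\x36" + b"constructed sample bytes, not an X.509 certificate"
SAMPLE_PEM = der_to_pem(FAKE_DER)
_B64 = base64.b64encode(FAKE_DER).decode()
SAMPLE_LDIF = (
    "# extended LDIF\n#\n# LDAPv3\n# base <uid=ipara,ou=people,o=ipaca> with scope subtree\n\n"
    "# ipara, people, ipaca\n"
    "dn: uid=ipara,ou=people,o=ipaca\n"
    "description: 2;7;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA RA,O=EXA\n"
    " MPLE.TEST\n"                                  # folded continuation line
    "userCertificate:: " + _B64[:40] + "\n " + _B64[40:] + "\n"
    "uid: ipara\n"
    "objectClass: cmsuser\n"
    "objectClass: top\n"
    "\n# search result\nsearch: 2\nresult: 0 Success\n\n# numResponses: 2\n# numEntries: 1\n"
)

if __name__ == "__main__":
    ok, in_ldap, on_disk = ra_agent_matches(SAMPLE_LDIF, SAMPLE_PEM)
    print("on disk :", on_disk)
    print("in LDAP :", in_ldap)
    print("match   :", ok)
```

On a real server, feed `parse_ldif` the output of the `ldapsearch` command from the thread and `pem_to_der` the contents of `/var/lib/ipa/ra-agent.pem`; a `False` with differing fingerprints means LDAP holds a different (typically older) RA certificate, while a `True` here together with the healthcheck still failing points at the search itself, which is what watching the 389-ds access log will show.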