I have taken over an existing deployment of FreeIPA that has not been updated
in some time. I would like to update it, but am getting a recurring error and
do not know how to fix it. Currently it is FreeIPA v4.9.6, running on Fedora
34, running in VMs on VMware. The current deployment is two replicas that both
act as write nodes and CA hosts (hostnames freeipa1 and freeipa2). There were
previously two additional nodes that were shut down (hostnames freeipa and
freeipa3 -- according to what I can figure out, they failed without being
removed gracefully, so there are some traces of them left in the system).
ipa-healthcheck returns a number of errors. The following appear to be the most
relevant to my eye. The "unknown ca" error message is repeated in most of them.
I can provide the whole response if needed:
```
Internal server error HTTPSConnectionPool(host='freeipa.local.domain',
port=443): Max retries exceeded with url: /ca/rest/certs/search?size=3 (Caused
by NewConnectionError('<urllib3.connection.HTTPSConnection object at
0x7f6a5da14190>: Failed to establish a new connection: [Errno 113] No route to
host'))
[
  ...
  {
    "source": "pki.server.healthcheck.meta.csconfig",
    "check": "CADogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "6945db10-a79b-4d17-84e3-1e4a91bdfbeb",
    "when": "20240822190635Z",
    "duration": "0.229479",
    "kw": {
      "key": "ca_signing",
      "nickname": "caSigningCert cert-pki-ca",
      "directive": "ca.signing.cert",
      "configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
      "msg": "Certificate 'caSigningCert cert-pki-ca' does not match the value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
    }
  },
  ...
  {
    "source": "ipahealthcheck.dogtag.ca",
    "check": "DogtagCertsConnectivityCheck",
    "result": "ERROR",
    "uuid": "9fbbcb00-4d48-4dad-95b2-8d0738f1d540",
    "when": "20240822190637Z",
    "duration": "0.016692",
    "kw": {
      "key": "cert_show_1",
      "msg": "Request for certificate failed, cannot connect to 'https://freeipa1.local.domain:443/ca/rest/certs/1': [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:2633)"
    }
  },
  ...
  {
    "source": "ipahealthcheck.ipa.idns",
    "check": "IPADNSSystemRecordsCheck",
    "result": "WARNING",
    "uuid": "d873830f-3e7f-4c12-b61a-567dca63bc0e",
    "when": "20240822190645Z",
    "duration": "0.040974",
    "kw": {
      "key": "ca_count_a_rec",
      "msg": "Got {count} ipa-ca A records, expected {expected}",
      "count": 3,
      "expected": 2
    }
  }
]
```
Currently this prevents me from viewing any certificates in the UI, and also
prevents doing most operations involved with either updating the existing nodes
or adding a new one. If I try to promote a new replica, I get this error.
Likewise if I upgrade the OS on one of the existing nodes and try `ipactl
restart`. I have tried replacing the CA cert and got a success message, but no
change in behavior, and ipa-cert-fix finds nothing to do:
```
[root@freeipa1 ~]# ipa-cacert-manage -t C,, install
/home/tmorris/incommonCA-2024.ca
Installing CA certificate, please wait
Verified CN=InCommon RSA Server CA 2,O=Internet2,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
[root@freeipa1 ~]# ipa-cert-fix
Nothing to do.
The ipa-cert-fix command was successful
```
I don't actually think the CA is used in the deployment. We use certs from our
CA everywhere, rather than from FreeIPA, so I believe if I turned this into a
CA-less deployment it would be fine, but I haven't found clear documentation on
how to do that. I'm OK with either removing the CA (and I have snapshots in
case I need to revert), or with fixing the CA, but as it stands I can't do a
software update or add nodes to the cluster.
What additional information can I provide? Thanks in advance,
Toma
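The first healthcheck error above says the `caSigningCert cert-pki-ca` entry in the NSS database no longer matches `ca.signing.cert` in CS.cfg. The following script, an added example that is not part of the post or of FreeIPA/Dogtag, reproduces that comparison so the two copies can be checked independently (and the SHA-256 of each shown) before deciding whether to repair or remove the CA. Assumptions: the Dogtag NSS database is at /etc/pki/pki-tomcat/alias, `certutil` is on PATH, and the nickname and CS.cfg path are the ones quoted in the healthcheck output.

```python
"""Compare the CA signing cert in Dogtag's CS.cfg with the NSS DB copy.
Added example; file locations other than CS.cfg are assumptions."""
import base64
import hashlib
import re
import subprocess

CS_CFG = "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg"   # path from healthcheck output
NSS_DB = "/etc/pki/pki-tomcat/alias"               # assumed Dogtag NSS DB location
NICKNAME = "caSigningCert cert-pki-ca"             # nickname from healthcheck output


def cfg_cert_der(cfg_text, directive="ca.signing.cert"):
    """DER bytes of the cert stored under `directive` in CS.cfg.
    CS.cfg keeps the value as one line of base64 without PEM headers."""
    m = re.search(r"^%s=(\S+)$" % re.escape(directive), cfg_text, re.M)
    if not m:
        raise KeyError("%s not found in CS.cfg" % directive)
    return base64.b64decode(m.group(1), validate=True)


def pem_cert_der(pem_text):
    """DER bytes of the first PEM certificate in `pem_text` (certutil -a output)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def fingerprint(der):
    """SHA-256 hex fingerprint of a DER certificate, for the report."""
    return hashlib.sha256(der).hexdigest()


def certs_match(cfg_text, pem_text):
    """True only when CS.cfg and the NSS DB hold byte-identical certificates."""
    return fingerprint(cfg_cert_der(cfg_text)) == fingerprint(pem_cert_der(pem_text))


def check_live(cfg_path=CS_CFG, db=NSS_DB, nick=NICKNAME):
    """Run as root on a CA host; returns (match, cfg_sha256, nssdb_sha256)."""
    with open(cfg_path) as f:
        cfg = f.read()
    pem = subprocess.run(["certutil", "-L", "-d", db, "-n", nick, "-a"],
                         check=True, capture_output=True, text=True).stdout
    return (certs_match(cfg, pem), fingerprint(cfg_cert_der(cfg)),
            fingerprint(pem_cert_der(pem)))


if __name__ == "__main__":
    print("match=%s cs.cfg=%s nssdb=%s" % check_live())
```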
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]