Thanks, Rob. ipa-cacert-manage list succeeds, with ~13 lines of output that
look like they're probably an enumeration of certs. pki client init && pki ca
cert find succeeds and returns ~20 results, with the following warning:

WARNING: UNTRUSTED ISSUER encountered on 'CN=freeipa1.local.domain,O=LOCAL.DOMAIN' indicates a non-trusted CA cert 'CN=Certificate Authority,O=LOCAL.DOMAIN'

-Toma

On Mon, Aug 26, 2024 at 11:14 AM Rob Crittenden <[email protected]> wrote:

> Toma Morris via FreeIPA-users wrote:
> > I have taken over an existing deployment of FreeIPA that has not been
> > updated in some time. I would like to update it, but am getting a recurring
> > error and do not know how to fix it. Currently it is FreeIPA v4.9.6,
> > running on Fedora 34, running in VMs on VMWare. The current deployment is
> > two replicas that both act as write nodes and CA hosts (hostnames freeipa1
> > and freeipa2). There were previously two additional nodes that were shut
> > down (hostnames freeipa and freeipa3 -- according to what I can figure out,
> > they failed without being removed gracefully, so there are some traces of
> > them left in the system).
> >
> > ipa-healthcheck returns a number of errors. The following appear to be
> > the most relevant to my eye. The "unknown ca" error message is repeated in
> > most of them. I can provide the whole response if needed:
> >
> > ```
> > Internal server error HTTPSConnectionPool(host='freeipa.local.domain',
> > port=443): Max retries exceeded with url: /ca/rest/certs/search?size=3
> > (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object
> > at 0x7f6a5da14190>: Failed to establish a new connection: [Errno 113] No
> > route to host'))
> > [
> >   ...
> >   {
> >     "source": "pki.server.healthcheck.meta.csconfig",
> >     "check": "CADogtagCertsConfigCheck",
> >     "result": "ERROR",
> >     "uuid": "6945db10-a79b-4d17-84e3-1e4a91bdfbeb",
> >     "when": "20240822190635Z",
> >     "duration": "0.229479",
> >     "kw": {
> >       "key": "ca_signing",
> >       "nickname": "caSigningCert cert-pki-ca",
> >       "directive": "ca.signing.cert",
> >       "configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
> >       "msg": "Certificate 'caSigningCert cert-pki-ca' does not match the value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
> >     }
> >   },
> >   ...
> >   {
> >     "source": "ipahealthcheck.dogtag.ca",
> >     "check": "DogtagCertsConnectivityCheck",
> >     "result": "ERROR",
> >     "uuid": "9fbbcb00-4d48-4dad-95b2-8d0738f1d540",
> >     "when": "20240822190637Z",
> >     "duration": "0.016692",
> >     "kw": {
> >       "key": "cert_show_1",
> >       "msg": "Request for certificate failed, cannot connect to 'https://freeipa1.local.domain:443/ca/rest/certs/1': [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:2633)"
> >     }
> >   },
> >   ...
> >   {
> >     "source": "ipahealthcheck.ipa.idns",
> >     "check": "IPADNSSystemRecordsCheck",
> >     "result": "WARNING",
> >     "uuid": "d873830f-3e7f-4c12-b61a-567dca63bc0e",
> >     "when": "20240822190645Z",
> >     "duration": "0.040974",
> >     "kw": {
> >       "key": "ca_count_a_rec",
> >       "msg": "Got {count} ipa-ca A records, expected {expected}",
> >       "count": 3,
> >       "expected": 2
> >     }
> >   }
> > ]
> > ```
> >
> > Currently this prevents me from viewing any certificates in the UI, and
> > also prevents doing most operations involved with either updating the
> > existing nodes or adding a new one. If I try to promote a new replica, I
> > get this error. Likewise if I upgrade the OS on one of the existing nodes
> > and try `ipactl restart`. I have tried replacing the CA cert and got a
> > success message, but no change in behavior, and ipa-cert-fix finds nothing
> > to do:
> >
> > ```
> > [root@freeipa1 ~]# ipa-cacert-manage -t C,, install /home/tmorris/incommonCA-2024.ca
> > Installing CA certificate, please wait
> > Verified CN=InCommon RSA Server CA 2,O=Internet2,C=US
> > CA certificate successfully installed
> > The ipa-cacert-manage command was successful
> > [root@freeipa1 ~]# ipa-cert-fix
> > Nothing to do.
> > The ipa-cert-fix command was successful
> > ```
> >
> > I don't actually think the CA is used in the deployment. We use certs
> > from our CA everywhere, rather than from FreeIPA, so I believe if I turned
> > this into a CA-less deployment it would be fine, but I haven't found clear
> > documentation on how to do that. I'm OK with either removing the CA (and I
> > have snapshots in case I need to revert), or with fixing the CA, but as it
> > stands I can't do software updates or add nodes to the cluster.
> >
> > What additional information can I provide? Thanks in advance,
>
> AFAIK there is no supported way to go from a CA-full installation to a
> CA-less installation (there is the other way around).
>
> Is the IPA CA available? I forget if `ipa-cacert-manage list` is
> available in 4.9.6. If it is then you can check that way.
>
> You can also see if the CA is working at all using commands provided by
> the CA itself. Perhaps something like:
>
> pki client init
> pki ca cert find
>
> The results don't matter much as long as it isn't an error. If you get a
> list of certs then your CA can at least read its database. This is
> basically what the cert-find healthcheck does but it tacks on
> authentication as well.
>
> rob
>
-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
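The diagnosis in this thread turns on reading ipa-healthcheck's output and separating the errors caused by the two dead replicas (freeipa and freeipa3, still referenced in DNS and topology) from the errors that are about the CA itself. Below is an added example, not FreeIPA or ipa-healthcheck code, that triages that output along exactly those lines. The record shape (source/check/result/kw, with unexpanded {count}-style placeholders in msg) is ipa-healthcheck's real JSON format; the sample text is constructed from the three records quoted in the thread (uuid/when/duration dropped), and LIVE_CA_HOSTS is an assumed inventory of the replicas that are actually up.

```python
"""Triage ipa-healthcheck JSON for stale-replica vs. CA-trust symptoms.

Added example for the FreeIPA-users thread above; not FreeIPA or ipa-healthcheck code.
"""
import json
import re
from urllib.parse import urlparse

# Constructed sample, modelled on the output quoted in the thread: a non-JSON
# preface line (the "Internal server error" from a dead replica) followed by
# the JSON array of check results.
SAMPLE_OUTPUT = """Internal server error HTTPSConnectionPool(host='freeipa.local.domain', port=443): Max retries exceeded with url: /ca/rest/certs/search?size=3 (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f6a5da14190>: Failed to establish a new connection: [Errno 113] No route to host'))
[
  {"source": "pki.server.healthcheck.meta.csconfig", "check": "CADogtagCertsConfigCheck", "result": "ERROR",
   "kw": {"key": "ca_signing", "nickname": "caSigningCert cert-pki-ca", "directive": "ca.signing.cert",
          "configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
          "msg": "Certificate 'caSigningCert cert-pki-ca' does not match the value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"}},
  {"source": "ipahealthcheck.dogtag.ca", "check": "DogtagCertsConnectivityCheck", "result": "ERROR",
   "kw": {"key": "cert_show_1",
          "msg": "Request for certificate failed, cannot connect to 'https://freeipa1.local.domain:443/ca/rest/certs/1': [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:2633)"}},
  {"source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck", "result": "WARNING",
   "kw": {"key": "ca_count_a_rec", "msg": "Got {count} ipa-ca A records, expected {expected}", "count": 3, "expected": 2}}
]
"""

# Assumed inventory (not from the thread's output): replicas that are actually
# running and serving the CA. Anything else the healthcheck tries to reach is stale.
LIVE_CA_HOSTS = {"freeipa1.local.domain", "freeipa2.local.domain"}

_HOST_RE = re.compile(r"host='([^']+)'")          # urllib3 "HTTPSConnectionPool(host='...')"
_URL_RE = re.compile(r"https?://[^\s'\"]+")       # URLs embedded in check messages
_JSON_START_RE = re.compile(r"^\s*\[", re.MULTILINE)


def split_output(raw):
    """Separate any preface text from the JSON array that follows it."""
    m = _JSON_START_RE.search(raw)
    if m is None:
        return raw, "[]"
    return raw[:m.start()], raw[m.start():]


def render(kw):
    """Expand the {placeholders} ipa-healthcheck leaves in 'msg' from the other kw fields."""
    msg = kw.get("msg", "")
    try:
        return msg.format(**{k: v for k, v in kw.items() if k != "msg"})
    except (KeyError, IndexError, ValueError):
        return msg  # literal braces, or a placeholder with no matching field


def hosts_in_message(msg):
    """Every hostname a healthcheck message says it tried to reach."""
    hosts = set(_HOST_RE.findall(msg))
    for url in _URL_RE.findall(msg):
        hostname = urlparse(url).hostname
        if hostname:
            hosts.add(hostname)
    return hosts


def triage(raw, live_hosts):
    """Sort failing checks into the questions the thread is asking."""
    findings = {"stale_hosts": set(), "unknown_ca_urls": [],
                "config_mismatch": [], "extra_ca_records": 0}
    preface, body = split_output(raw)
    messages = [preface] if preface.strip() else []
    records = []
    for rec in json.loads(body):
        if rec.get("result") in ("ERROR", "WARNING", "CRITICAL"):
            records.append(rec)
            messages.append(render(rec.get("kw", {})))
    # Hosts named in connection failures that are not in the live inventory.
    for msg in messages:
        findings["stale_hosts"].update(h for h in hosts_in_message(msg) if h not in live_hosts)
    for rec, msg in zip(records, messages[len(messages) - len(records):]):
        kw = rec.get("kw", {})
        # A TLS "unknown ca" alert is sent by the peer: trust failed before the REST call.
        if "unknown ca" in msg.lower():
            findings["unknown_ca_urls"].extend(_URL_RE.findall(msg))
        # NSS-db cert vs CS.cfg directive disagreement, as reported by the pki check.
        if rec.get("check") == "CADogtagCertsConfigCheck":
            findings["config_mismatch"].append(
                (kw.get("nickname"), kw.get("directive"), kw.get("configfile")))
        # More ipa-ca A records than CA replicas: leftovers from removed hosts.
        if kw.get("key") == "ca_count_a_rec" and kw.get("count", 0) > kw.get("expected", 0):
            findings["extra_ca_records"] = kw["count"] - kw["expected"]
    findings["stale_hosts"] = sorted(findings["stale_hosts"])
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_OUTPUT, LIVE_CA_HOSTS).items():
        print(f"{key}: {value}")
```

Fed the thread's real output, the script separates the two symptom classes: hosts in stale_hosts (here freeipa.local.domain, the "No route to host" target) and a positive extra_ca_records count both point at the ungracefully removed replicas still being advertised, while unknown_ca_urls against a host that is in the live inventory is a trust failure between the healthcheck client and that replica's CA, which is the "authentication" Rob distinguishes from the plain cert-find; config_mismatch is the NSS-db versus CS.cfg disagreement from the pki check.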
