Running ipa-server version 4.9.13-12 on RHEL8 we are getting the following 
error/warning with ipa-healthcheck:

[
  {
    "source": "ipahealthcheck.ds.nss_ssl",
    "check": "NssCheck",
    "result": "ERROR",
    "uuid": "1a2798fd-7fa5-4132-a288-7975f2c32b60",
    "when": "20240916211906Z",
    "duration": "0.498443",
    "kw": {
      "key": "DSCERTLE0001",
      "items": [
        "Expiring Certificate"
      ],
      "msg": "The certificate (CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US) will expire in less than 30 days"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACAChainExpirationCheck",
    "result": "WARNING",
    "uuid": "7c1317a8-fbf6-46c4-98a1-15b62f655df8",
    "when": "20240916211911Z",
    "duration": "0.014042",
    "kw": {
      "path": "/etc/ipa/ca.crt",
      "key": "CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US",
      "days": 19,
      "msg": "CA '{key}' in {path} is expiring in {days} days."
    }
  }
]

This is the external commercial CA that I believe was added at the inception of 
the domain to allow for trusted user connections to the web UI for 
self-service. That was reverted back to using an internal certificate for the 
web UI more than three years ago, so the InCommon CA is no longer required.

Running getcert list shows that certmonger is not tracking either the CA (which 
makes sense) or any certificates issued by the CA. ipa cert-find shows 50 
certificates, all issued by the internal IPA CA.

I would like to remove all references to the old CA from IPA and resolve the 
healthcheck error. Any help would be appreciated.

