Hi,
On Mon, Sep 16, 2024 at 11:36 PM Dungan, Scott A. via FreeIPA-users <
[email protected]> wrote:
> Running ipa-server version 4.9.13-12 on RHEL8 we are getting the following
> error/warning with ipa-healthcheck:
>
> [
>   {
>     "source": "ipahealthcheck.ds.nss_ssl",
>     "check": "NssCheck",
>     "result": "ERROR",
>     "uuid": "1a2798fd-7fa5-4132-a288-7975f2c32b60",
>     "when": "20240916211906Z",
>     "duration": "0.498443",
>     "kw": {
>       "key": "DSCERTLE0001",
>       "items": [
>         "Expiring Certificate"
>       ],
>       "msg": "The certificate (CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US) will expire in less than 30 days"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACAChainExpirationCheck",
>     "result": "WARNING",
>     "uuid": "7c1317a8-fbf6-46c4-98a1-15b62f655df8",
>     "when": "20240916211911Z",
>     "duration": "0.014042",
>     "kw": {
>       "path": "/etc/ipa/ca.crt",
>       "key": "CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US",
>       "days": 19,
>       "msg": "CA '{key}' in {path} is expiring in {days} days."
>     }
>   }
> ]
>
> This is the external commercial CA that I believe was added at the
> inception of the domain to allow for trusted user connections to the web UI
> for self-service. That was reverted back to using an internal certificate
> for the web UI more than three years ago, so the InCommon CA is no longer
> required.
>
The tool "ipa-cacert-manage delete NICKNAME" can help you remove this CA.
You can start with "ipa-cacert-manage list" which will print out the
nicknames, identify the nickname used for your CA to remove, then use
"ipa-cacert-manage delete NICKNAME".
Note: after the removal, ipa-certupdate needs to be run on each machine
enrolled in the IPA domain in order to update the trusted CA list (for
instance in /etc/ipa/ca.crt or in the NSS databases).
flo
>
> Running getcert list shows that certmonger is not tracking either the CA
> (which makes sense), nor any certificates issued by the CA. ipa cert-find
> shows 50 certificates all issued by the internal IPA CA.
>
> I would like to remove all references to the old CA from IPA and resolve
> the healthcheck error. Any help would be appreciated.
>
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
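The procedure flo describes (list the CA nicknames, delete the one that is expiring, then run ipa-certupdate on every enrolled host) as an added example script. This is not code from the thread or from FreeIPA itself. It assumes GNU date and openssl are installed, that the trust bundle is at /etc/ipa/ca.crt (the path the IPACAChainExpirationCheck output quoted above names), and it reuses the 30-day threshold that the DSCERTLE0001 message mentions. It does not parse the output of ipa-cacert-manage list, since that format is not shown in the thread; it just prints it next to the expiring subjects so the operator can match the nickname by hand before running the delete.

```shell
#!/usr/bin/env bash
# Added example, not part of the FreeIPA-users thread or of FreeIPA.
# Assumptions: GNU date, openssl, bash; bundle path and 30-day threshold
# taken from the ipa-healthcheck output quoted in the thread.
set -eu

BUNDLE="${IPA_CA_BUNDLE:-/etc/ipa/ca.crt}"
THRESHOLD_DAYS="${THRESHOLD_DAYS:-30}"   # healthcheck warned at "less than 30 days"

# days_left NOTAFTER [NOW_EPOCH]
# Whole days between NOW (default: current time) and an openssl
# "notAfter=Mon DD HH:MM:SS YYYY GMT" value. NOW_EPOCH is a parameter so the
# arithmetic can be checked against a fixed reference date.
days_left() {
  local not_after="${1#notAfter=}"
  local now="${2:-$(date -u +%s)}"
  local exp
  exp="$(date -u -d "$not_after" +%s)"
  echo $(( (exp - now) / 86400 ))
}

# pem_count FILE: number of certificates in a concatenated PEM bundle.
pem_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# split_bundle FILE DIR: write each certificate of FILE to DIR/cert-N.pem,
# because openssl x509 only reads the first certificate of a bundle.
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n) }
    n > 0 { print > out }
    /-----END CERTIFICATE-----/ { close(out) }
  ' "$1"
}

# report_expiring BUNDLE THRESHOLD
# Print "DAYS<TAB>SUBJECT" for every CA in BUNDLE that expires within THRESHOLD
# days. This is the same input IPACAChainExpirationCheck reads, so the subject
# printed here is the one to look for in "ipa-cacert-manage list".
report_expiring() {
  local bundle="$1" threshold="$2" dir f subject enddate days
  dir="$(mktemp -d)"
  split_bundle "$bundle" "$dir"
  for f in "$dir"/cert-*.pem; do
    subject="$(openssl x509 -noout -subject -nameopt RFC2253 -in "$f" | sed 's/^subject=//')"
    enddate="$(openssl x509 -noout -enddate -in "$f")"
    days="$(days_left "$enddate")"
    if [ "$days" -lt "$threshold" ]; then
      printf '%s\t%s\n' "$days" "$subject"
    fi
  done
  rm -rf "$dir"
}

# main: show what is expiring, show the installed nicknames, and print the
# two commands still to be run by hand (delete on the master, certupdate on
# every enrolled machine so /etc/ipa/ca.crt and the NSS databases are refreshed).
main() {
  echo "CAs in $BUNDLE ($(pem_count "$BUNDLE") total) expiring within $THRESHOLD_DAYS days:"
  report_expiring "$BUNDLE" "$THRESHOLD_DAYS"
  echo
  echo "Installed CA nicknames (match the subject above to a nickname):"
  ipa-cacert-manage list
  echo
  echo "Next, on the IPA master:         ipa-cacert-manage delete NICKNAME"
  echo "Then on every enrolled host:     ipa-certupdate"
}

# Run only when invoked as "bash this-script.sh run", so the functions can
# also be sourced and used on their own.
if [ "${1:-}" = "run" ]; then main; fi
```

The delete step is deliberately left to the operator: ipa-cacert-manage delete removes the CA from the IPA trust store on the master, and until ipa-certupdate has been run on each enrolled machine the old CA is still present in that machine's /etc/ipa/ca.crt and NSS databases, which is exactly what the two healthcheck checks above are reading.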