Dungan, Scott A. via FreeIPA-users wrote:
> Thank you, Flo. The “ipa-cacert-manage delete …” command, followed by
> “ipa-certupdate” removed the invalid CA entries from the IPA servers
> (verified by looking at /etc/ipa/ca.crt). We also ran ipa-certupdate on
> all enrolled clients.
>
> One issue: We have three IPA servers. On two, healthcheck completes
> without error or warnings, but on one server healthcheck reports:
>
> [
>   {
>     "source": "ipahealthcheck.ds.nss_ssl",
>     "check": "NssCheck",
>     "result": "ERROR",
>     "uuid": "2537646d-88d9-4d26-8a38-dd445f1250bd",
>     "when": "20240917154901Z",
>     "duration": "0.390482",
>     "kw": {
>       "key": "DSCERTLE0001",
>       "items": [
>         "Expiring Certificate"
>       ],
>       "msg": "The certificate (Server-Cert) will expire in less than 30 days"
>     }
>   }
> ]
>
> ipa-cacert-manage list on that server only shows the single internal CA
> as expected, and /etc/ipa/ca.crt has one entry. Can you advise how to
> find this ghost “Server-Cert” that healthcheck finds on only one server?
This is the certificate used by the LDAP server and is unrelated to CA
certificates.
To see the certificate tracking run: getcert list and look for the
certificate stored in the NSS database in /etc/dirsrv/slapd-REALM.
If it has an issuer of the IPA CA you can force renew it using: getcert
resubmit -i <id of tracking request>
It should be automatically renewed by certmonger in a few days
(at 28).
rob
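The steps in the reply above (find the LDAP server certificate's tracking request in getcert list, check that the IPA CA issued it, then resubmit it) as an added Python example; this is not code from the thread or from FreeIPA, it parses a constructed getcert list excerpt whose request IDs, realm, host and dates are made up, and it uses the "when" timestamp of the healthcheck output above as the reference time.

```python
import re
from datetime import datetime, timezone

# Constructed `getcert list` excerpt (ids, realm, host and dates are made up).
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20210915120000':
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=ipa1.example.test,O=EXAMPLE.TEST
\texpires: 2024-10-10 14:49:01 UTC
Request ID '20210915120001':
\tcertificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\texpires: 2026-03-01 00:00:00 UTC
"""

# The "when" timestamp from the healthcheck finding quoted in the thread.
HEALTHCHECK_WHEN = datetime(2024, 9, 17, 15, 49, 1, tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Return one dict of 'field: value' pairs per tracking request."""
    requests = []
    for block in re.split(r"^Request ID '", text, flags=re.M)[1:]:
        req_id, _, body = block.partition("':")
        fields = {"id": req_id}
        for line in body.splitlines():
            key, sep, value = line.strip().partition(": ")
            if sep:
                fields[key] = value
        requests.append(fields)
    return requests


def ldap_server_cert_requests(text, now, ipa_ca_cn="Certificate Authority"):
    """Requests whose cert lives in a 389-ds NSS DB (/etc/dirsrv/slapd-*)."""
    found = []
    for req in parse_getcert_list(text):
        m = re.search(r"location='(/etc/dirsrv/slapd-[^']+)',nickname='([^']+)'", req.get("certificate", ""))
        if not m:
            continue  # not the LDAP server certificate
        expires = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S %Z")
        days_left = (expires.replace(tzinfo=timezone.utc) - now).days
        from_ipa_ca = req.get("issuer", "").startswith(f"CN={ipa_ca_cn},")
        found.append({
            "id": req["id"], "nssdb": m.group(1), "nickname": m.group(2),
            "days_left": days_left, "issued_by_ipa_ca": from_ipa_ca,
            # certmonger renews on its own at 28 days; resubmit forces it now.
            "action": (f"getcert resubmit -i {req['id']}" if from_ipa_ca
                       else "not issued by the IPA CA: renew it outside certmonger"),
        })
    return found
```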
>
> *From:*Florence Blanc-Renaud <[email protected]>
> *Sent:* Tuesday, September 17, 2024 12:02 AM
> *To:* FreeIPA users list <[email protected]>
> *Cc:* Dungan, Scott A. <[email protected]>
> *Subject:* Re: [Freeipa-users] Healthcheck error: expiring unused external CA
>
> Hi,
>
> On Mon, Sep 16, 2024 at 11:36 PM Dungan, Scott A. via FreeIPA-users
> <[email protected]
> <mailto:[email protected]>> wrote:
>
> Running ipa-server version 4.9.13-12 on RHEL8 we are getting the
> following error/warning with ipa-healthcheck:
>
> [
>   {
>     "source": "ipahealthcheck.ds.nss_ssl",
>     "check": "NssCheck",
>     "result": "ERROR",
>     "uuid": "1a2798fd-7fa5-4132-a288-7975f2c32b60",
>     "when": "20240916211906Z",
>     "duration": "0.498443",
>     "kw": {
>       "key": "DSCERTLE0001",
>       "items": [
>         "Expiring Certificate"
>       ],
>       "msg": "The certificate (CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US) will expire in less than 30 days"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACAChainExpirationCheck",
>     "result": "WARNING",
>     "uuid": "7c1317a8-fbf6-46c4-98a1-15b62f655df8",
>     "when": "20240916211911Z",
>     "duration": "0.014042",
>     "kw": {
>       "path": "/etc/ipa/ca.crt",
>       "key": "CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US",
>       "days": 19,
>       "msg": "CA '{key}' in {path} is expiring in {days} days."
>     }
>   }
> ]
>
> This is the external commercial CA that I believe was added at the
> inception of the domain to allow for trusted user connections to the
> web UI for self-service. That was reverted back to using an internal
> certificate for the web UI more than three years ago, so the
> InCommon CA is no longer required.
>
> The tool "ipa-cacert-manage delete NICKNAME" can help you remove this
> CA. You can start with "ipa-cacert-manage list" which will print out the
> nicknames, identify the nickname used for your CA to remove, then use
> "ipa-cacert-manage delete NICKNAME".
>
> Note: after the removal, ipa-certupdate needs to be run on each machine
> enrolled in the IPA domain in order to update the trusted CA list (for
> instance in /etc/ipa/ca.crt or in the NSS databases).
>
> flo
>
> Running getcert list shows that certmonger is not tracking either
> the CA (which makes sense), nor any certificates issued by the CA.
> ipa cert-find shows 50 certificates all issued by the internal IPA CA.
>
> I would like to remove all references to the old CA from IPA and
> resolve the healthcheck error. Any help would be appreciated.
>
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue