LHEUREUX Bernard via FreeIPA-users wrote:
> Hello all,
>
> I’ve got a FreeIPA infra running on AlmaLinux 8.10 and totally
> up-to-date with a trust-AD-domain
>
> I find some strange errors when I run “ipa-healthcheck --failures-only”
> those errors refer to an old server that has been removed from the
> FreeIPA infra for a long time and all has been removed from DNS and
> everything, but apparently some old related things remain, but I cannot
> find where…
> I cannot find the name of that no longer existing server anywhere on the
> machines running the FreeIPA server and replicas...
>
> How could I fix that?
>
> Thanks for your help.
>
> # ipa-healthcheck --failures-only
> 
> Internal server error
> HTTPSConnectionPool(host='srvmiddl03.domain.intra', port=443): Max
> retries exceeded with url: /ca/rest/certs/search?size=3 (Caused by
> NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object
> at 0x7fa37a4f8dd8>: Failed to establish a new connection: [Errno -2]
> Name or service not known',))
> 
> Unable to reach KRA at https://srvmid03.domain.intra:443:
> HTTPSConnectionPool(host='srvmiddl03.domain.intra', port=443): Max
> retries exceeded with url: /kra/admin/kra/getStatus (Caused by
> NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object
> at 0x7fa37a4f8e48>: Failed to establish a new connection: [Errno -2]
> Name or service not known',))
> 
> [
>   {
>     "source": "pki.server.healthcheck.clones.connectivity_and_data",
>     "check": "ClonesConnectivyAndDataCheck",
>     "result": "ERROR",
>     "uuid": "6f63aaf6-2079-4f60-ac2e-c47f7a9ae03f",
>     "when": "20241108094743Z",
>     "duration": "0.063539",
>     "kw": {
>       "status": "ERROR:  pki-tomcat : Internal error testing CA clone. Host: srvmiddl03.domain.intra Port: 443"
>     }
>   },
>   {
>     "source": "pki.server.healthcheck.clones.connectivity_and_data",
>     "check": "ClonesConnectivyAndDataCheck",
>     "result": "ERROR",
>     "uuid": "1f9569b5-224f-488e-823d-15cfc3fbf782",
>     "when": "20241108094744Z",
>     "duration": "0.982430",
>     "kw": {
>       "status": "ERROR:  pki-tomcat : Unable to reach KRA at
> https://srvmid03.domain.intra:443:
> HTTPSConnectionPool(host='srvmiddl03.domain.intra', port=443): Max
> retries exceeded with url: /kra/admin/kra/getStatus (Caused by
> NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object
> at 0x7fa37a4f8e48>: Failed to establish a new connection: [Errno -2]
> Name or service not known',))"
>     }
>   },


Try pki securitydomain-host-find to see if that is where the host
remains. See
https://rcritten.wordpress.com/2023/04/28/dogtag-pki-security-domain-management/
on how to remove it.

>   {
>     "source": "pki.server.healthcheck.meta.csconfig",
>     "check": "KRADogtagCertsConfigCheck",
>     "result": "ERROR",
>     "uuid": "c4419f0e-0598-4f93-a92e-dc74b9418d88",
>     "when": "20241108095410Z",
>     "duration": "0.035134",
>     "kw": {
>       "key": "kra_sslserver",
>       "nickname": "Server-Cert cert-pki-ca",
>       "directive": "kra.sslserver.cert",
>       "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
>       "msg": "Certificate 'Server-Cert cert-pki-ca' does not match the
> value of kra.sslserver.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
>     }
>   },
>   {
>     "source": "pki.server.healthcheck.meta.csconfig",
>     "check": "KRADogtagCertsConfigCheck",
>     "result": "ERROR",
>     "uuid": "240a2325-0c76-4638-98a2-064ae5a5b002",
>     "when": "20241108095410Z",
>     "duration": "0.067181",
>     "kw": {
>       "key": "kra_subsystem",
>       "nickname": "subsystemCert cert-pki-ca",
>       "directive": "kra.subsystem.cert",
>       "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
>       "msg": "Certificate 'subsystemCert cert-pki-ca' does not match the
> value of kra.subsystem.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
>     }
>   },
>   {
>     "source": "pki.server.healthcheck.meta.csconfig",
>     "check": "KRADogtagCertsConfigCheck",
>     "result": "ERROR",
>     "uuid": "2b2239b4-543d-4826-b13b-d0ec736f959d",
>     "when": "20241108095410Z",
>     "duration": "0.099616",
>     "kw": {
>       "key": "kra_transport",
>       "nickname": "transportCert cert-pki-kra",
>       "directive": "kra.transport.cert",
>       "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
>       "msg": "Certificate 'transportCert cert-pki-kra' does not match
> the value of kra.transport.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
>     }
>   },
>   {
>     "source": "pki.server.healthcheck.meta.csconfig",
>     "check": "KRADogtagCertsConfigCheck",
>     "result": "ERROR",
>     "uuid": "9dd366cc-d421-4e50-86f4-62c58b512ec8",
>     "when": "20241108095410Z",
>     "duration": "0.132474",
>     "kw": {
>       "key": "kra_storage",
>       "nickname": "storageCert cert-pki-kra",
>       "directive": "kra.storage.cert",
>       "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
>       "msg": "Certificate 'storageCert cert-pki-kra' does not match the
> value of kra.storage.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
>     }
>   },
>   {
>     "source": "pki.server.healthcheck.meta.csconfig",
>     "check": "KRADogtagCertsConfigCheck",
>     "result": "ERROR",
>     "uuid": "273a6f31-b66f-43c4-90ac-7069db9d8fe4",
>     "when": "20241108095410Z",
>     "duration": "0.165108",
>     "kw": {
>       "key": "kra_audit_signing",
>       "nickname": "auditSigningCert cert-pki-kra",
>       "directive": "kra.audit_signing.cert",
>       "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
>       "msg": "Certificate 'auditSigningCert cert-pki-kra' does not match
> the value of kra.audit_signing.cert in
> /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
>     }
>   },

These are all for the local host, noting that the KRA certificates have
been renewed and don't match the values stored in its configuration
files. You'd want to use certutil -L -d /var/lib/pki/pki-tomcat/alias -n
<nickname> -a to pull the cert, or certs, that are present. Find the
latest one then add that to the configuration file to replace the
existing one.

Backup CS.cfg before doing anything.
I'd do this with the KRA not running.

> 
>   {
>     "source": "ipahealthcheck.dogtag.ca",
>     "check": "DogtagCertsConfigCheck",
>     "result": "ERROR",
>     "uuid": "24a3b4a5-25fc-41d4-9d98-b1e2ff4020bc",
>     "when": "20241108095411Z",
>     "duration": "0.456625",
>     "kw": {
>       "key": "transportCert cert-pki-kra",
>       "directive": "ca.connector.KRA.transportCert",
>       "configfile": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
>       "msg": "Certificate 'transportCert cert-pki-kra' does not match
> the value of ca.connector.KRA.transportCert in
> /var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
>     }
>   }

Pretty much the same as above, just for the CA instead of the KRA.

rob

> 
> ]
> 
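The KRA and CA fixes in the reply above are the same procedure repeated per directive: pull the cert(s) for a nickname out of the NSS database with certutil, compare against the value in CS.cfg, and replace the stale value. The script below is an added example (not FreeIPA, Dogtag or the list poster's code) that does that comparison and rewrite. It assumes CS.cfg stores each certificate as a single-line, header-less base64 DER string after `directive=`, that `certutil -L -d <db> -n <nick> -a` prints one or more PEM blocks, and that the directive/nickname pairs are the ones reported in the healthcheck output; the sample certificate strings and config lines are constructed so it runs offline.

```python
"""Compare Dogtag CS.cfg certificate directives with certs in the NSS database.

Added example, not FreeIPA/Dogtag code.  Assumptions: CS.cfg holds
`directive=<base64 DER on one line>`; `certutil -L -d <db> -n <nick> -a`
prints PEM; directive->nickname pairs come from the healthcheck messages.
"""
import base64
import re
import shutil
import subprocess
import textwrap
from typing import Dict, List, Optional

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# directive -> NSS nickname, as reported by KRADogtagCertsConfigCheck above
KRA_DIRECTIVES: Dict[str, str] = {
    "kra.sslserver.cert": "Server-Cert cert-pki-ca",
    "kra.subsystem.cert": "subsystemCert cert-pki-ca",
    "kra.transport.cert": "transportCert cert-pki-kra",
    "kra.storage.cert": "storageCert cert-pki-kra",
    "kra.audit_signing.cert": "auditSigningCert cert-pki-kra",
}
# and the one the CA-side DogtagCertsConfigCheck reported
CA_DIRECTIVES: Dict[str, str] = {
    "ca.connector.KRA.transportCert": "transportCert cert-pki-kra",
}


def pem_to_cscfg_values(pem_text: str) -> List[str]:
    """Every PEM cert in `pem_text`, reduced to the header-less single-line
    base64 form CS.cfg uses (assumed format).  Malformed base64 raises."""
    values = []
    for match in PEM_RE.finditer(pem_text):
        b64 = "".join(match.group(1).split())
        base64.b64decode(b64, validate=True)  # fail loudly on truncated output
        values.append(b64)
    return values


def read_directive(cfg_text: str, directive: str) -> Optional[str]:
    """Value of `directive=...` in CS.cfg, or None when the key is absent."""
    for line in cfg_text.splitlines():
        if line.startswith(directive + "="):
            return line[len(directive) + 1:].strip()
    return None


def set_directive(cfg_text: str, directive: str, value: str) -> str:
    """CS.cfg text with `directive` set to `value` (appended if missing);
    every other line is left exactly as it was."""
    lines = cfg_text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if line.startswith(directive + "="):
            lines[i] = f"{directive}={value}\n"
            break
    else:
        if lines and not lines[-1].endswith("\n"):
            lines[-1] += "\n"
        lines.append(f"{directive}={value}\n")
    return "".join(lines)


def check_directive(cfg_text: str, directive: str, pem_text: str) -> dict:
    """Does the configured value equal any cert certutil returned for the nick?"""
    current = read_directive(cfg_text, directive)
    candidates = pem_to_cscfg_values(pem_text)
    return {
        "directive": directive,
        "configured": current is not None,
        "matches": current is not None and current in candidates,
        "candidates": len(candidates),  # >1: several certs share the nickname
    }


def dump_nickname(dbdir: str, nickname: str) -> str:
    """Run `certutil -L -d <dbdir> -n <nickname> -a` (needs nss-tools)."""
    if shutil.which("certutil") is None:
        raise RuntimeError("certutil not found; install nss-tools")
    return subprocess.run(["certutil", "-L", "-d", dbdir, "-n", nickname, "-a"],
                          check=True, capture_output=True, text=True).stdout


def _to_pem(b64: str) -> str:
    body = "\n".join(textwrap.wrap(b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample data: NOT real certificates, only base64 strings shaped
# like CS.cfg values, so the comparison logic can be exercised offline.
SAMPLE_OLD = base64.b64encode(b"constructed, not a certificate: pre-renewal").decode()
SAMPLE_NEW = base64.b64encode(b"constructed, not a certificate: renewed 2024").decode()
SAMPLE_PEM = _to_pem(SAMPLE_OLD) + _to_pem(SAMPLE_NEW)  # like `certutil -a` output
SAMPLE_CFG = f"kra.transport.cert={SAMPLE_OLD}\nkra.storage.cert=STALEVALUE\n"

if __name__ == "__main__":
    for d in ("kra.transport.cert", "kra.storage.cert"):
        print(check_directive(SAMPLE_CFG, d, SAMPLE_PEM))
    # On a real server (KRA stopped, CS.cfg backed up first) the same call is:
    #   pem = dump_nickname("/var/lib/pki/pki-tomcat/alias", KRA_DIRECTIVES[d])
    #   cfg = open("/var/lib/pki/pki-tomcat/kra/conf/CS.cfg").read()
    #   print(check_directive(cfg, d, pem))
```

When `candidates` is greater than one, the nickname has several certificates in the database and, as the reply says, the newest one is the value to write; `certutil -L -d /var/lib/pki/pki-tomcat/alias -n <nickname>` without `-a` prints each certificate's validity period so you can pick it, then `set_directive()` produces the replacement file to write back over the backed-up CS.cfg.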

-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
