It's weird that none of the CAs know about this cert. Please provide the
tracking on the server with the healthcheck error using:

# getcert list -i 20250613075922

That output will determine the next steps.

rob

LHEUREUX Bernard wrote:
> On all four replicas we get:
> # ipa cert-show 15707821147
> ipa: ERROR: Request failed with status 404: Non-2xx response from CA REST
> API: 404. Certificate ID 0x3a842545b not found (404)
>
>
> -----Original Message-----
> From: Rob Crittenden <rcrit...@redhat.com>
> Sent: Monday, 23 June 2025 16:12
> To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
> Cc: LHEUREUX Bernard <bernard.lheur...@staff.win.be>
> Subject: Re: [Freeipa-users] IPACertRevocation Error reported by
> ipa-healthcheck
>
> LHEUREUX Bernard via FreeIPA-users wrote:
>> Hello to all of you,
>>
>> We have an infrastructure of 4 FreeIPA servers (replicas) and one of
>> them reports this error message in ipa-healthcheck:
>>
>> ra.get_certificate(): Request failed with status 404: Non-2xx response
>> from CA REST API: 404. Certificate ID 0x3a842545b not found (404)
>>
>> [
>>   {
>>     "source": "ipahealthcheck.ipa.certs",
>>     "check": "IPACertRevocation",
>>     "result": "ERROR",
>>     "uuid": "a0c94d44-8e26-444d-87d0-ba985250e6d4",
>>     "when": "20250623104349Z",
>>     "duration": "2.257779",
>>     "kw": {
>>       "key": "20250613075922",
>>       "serial": 15707821147,
>>       "error": "Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x3a842545b not found (404)",
>>       "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
>>     }
>>   }
>> ]
>>
>> No problem apparently on this infrastructure, and this message is only
>> reported on one of the 4 replicas…
>>
>> How could I repair or clear this message?
>
> It tried to check the revocation status of a cert with serial number
> 15707821147 and the CA returned a 404, certificate not found.
>
> It could point to replication issues of the CA LDAP backend.
>
> On each CA server I'd verify that they all know about the cert by
> running: ipa cert-show 15707821147
>
> We know that at least one will fail.
>
> rob
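
A triage helper for the steps discussed in this thread, added here as an example (not code from the thread or from FreeIPA): it reads ipa-healthcheck JSON, picks out failed IPACertRevocation results, and checks that the hex certificate ID in the CA's 404 is the same serial the check asked about. The function name `triage` and the output field names are assumptions; the sample input is the result quoted in the thread.

```python
import json
import re

# Sample input: the ipa-healthcheck result quoted in the thread.
SAMPLE = r'''[
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "a0c94d44-8e26-444d-87d0-ba985250e6d4",
    "when": "20250623104349Z",
    "duration": "2.257779",
    "kw": {
      "key": "20250613075922",
      "serial": 15707821147,
      "error": "Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x3a842545b not found (404)",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  }
]'''

def triage(healthcheck_json):
    """Return one finding per failed IPACertRevocation result (hypothetical helper)."""
    findings = []
    for result in json.loads(healthcheck_json):
        if result.get("check") != "IPACertRevocation" or result.get("result") == "SUCCESS":
            continue
        kw = result.get("kw", {})
        if "serial" not in kw or "key" not in kw:
            continue  # failure that does not name a certificate; nothing to look up
        serial, key = int(kw["serial"]), kw["key"]
        # The CA reports the serial in hex, ipa-healthcheck and ipa cert-show use decimal.
        m = re.search(r"Certificate ID (0x[0-9a-fA-F]+) not found", kw.get("error", ""))
        findings.append({
            "request_id": key,
            "serial_dec": serial,
            "serial_hex": hex(serial),
            # True when the CA's 404 names the same cert the check asked about
            "ca_404_matches": bool(m) and int(m.group(1), 16) == serial,
            # Follow-up commands as given in the thread
            "commands": [f"getcert list -i {key}", f"ipa cert-show {serial}"],
        })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["request_id"], f["serial_dec"], f["serial_hex"], f["ca_404_matches"])
        print("\n".join(f["commands"]))
```

Run `ipa cert-show` on every CA replica and `getcert list -i` on the server that reports the healthcheck error, as the thread describes.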