Hello,
How or what does it use to compare with?
I see a cert in the nssdb with the correct nickname.
certutil -L -d /etc/pki/nssdb
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
host/idm2.x.y u,u,u
I also see the other side of the same coin....
getcert list -c IPA | grep -A15 20191122115414
Request ID '20191122115414':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='host/idm2.x.y',token='NSS Certificate DB'
certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='host/idm2.x.y',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=X.Y
subject: CN=idm2.x.y,O=X.Y
expires: 2021-11-22 11:54:15 UTC
principal name: host/[email protected]
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Not sure that I want to delete either.
Thanks!
David Patterson
-----Original Message-----
From: Rob Crittenden <[email protected]>
Sent: Monday, January 11, 2021 11:07 AM
To: FreeIPA users list <[email protected]>
Cc: Patterson, David <[email protected]>
Subject: [EXTERNAL] Re: [Freeipa-users] ipa healthcheck issue
Patterson, David via FreeIPA-users wrote:
> Hello,
>
> Running RHEL 7.9, ipa 4.6.8-5 and freeipa-healthcheck 0.3-2 backported
> for RHEL 7.
>
> Ipa healthcheck output
>
> [
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "kw": {
>       "msg": "Unable to retrieve cert 'host/idm2.X.Y' from '/etc/pki/nssdb': Failed to get host/idm2.X.Y",
>       "nickname": "host/idm2.X.Y",
>       "dbdir": "/etc/pki/nssdb",
>       "key": "20191122115414",
>       "error": "Failed to get host/idm2.X.Y"
>     },
>     "uuid": "64d9b118-e588-4dbb-99e1-6ef11e495ed5",
>     "duration": "0.382404",
>     "when": "20210107005140Z",
>     "check": "IPACertfileExpirationCheck",
>     "result": "ERROR"
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "kw": {
>       "msg": "Unknown certmonger id 20191122115414",
>       "key": "20191122115414"
>     },
>     "uuid": "1b4bba70-08e0-43dc-8984-657cc47fd339",
>     "duration": "1.109733",
>     "when": "20210107005142Z",
>     "check": "IPACertTracking",
>     "result": "WARNING"
>   }
> ]
>
> How do I correct these issues?
They are two sides of the same coin. You have an unknown certificate request
being tracked by certmonger.
In this case the nickname host/idm2.X.Y in /etc/pki/nssdb.
Looks like there isn't a nickname with this value in that NSS database which
explains the first error.
I suspect that someone did some manual tracking changes and got this one wrong.
It isn't something that IPA would have configured.
Is it safe to delete this tracking request? Probably. But I'd double and triple
check before doing so. It's unclear what the original purpose of creating it was.
rob
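
An added example, not part of either message and not FreeIPA's own code: a short Python script that groups ipa-healthcheck findings by kw.key, which in the two findings quoted above equals the certmonger request ID, so paired results like these collapse into one item to investigate. The embedded JSON is a constructed sample trimmed from the output in this thread, and the function names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample: the two findings quoted in this thread, trimmed to the
# fields this script reads.
SAMPLE = r'''
[
  {"source": "ipahealthcheck.ipa.certs", "check": "IPACertfileExpirationCheck", "result": "ERROR",
   "kw": {"msg": "Unable to retrieve cert 'host/idm2.X.Y' from '/etc/pki/nssdb': Failed to get host/idm2.X.Y",
          "nickname": "host/idm2.X.Y", "dbdir": "/etc/pki/nssdb",
          "key": "20191122115414", "error": "Failed to get host/idm2.X.Y"}},
  {"source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking", "result": "WARNING",
   "kw": {"msg": "Unknown certmonger id 20191122115414", "key": "20191122115414"}}
]
'''

# ipa-healthcheck result levels, lowest to highest.
SEVERITY = {"SUCCESS": 0, "WARNING": 1, "ERROR": 2, "CRITICAL": 3}

def group_by_request(findings):
    """Group non-SUCCESS findings by kw.key (assumed to be the certmonger request ID)."""
    groups = defaultdict(lambda: {"checks": [], "worst": "SUCCESS", "nickname": None, "dbdir": None})
    for f in findings:
        result = f.get("result", "SUCCESS")
        kw = f.get("kw") or {}
        key = kw.get("key")
        if result == "SUCCESS" or key is None:
            continue
        g = groups[str(key)]
        g["checks"].append(f.get("check", "?"))
        if SEVERITY.get(result, 0) > SEVERITY[g["worst"]]:
            g["worst"] = result
        # Not every finding carries nickname/dbdir; keep the first one seen.
        g["nickname"] = g["nickname"] or kw.get("nickname")
        g["dbdir"] = g["dbdir"] or kw.get("dbdir")
    return dict(groups)

def summarize(raw_json):
    """Return one line per request ID with its worst result and the checks that fired."""
    return [
        f"{key}: {g['worst']} from {', '.join(g['checks'])}; nickname={g['nickname']} dbdir={g['dbdir']}"
        for key, g in sorted(group_by_request(json.loads(raw_json)).items())
    ]

if __name__ == "__main__":
    for line in summarize(SAMPLE):
        print(line)
```

The request ID in each output line is the one to pass to getcert list, and the nickname and dbdir are the ones to pass to certutil -L, as done at the top of this thread.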