On 27/04/2022 15:52, Rob Crittenden wrote:
Sam Morris via FreeIPA-users wrote:
On 27/04/2022 14:09, Sam Morris wrote:
Hi folks. PKI-related commands have started to fail on my setup:

Oh, it turns out this is
<https://bugzilla.redhat.com/show_bug.cgi?id=2006070> again, but this
time manifesting slightly differently: `secret="oldsecret"` was replaced
by `requiredSecret="newsecret"` in </etc/pki/pki-tomcat/server.xml>.

It depends on the version of tomcat you have installed.

Indeed, I'm still a bit confused--I ended up with only the requiredSecret= attribute, and not both secret= and requiredSecret= as in Bugzilla, but it doesn't really matter. I've just taken the new secret value and updated </etc/httpd/conf.d/ipa-pki-proxy.conf> to match.

1. Are the expired certs in CS.cfg causing the problem?

No. According to <https://github.com/dogtagpki/pki/issues/2157> dogtag
doesn't even use them, is that right? In which case should
ipa-healthcheck stop warning about them?

I don't believe they have dropped using the CS.cfg values. The issue is
incorrect as IPA does update these values, because it has to in order
for the CA to work.

You're right, reading that issue again I guess the intention is to move away from storing the certificates in CS.cfg.

2. Which bit of FreeIPA updates the certificate copies in CS.cfg?

I'm now pretty sure FreeIPA doesn't update CS.cfg except for the CA
certificate. And on my CA renewal master, that wouldn't happen because
subsystem.select is set to Clone. Should I change that?

It shouldn't be necessary. IPA doesn't examine this value.

It's checked at <https://github.com/freeipa/freeipa/blob/9d88a2fde795f5189cf3f101678bad2384bf1ef7/install/restart_scripts/renew_ca_cert.in#L112>

And IPA does update CS.cfg for all tracked CA subsystem certificates.

I'd like to figure out why it hasn't happened on my servers... The post-save command (renew_ca_cert) only updates the CA CS.cfg when the CA certificate is renewed; I can't see where the other subsystem certificates get written to either CS.cfg file...

--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
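The failure mode discussed in this thread is a drift between the AJP connector secret in /etc/pki/pki-tomcat/server.xml (attribute `secret=` or `requiredSecret=`, depending on the Tomcat version) and the `secret=` value that /etc/httpd/conf.d/ipa-pki-proxy.conf passes on its ProxyPass lines. The script below is an added consistency check written for this page; it is not code from FreeIPA, Dogtag or anyone in the thread. The two file bodies embedded in it are constructed samples, and the regular expression for the ProxyPass lines assumes the `ProxyPassMatch ajp://localhost:8009 secret=...` form used in the sample.

```python
"""Check that Tomcat's AJP secret and Apache's proxy secret agree.

Added example (not FreeIPA code).  SERVER_XML and PROXY_CONF are
constructed samples that reproduce the mismatch described in the thread.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample: only the requiredSecret= attribute survives, as in the thread.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="localhost" requiredSecret="newsecret"/>
  </Service>
</Server>
"""

# Constructed sample: Apache still carries the old value.
PROXY_CONF = """ProxyRequests Off
<LocationMatch "^/ca/ee/ca/checkRequest">
    ProxyPassMatch ajp://localhost:8009 secret=oldsecret
    ProxyPassReverse ajp://localhost:8009
</LocationMatch>
<LocationMatch "^/ca/agent/ca/profileReview">
    ProxyPassMatch ajp://localhost:8009 secret=oldsecret
    ProxyPassReverse ajp://localhost:8009
</LocationMatch>
"""

# ProxyPass / ProxyPassMatch lines carrying a secret= parameter.
# ProxyPassReverse is excluded by the word boundary after "ProxyPass(Match)".
PROXYPASS_RE = re.compile(r"^\s*ProxyPass(?:Match)?\b.*?\bsecret=(\S+)", re.M)


def tomcat_ajp_secrets(server_xml: str) -> dict:
    """Return {attribute: value} for secret attributes on AJP connectors.

    Tomcat accepts 'requiredSecret' (older) or 'secret' (newer); a file
    may end up with either, or with both after a package upgrade.
    """
    found = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "").startswith("AJP"):
            continue
        for attr in ("secret", "requiredSecret"):
            if attr in conn.attrib:
                found[attr] = conn.attrib[attr]
    return found


def apache_ajp_secrets(proxy_conf: str) -> set:
    """Return the set of distinct secret= values on ProxyPass lines."""
    return set(PROXYPASS_RE.findall(proxy_conf))


def check_ajp_secret(server_xml: str, proxy_conf: str) -> list:
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    tomcat = tomcat_ajp_secrets(server_xml)
    apache = apache_ajp_secrets(proxy_conf)
    if not tomcat:
        findings.append("server.xml: AJP connector has no secret/requiredSecret attribute")
    elif len(tomcat) > 1:
        findings.append("server.xml: both secret= and requiredSecret= are present: %r" % tomcat)
    if not apache:
        findings.append("ipa-pki-proxy.conf: no ProxyPass line with secret= found")
    elif len(apache) > 1:
        findings.append("ipa-pki-proxy.conf: ProxyPass lines use different secrets: %r" % sorted(apache))
    if tomcat and apache and set(tomcat.values()) != apache:
        findings.append("secret mismatch: tomcat=%r apache=%r"
                        % (sorted(set(tomcat.values())), sorted(apache)))
    return findings


if __name__ == "__main__":
    # With two paths on the command line, check the real files; otherwise
    # run against the constructed samples, which report one mismatch.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            result = check_ajp_secret(f.read(), g.read())
    else:
        result = check_ajp_secret(SERVER_XML, PROXY_CONF)
    for line in result:
        print("WARNING:", line)
    sys.exit(1 if result else 0)
```

Run it as `python3 check_ajp_secret.py /etc/pki/pki-tomcat/server.xml /etc/httpd/conf.d/ipa-pki-proxy.conf` on an IPA CA host; a non-zero exit with a "secret mismatch" line is the condition that made the PKI commands in this thread fail, and the fix is the one Sam applied: copy the value Tomcat is actually using into the ProxyPass lines and reload httpd.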
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]