Rob, actually, I started digging and I see that the first account creation time is in April 2015. However, the CA certificate creation time is in July 2017. So maybe in 2017 I had run the 'ipa-cacert-manage renew' command ¯\_(ツ)_/¯
Ivars

> On 7 Jul 2022, at 17:36, Ivars Strazdins <[email protected]> wrote:
>
> Hello Rob,
> thanks for answering! Please see my answers below.
>
>> On 7 Jul 2022, at 17:13, Rob Crittenden <[email protected]> wrote:
>>
>> Ivars Strazdins via FreeIPA-users wrote:
>>> Hi guys,
>>> after upgrading FreeIPA from 4.6.8 to 4.9.8 I was able to run
>>> ipa-healthcheck for the first time.
>>> Now I am facing two errors:
>>>
>>> # ipa-healthcheck
>>> Unhandler rdtype 256
>>> Unhandler rdtype 256
>>> Unhandler rdtype 256
>>> Unhandler rdtype 256
>>> Unhandler rdtype 256
>>> Unhandler rdtype 256
>>> Unhandler rdtype 256
>>> Unhandler rdtype 256
>>>
>>> [
>>>   {
>>>     "source": "pki.server.healthcheck.meta.csconfig",
>>>     "check": "CADogtagCertsConfigCheck",
>>>     "result": "ERROR",
>>>     "uuid": "92710f34-de94-4226-a81c-3e1d116c6410",
>>>     "when": "20220707130401Z",
>>>     "duration": "0.324141",
>>>     "kw": {
>>>       "key": "ca_signing",
>>>       "nickname": "caSigningCert cert-pki-ca",
>>>       "directive": "ca.signing.cert",
>>>       "configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
>>>       "msg": "Certificate 'caSigningCert cert-pki-ca' does not match the value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
>>>     }
>>>   },
>>
>> This compares the value of the certificate in the NSS database to the
>> value in CS.cfg. They should match.
>>
>>>   {
>>>     "source": "ipahealthcheck.ipa.certs",
>>>     "check": "IPADogtagCertsMatchCheck",
>>>     "result": "ERROR",
>>>     "uuid": "b26ad134-e798-4e21-961a-bc17899ac267",
>>>     "when": "20220707130408Z",
>>>     "duration": "0.162734",
>>>     "kw": {
>>>       "key": "caSigningCert cert-pki-ca",
>>>       "nickname": "caSigningCert cert-pki-ca",
>>>       "dbdir": "/etc/pki/pki-tomcat/alias",
>>>       "msg": "{nickname} certificate in NSS DB {dbdir} does not match entry in LDAP"
>>>     }
>>>   }
>>
>> I find it unusual that the CA certificate is different in two different
>> places, both CS.cfg and LDAP. It could be a formatting difference
>> between the two.
>>
>> It's also strange that the IPA CA is included twice in the pki database.
>> The caSigningCert cert-pki-ca and EXAMPLE.COM IPA CA should be the same
>> certificate. Can you confirm that they are?
>
> Yes, I get exactly the same output when I run the commands
> certutil -L -d /etc/pki/pki-tomcat/alias -a -n 'DOMAIN.COM IPA CA'
>
> and
> certutil -L -d /etc/pki/pki-tomcat/alias -a -n 'caSigningCert cert-pki-ca'
>
>> Did you happen to run ipa-cacert-manage renew some time in the past?
>
> Not that I remember doing that recently, but this particular FreeIPA instance
> has been running for 5 years (CA being generated in July 2017) and I may not
> remember everything.
> Then again, I can't remember any particular reason to run ipa-cacert-manage.
>
> With kind regards,
> Ivars
>
>> rob
>>
>>> ]
>>>
>>> certutil output is:
>>>
>>> # certutil -L -d /etc/pki/pki-tomcat/alias/
>>>
>>> Certificate Nickname                                         Trust Attributes
>>>                                                              SSL,S/MIME,JAR/XPI
>>>
>>> CN=ISRG Root X1,O=Internet Security Research Group,C=US      C,,
>>> CN=ISRG Root X2,O=Internet Security Research Group,C=US      C,,
>>> CN=R3,O=Let's Encrypt,C=US                                   C,,
>>> CN=E1,O=Let's Encrypt,C=US                                   C,,
>>> CN=R4,O=Let's Encrypt,C=US                                   C,,
>>> CN=E2,O=Let's Encrypt,C=US                                   C,,
>>> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
>>> ocspSigningCert cert-pki-ca                                  u,u,u
>>> auditSigningCert cert-pki-ca                                 u,u,Pu
>>> subsystemCert cert-pki-ca                                    u,u,u
>>> EXAMPLE.COM IPA CA                                           CTu,Cu,Cu
>>> Server-Cert cert-pki-ca                                      u,u,u
>>>
>>> How do I fix these errors?
>>> To explain the above Let's Encrypt certificates: our IPA servers' Directory
>>> Server and Apache server use Let's Encrypt certificates that have been
>>> added to FreeIPA with the command "ipa-server-certinstall -w -d ..."
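Rob's remark above that the CADogtagCertsConfigCheck failure could be a pure formatting difference can be tested by normalising both copies before comparing them. The script below is an added example, not code from the thread or from ipa-healthcheck: it strips PEM armour and whitespace, hashes the DER bytes, and compares the NSS database copy (the nickname and paths are the ones quoted in the thread) with the ca.signing.cert line in CS.cfg. It assumes GNU or BusyBox coreutils (base64 -d, sha256sum); the LDAP copy is left out because the thread does not give its location.

```shell
#!/bin/sh
# Added example, not from the thread or from ipa-healthcheck: compare the CA
# certificate held in the NSS database with the ca.signing.cert value in CS.cfg
# after normalising both to one base64 line, so a mere formatting difference
# (PEM armour and line wrapping vs. a single line) is told apart from a real
# mismatch. Paths and nickname are the ones quoted in the thread.

NSSDB=/etc/pki/pki-tomcat/alias
CSCFG=/var/lib/pki/pki-tomcat/ca/conf/CS.cfg
NICK='caSigningCert cert-pki-ca'

# Drop PEM BEGIN/END lines and every whitespace character from stdin.
normalize_b64() {
    grep -v -- '-----' | tr -d ' \t\r\n'
}

# SHA-256 hex digest of the DER bytes encoded by the base64 text on stdin.
# Prints nothing (and fails) on empty input so two missing certs never "match".
der_sha256() {
    b64=$(normalize_b64)
    [ -n "$b64" ] || return 1
    printf '%s' "$b64" | base64 -d | sha256sum | cut -d' ' -f1
}

# Succeeds only when both fingerprints are non-empty and identical.
same_fingerprint() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Live comparison against the real files (run with: sh script.sh --live).
check_ca_signing_cert() {
    nss_fp=$(certutil -L -d "$NSSDB" -a -n "$NICK" | der_sha256)
    cfg_fp=$(sed -n 's/^ca\.signing\.cert=//p' "$CSCFG" | der_sha256)
    echo "NSS DB: ${nss_fp:-<none>}"
    echo "CS.cfg: ${cfg_fp:-<none>}"
    if same_fingerprint "$nss_fp" "$cfg_fp"; then
        echo "OK: same certificate in NSS DB and CS.cfg (formatting only)"
    else
        echo "MISMATCH: CS.cfg does not carry the certificate in the NSS DB"
        return 1
    fi
}

if [ "${1:-}" = "--live" ]; then
    check_ca_signing_cert
fi
```

If the two fingerprints agree, the healthcheck error is an encoding artefact; if they differ, CS.cfg and the NSS database really hold different certificates and the renewal history is worth revisiting.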
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
