Ivars Strazdins wrote:
> Rob,
> actually, I started digging and I see that first account creation time
> is in April 2015.
> However, CA certificate creation time is in July 2017.
> So maybe in 2017 I had run 'ipa-cacert-manage renew' command ¯\_(ツ)_/¯
It isn't anything to worry about, just a head scratcher. NSS allows
multiple nicknames to point to the same certificate so it shouldn't be an
issue.

rob

>
> Ivars
>
>> On 7 Jul 2022, at 17:36, Ivars Strazdins <[email protected]> wrote:
>>
>> Hello Rob,
>> thanks for answering! Please see my answers below.
>>
>>> On 7 Jul 2022, at 17:13, Rob Crittenden <[email protected]> wrote:
>>>
>>> Ivars Strazdins via FreeIPA-users wrote:
>>>> Hi guys,
>>>> after upgrading FreeIPA from 4.6.8 to 4.9.8 I was able to run
>>>> ipa-healthcheck for the first time.
>>>> Now I am facing two errors:
>>>>
>>>> # ipa-healthcheck
>>>> Unhandler rdtype 256
>>>> Unhandler rdtype 256
>>>> Unhandler rdtype 256
>>>> Unhandler rdtype 256
>>>> Unhandler rdtype 256
>>>> Unhandler rdtype 256
>>>> Unhandler rdtype 256
>>>> Unhandler rdtype 256
>>>>
>>>> [
>>>>   {
>>>>     "source": "pki.server.healthcheck.meta.csconfig",
>>>>     "check": "CADogtagCertsConfigCheck",
>>>>     "result": "ERROR",
>>>>     "uuid": "92710f34-de94-4226-a81c-3e1d116c6410",
>>>>     "when": "20220707130401Z",
>>>>     "duration": "0.324141",
>>>>     "kw": {
>>>>       "key": "ca_signing",
>>>>       "nickname": "caSigningCert cert-pki-ca",
>>>>       "directive": "ca.signing.cert",
>>>>       "configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
>>>>       "msg": "Certificate 'caSigningCert cert-pki-ca' does not match
>>>> the value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
>>>>     }
>>>>   },
>>>
>>> This compares the value of the certificate in the NSS database to the
>>> value in CS.cfg. They should match.
>>>
>>>>   {
>>>>     "source": "ipahealthcheck.ipa.certs",
>>>>     "check": "IPADogtagCertsMatchCheck",
>>>>     "result": "ERROR",
>>>>     "uuid": "b26ad134-e798-4e21-961a-bc17899ac267",
>>>>     "when": "20220707130408Z",
>>>>     "duration": "0.162734",
>>>>     "kw": {
>>>>       "key": "caSigningCert cert-pki-ca",
>>>>       "nickname": "caSigningCert cert-pki-ca",
>>>>       "dbdir": "/etc/pki/pki-tomcat/alias",
>>>>       "msg": "{nickname} certificate in NSS DB {dbdir} does not
>>>> match entry in LDAP"
>>>>     }
>>>>   }
>>>
>>>
>>> I find it unusual that the CA certificate is different in two different
>>> places, both CS.cfg and LDAP. It could be a formatting difference
>>> between the two.
>>>
>>> It's also strange that the IPA CA is included twice in the pki database.
>>> The caSigningCert cert-pki-ca and EXAMPLE.COM IPA CA should be the same
>>> certificate. Can you confirm that they are?
>>
>> Yes, I get exactly the same output when I run the commands
>> certutil -L -d /etc/pki/pki-tomcat/alias -a -n 'DOMAIN.COM IPA CA'
>>
>> and
>> certutil -L -d /etc/pki/pki-tomcat/alias -a -n 'caSigningCert cert-pki-ca'
>>
>>>
>>> Did you happen to run ipa-cacert-manage renew some time in the past?
>>
>> Not that I remember doing that recently, but this particular FreeIPA
>> instance has been running for 5 years (CA being generated in July 2017) and I
>> may not remember everything.
>> Then again, I can't remember any particular reason to
>> run ipa-cacert-manage.
>>
>> With kind regards,
>> Ivars
>>
>>>
>>> rob
>>>
>>>
>>>> ]
>>>>
>>>>
>>>> certutil output is:
>>>>
>>>> # certutil -L -d /etc/pki/pki-tomcat/alias/
>>>>
>>>> Certificate Nickname                                         Trust Attributes
>>>>                                                              SSL,S/MIME,JAR/XPI
>>>>
>>>> CN=ISRG Root X1,O=Internet Security Research Group,C=US      C,,
>>>> CN=ISRG Root X2,O=Internet Security Research Group,C=US      C,,
>>>> CN=R3,O=Let's Encrypt,C=US                                   C,,
>>>> CN=E1,O=Let's Encrypt,C=US                                   C,,
>>>> CN=R4,O=Let's Encrypt,C=US                                   C,,
>>>> CN=E2,O=Let's Encrypt,C=US                                   C,,
>>>> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
>>>> ocspSigningCert cert-pki-ca                                  u,u,u
>>>> auditSigningCert cert-pki-ca                                 u,u,Pu
>>>> subsystemCert cert-pki-ca                                    u,u,u
>>>> EXAMPLE.COM IPA CA                                           CTu,Cu,Cu
>>>> Server-Cert cert-pki-ca                                      u,u,u
>>>>
>>>>
>>>> How do I fix these errors?
>>>> To explain the above Letsencrypt certificates - our IPA servers' Directory
>>>> server and Apache server use Letsencrypt certificates that have been
>>>> added to FreeIPA with the command "ipa-server-certinstall -w -d ..."

_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
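Rob's remark that the mismatch "could be a formatting difference between the two" points at the check a practitioner would want before touching anything: pull the three copies of the CA certificate, normalise each to DER, and compare fingerprints, so that a line-wrapping or encoding difference is told apart from a genuinely different certificate (for example a renewed CA that reached the NSS database but not CS.cfg). The Python below is an added example written for this page; it is not code from the thread, from ipa-healthcheck or from FreeIPA/Dogtag. It accepts the PEM that `certutil -L ... -a -n <nickname>` prints, a CS.cfg line of the form `ca.signing.cert=<base64>`, or an LDIF attribute of the form `cACertificate;binary:: <base64>` with continuation lines. That CS.cfg stores the certificate as one bare base64 line, and that the LDAP copy lives in the CA entry under `cn=certificates,cn=ipa,cn=etc`, are my assumptions about the layout, not something the thread states. The sample inputs are constructed from made-up bytes and are not a real certificate.

```python
import base64
import hashlib
import re

# PEM body between BEGIN/END armor lines (what "certutil -L -a -n <nick>" prints).
_PEM_RE = re.compile(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", re.S)
# Dotted CS.cfg directive such as "ca.signing.cert=<base64>"; base64 never contains '.'.
_DIRECTIVE_RE = re.compile(r"\s*(?:[A-Za-z0-9_]+\.)+[A-Za-z0-9_]+=(.*)", re.S)
# LDIF base64 attribute such as "cACertificate;binary:: <base64>"; base64 never contains ':'.
_LDIF_RE = re.compile(r"\s*[A-Za-z][\w;-]*::\s*(.*)", re.S)


def to_der(blob):
    """Normalise a certificate to its DER bytes.

    Accepts PEM, a bare base64 blob, a CS.cfg 'name=<base64>' line or an LDIF
    'attr:: <base64>' attribute (continuation lines start with a space, which
    the whitespace strip removes). Raises ValueError on anything that does not
    decode as base64.
    """
    if isinstance(blob, bytes):
        blob = blob.decode("ascii")
    m = _PEM_RE.search(blob)
    if m:
        body = m.group(1)
    else:
        m = _DIRECTIVE_RE.match(blob) or _LDIF_RE.match(blob)
        body = m.group(1) if m else blob
    body = re.sub(r"\s+", "", body)
    try:
        return base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("not a base64/PEM certificate: %s" % exc) from exc


def fingerprint(der):
    """SHA-256 over the DER encoding, colon-separated like certutil/openssl print it."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def compare_sources(sources):
    """Fingerprint every copy of the certificate and say whether they all agree.

    sources: dict of source name -> certificate text in any supported form.
    Returns (all_match, {name: fingerprint}). A copy that cannot be decoded is
    reported with an 'ERROR: ...' string instead of a fingerprint and counts as
    a mismatch, so a corrupt CS.cfg value is never silently treated as equal.
    """
    fps = {}
    for name, text in sources.items():
        try:
            fps[name] = fingerprint(to_der(text))
        except ValueError as exc:
            fps[name] = "ERROR: %s" % exc
    values = set(fps.values())
    all_match = len(values) == 1 and not next(iter(values)).startswith("ERROR")
    return all_match, fps


# Constructed stand-in for a DER certificate: NOT a real certificate, just bytes
# that exercise the three encodings a real run would read from certutil, CS.cfg
# and ldapsearch output.
_FAKE_DER = bytes(range(256)) * 3
_B64 = base64.b64encode(_FAKE_DER).decode("ascii")

SAMPLE_NSS_PEM = ("-----BEGIN CERTIFICATE-----\n"
                  + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
                  + "\n-----END CERTIFICATE-----\n")
SAMPLE_CS_CFG = "ca.signing.cert=" + _B64 + "\n"
SAMPLE_LDIF = ("cACertificate;binary:: "
               + "\n ".join(_B64[i:i + 76] for i in range(0, len(_B64), 76)) + "\n")
# A constructed, genuinely different blob (think: a renewed CA that reached only one store).
SAMPLE_OTHER = ("-----BEGIN CERTIFICATE-----\n"
                + base64.b64encode(b"\x30\x82" + bytes(range(200))).decode("ascii")
                + "\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python3 certmatch.py nss.pem cscfg.txt ldap.ldif  (one copy per file)
        ok, fps = compare_sources({p: open(p).read() for p in sys.argv[1:]})
    else:
        ok, fps = compare_sources({"nss": SAMPLE_NSS_PEM,
                                   "cs.cfg": SAMPLE_CS_CFG,
                                   "ldap": SAMPLE_LDIF})
    for name, fp in fps.items():
        print("%-12s %s" % (name, fp))
    print("MATCH" if ok else "MISMATCH")
```

On a real server the three inputs would be the output of `certutil -L -d /etc/pki/pki-tomcat/alias -a -n 'caSigningCert cert-pki-ca'` (and the same for the `<REALM> IPA CA` nickname, which the thread confirms is the same certificate), the `ca.signing.cert=` line grepped out of `/var/lib/pki/pki-tomcat/ca/conf/CS.cfg`, and the `cACertificate` attribute of the CA entry fetched with `ldapsearch`. Matching fingerprints with the healthcheck still complaining means the difference is purely in encoding; differing fingerprints mean one store holds an older or newer certificate and the history of `ipa-cacert-manage renew` runs is the first thing to establish.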
