Hi Rob, then both errors reported by ipa-healthcheck are nothing to be worried about in our setup? With kind regards, Ivars
> On 7 Jul 2022, at 20:23, Rob Crittenden <[email protected]> wrote:
>
> Ivars Strazdins wrote:
>> Rob,
>> actually, I started digging and I see that first account creation time
>> is in April 2015.
>> However, CA certificate creation time is in July 2017.
>> So maybe in 2017 I had run 'ipa-cacert-manage renew' command ¯\_(ツ)_/¯
>
> It isn't anything to worry about, just a head scratcher.
>
> NSS allows multiple nicknames to point to the same certificate so it
> shouldn't be an issue.
>
> rob
>
>>
>> Ivars
>>
>>> On 7 Jul 2022, at 17:36, Ivars Strazdins <[email protected]> wrote:
>>>
>>> Hello Rob,
>>> thanks for answering! Please see my answers below.
>>>
>>>> On 7 Jul 2022, at 17:13, Rob Crittenden <[email protected]> wrote:
>>>>
>>>> Ivars Strazdins via FreeIPA-users wrote:
>>>>> Hi guys,
>>>>> after upgrading FreeIPA from 4.6.8 to 4.9.8 I was able to run
>>>>> ipa-healthcheck for the first time.
>>>>> Now I am facing two errors:
>>>>>
>>>>> # ipa-healthcheck
>>>>> Unhandler rdtype 256
>>>>> Unhandler rdtype 256
>>>>> Unhandler rdtype 256
>>>>> Unhandler rdtype 256
>>>>> Unhandler rdtype 256
>>>>> Unhandler rdtype 256
>>>>> Unhandler rdtype 256
>>>>> Unhandler rdtype 256
>>>>>
>>>>> [
>>>>>   {
>>>>>     "source": "pki.server.healthcheck.meta.csconfig",
>>>>>     "check": "CADogtagCertsConfigCheck",
>>>>>     *"result": "ERROR",*
>>>>>     "uuid": "92710f34-de94-4226-a81c-3e1d116c6410",
>>>>>     "when": "20220707130401Z",
>>>>>     "duration": "0.324141",
>>>>>     "kw": {
>>>>>       "key": "ca_signing",
>>>>>       "nickname": "caSigningCert cert-pki-ca",
>>>>>       "directive": "ca.signing.cert",
>>>>>       "configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
>>>>>       "msg": "Certificate 'caSigningCert cert-pki-ca' does not match
>>>>>       the value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
>>>>>     }
>>>>>   },
>>>>
>>>> This compares the value of the certificate in the NSS database to the
>>>> value in CS.cfg. They should match.
>>>>
>>>>>   {
>>>>>     "source": "ipahealthcheck.ipa.certs",
>>>>>     "check": "IPADogtagCertsMatchCheck",
>>>>>     *"result": "ERROR",*
>>>>>     "uuid": "b26ad134-e798-4e21-961a-bc17899ac267",
>>>>>     "when": "20220707130408Z",
>>>>>     "duration": "0.162734",
>>>>>     "kw": {
>>>>>       "key": "caSigningCert cert-pki-ca",
>>>>>       "nickname": "caSigningCert cert-pki-ca",
>>>>>       "dbdir": "/etc/pki/pki-tomcat/alias",
>>>>>       "msg": "{nickname} certificate in NSS DB {dbdir} does not
>>>>>       match entry in LDAP"
>>>>>     }
>>>>>   }
>>>>
>>>>
>>>> I find it unusual that the CA certificate is different in two different
>>>> places, both CS.cfg and LDAP. It could be a formatting difference
>>>> between the two.
>>>>
>>>> It's also strange that the IPA CA is included twice in the pki database.
>>>> The caSigningCert cert-pki-ca and EXAMPLE.COM IPA CA should be the same
>>>> certificate. Can you confirm that they are?
>>>
>>> Yes, I get exactly the same output when I run the commands
>>> certutil -L -d /etc/pki/pki-tomcat/alias -a -n 'DOMAIN.COM IPA CA'
>>>
>>> and
>>> certutil -L -d /etc/pki/pki-tomcat/alias -a -n 'caSigningCert cert-pki-ca'
>>>
>>>>
>>>> Did you happen to run ipa-cacert-manage renew some time in the past?
>>>
>>> Not that I remember doing that recently, but this particular FreeIPA
>>> instance has been running for 5 years (CA being generated in July 2017) and I
>>> may not remember everything.
>>> Then again, I can't remember any particular reason to
>>> run ipa-cacert-manage.
>>>
>>> With kind regards,
>>> Ivars
>>>
>>>>
>>>> rob
>>>>
>>>>
>>>>> ]
>>>>>
>>>>>
>>>>> certutil output is:
>>>>>
>>>>> # certutil -L -d /etc/pki/pki-tomcat/alias/
>>>>>
>>>>> Certificate Nickname                                         Trust Attributes
>>>>>                                                              SSL,S/MIME,JAR/XPI
>>>>>
>>>>> CN=ISRG Root X1,O=Internet Security Research Group,C=US      C,,
>>>>> CN=ISRG Root X2,O=Internet Security Research Group,C=US      C,,
>>>>> CN=R3,O=Let's Encrypt,C=US                                   C,,
>>>>> CN=E1,O=Let's Encrypt,C=US                                   C,,
>>>>> CN=R4,O=Let's Encrypt,C=US                                   C,,
>>>>> CN=E2,O=Let's Encrypt,C=US                                   C,,
>>>>> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
>>>>> ocspSigningCert cert-pki-ca                                  u,u,u
>>>>> auditSigningCert cert-pki-ca                                 u,u,Pu
>>>>> subsystemCert cert-pki-ca                                    u,u,u
>>>>> EXAMPLE.COM IPA CA                                           CTu,Cu,Cu
>>>>> Server-Cert cert-pki-ca                                      u,u,u
>>>>>
>>>>>
>>>>> How do I fix these errors?
>>>>> To explain the above Letsencrypt certificates: our IPA server's Directory
>>>>> Server and Apache server use Letsencrypt certificates that have been
>>>>> added to FreeIPA with the command "ipa-server-certinstall -w -d ..."
>>
>
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
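Both healthcheck errors in the thread compare the same CA certificate as held in different stores (the NSS database, the ca.signing.cert directive in CS.cfg, and LDAP), and Rob notes that a formatting difference alone can trip such a comparison, while two NSS nicknames may legitimately point at one certificate. The Python below is an added example, not code from the thread, from ipa-healthcheck or from Dogtag: it normalizes each representation to DER bytes before comparing and groups NSS nicknames that share a certificate; the PEM text, CS.cfg fragment and DER blob are constructed samples, not real certificates.

```python
import base64
import re
from collections import defaultdict
from typing import Dict, List, Union

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def to_der(cert: Union[str, bytes]) -> bytes:
    """Canonical DER bytes from PEM text (certutil -L -a output), bare base64
    (the ca.signing.cert value in CS.cfg) or raw DER (as stored in LDAP)."""
    if isinstance(cert, bytes):
        if cert.startswith(b"\x30"):  # ASN.1 SEQUENCE tag: already DER
            return cert
        cert = cert.decode("ascii")
    m = PEM_RE.search(cert)
    body = m.group(1) if m else cert
    # drop line wrapping so the 64-column PEM and one-line CS.cfg forms agree
    return base64.b64decode(re.sub(r"\s+", "", body), validate=True)


def cs_cfg_directive(cs_cfg_text: str, directive: str) -> str:
    """Return the value of one key=value directive from CS.cfg text."""
    for line in cs_cfg_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == directive:
            return value.strip()
    raise KeyError(directive)


def certs_match(*certs: Union[str, bytes]) -> bool:
    """True when every certificate given encodes identical DER bytes."""
    return len({to_der(c) for c in certs}) == 1


def nicknames_by_cert(nss_exports: Dict[str, str]) -> List[List[str]]:
    """Group NSS nicknames that point at the same certificate (sorted)."""
    groups = defaultdict(list)
    for nick, pem in nss_exports.items():
        groups[to_der(pem)].append(nick)
    return sorted(sorted(v) for v in groups.values())


# Constructed sample data (not a real certificate): a DER-looking byte string.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(0x01, 0xd0))
_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(
    _B64[i:i + 64] for i in range(0, len(_B64), 64)) + "\n-----END CERTIFICATE-----\n")
SAMPLE_CS_CFG = "# constructed CS.cfg fragment\nca.signing.cert=" + _B64 + "\n"
SAMPLE_NSS = {"caSigningCert cert-pki-ca": SAMPLE_PEM, "EXAMPLE.COM IPA CA": SAMPLE_PEM}
```

On a live server the PEM inputs would come from `certutil -L -d /etc/pki/pki-tomcat/alias -a -n <nickname>` and the CS.cfg text from /var/lib/pki/pki-tomcat/ca/conf/CS.cfg, as quoted in the thread.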
