Eric Ashley via FreeIPA-users wrote:
> Hello,
>
> I installed FreeIPA version 4.8.7-1.fc32.x86_64 on 24 July 2020. I've
> since kept current with the Fedora release channels, up to
> 4.9.10-1.fc36. I don't have any Windoze AD domains configured, just
> FreeIPA. I followed the steps to enable KRA back when it seemed to be
> required to force encryption of all wire traffic. I'm sure that I must
> have missed some steps, though everything seems to be working correctly.
Not sure what you mean by "wire traffic". It's a vault so perhaps you
stored some keys there. IPA already encrypts all its own internal traffic.
> I've checked the list archive and can't see any instances that are
> related to the issues ipa-healthcheck reports. ipa-healthcheck reports
> the following:
>
> [
> {
> "source": "ipahealthcheck.ipa.idns",
> "check": "IPADNSSystemRecordsCheck",
> "result": "WARNING",
> "uuid": "432017b9-ef12-44a5-8843-35fd6424d85f",
> "when": "20220708144958Z",
> "duration": "0.031444",
> "kw": {
> "msg": "Expected URI record missing",
> "key":
> "_kerberos.ipa.example.com.:krb5srv:m:tcp:ipaserv.ipa.example.com."
> }
> },
> {
> "source": "ipahealthcheck.ipa.idns",
> "check": "IPADNSSystemRecordsCheck",
> "result": "WARNING",
> "uuid": "498649c8-1460-4f34-807b-1b06c08f3aec",
> "when": "20220708144958Z",
> "duration": "0.031469",
> "kw": {
> "msg": "Expected URI record missing",
> "key":
> "_kerberos.ipa.example.com.:krb5srv:m:udp:ipaserv.ipa.example.com."
> }
> },
> {
> "source": "ipahealthcheck.ipa.idns",
> "check": "IPADNSSystemRecordsCheck",
> "result": "WARNING",
> "uuid": "3a6c7f80-3ce9-4ba0-b821-d731eb6929a3",
> "when": "20220708144958Z",
> "duration": "0.033407",
> "kw": {
> "msg": "Expected URI record missing",
> "key":
> "_kpasswd.ipa.example.com.:krb5srv:m:tcp:ipaserv.ipa.example.com."
> }
> },
URI records are not required but your installation supports them. If you
want to utilize them you can add the missing ones. Or you can ignore these.
> {
> "source": "ipahealthcheck.ipa.proxy",
> "check": "IPAProxySecretCheck",
> "result": "CRITICAL",
> "uuid": "6820b5b3-08a9-4632-a834-a71d1ae0d84b",
> "when": "20220708144958Z",
> "duration": "0.000894",
> "kw": {
> "key": "proxy_secrets",
> "proxy_conf": "/etc/httpd/conf.d/ipa-pki-proxy.conf",
> "msg": "No ProxyPassMatch secrets found in {proxy_conf}"
> }
> },
There should be a shared secret for the AJP communication between IPA
and the CA.
In /etc/httpd/conf.d/ipa-pki-proxy.conf you should have a few lines like:
ProxyPassMatch ajp://localhost:8009 secret=<something>
The same secret should be in /etc/pki/pki-tomcat/server.xml:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
address="127.0.0.1" secret="<something>" name="Connector1"/>
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
address="::1" secret="<something>" name="Connector2"/>
> {
> "source": "pki.server.healthcheck.meta.csconfig",
> "check": "KRADogtagCertsConfigCheck",
> "result": "ERROR",
> "uuid": "1978555c-72d6-47af-8a21-de3967002eca",
> "when": "20220708145007Z",
> "duration": "0.065948",
> "kw": {
> "key": "kra_sslserver",
> "nickname": "Server-Cert cert-pki-ca",
> "directive": "kra.sslserver.cert",
> "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
> "msg": "Certificate 'Server-Cert cert-pki-ca' does not match the
> value of kra.sslserver.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
> }
> },
> {
> "source": "pki.server.healthcheck.meta.csconfig",
> "check": "KRADogtagCertsConfigCheck",
> "result": "ERROR",
> "uuid": "cbf470d2-0d58-4c24-aba0-8a62cc399ffe",
> "when": "20220708145007Z",
> "duration": "0.114728",
> "kw": {
> "key": "kra_subsystem",
> "nickname": "subsystemCert cert-pki-ca",
> "directive": "kra.subsystem.cert",
> "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
> "msg": "Certificate 'subsystemCert cert-pki-ca' does not match the
> value of kra.subsystem.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
> }
> }
> ]
For some reason the CA retains PEM copies of its certificates in its
configuration files. I don't believe this is a deal breaker but probably
worth investigating anyway. The paths, nicknames, etc. are all listed in
the output.
rob
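The following is an added example, not code from this thread, from FreeIPA or from ipa-healthcheck. It does two things the reply above describes by hand: it groups an ipa-healthcheck JSON report by severity (worst first, with the `{proxy_conf}` placeholder expanded), and it verifies the CRITICAL item by parsing the `ProxyPassMatch ... secret=` lines from ipa-pki-proxy.conf and the `secret` attribute of each AJP `Connector` in pki-tomcat's server.xml and checking that they agree. The function names (`triage`, `parse_proxy_secrets`, `parse_ajp_secrets`, `check_ajp_secret`) and all file contents are my own constructed samples; the `LocationMatch` paths and the secret value are placeholders, not the real FreeIPA configuration.

```python
"""Added example: triage ipa-healthcheck output and verify the AJP shared
secret between Apache (ipa-pki-proxy.conf) and pki-tomcat (server.xml).
Everything below is constructed sample data, not a real deployment."""
import json
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

SEVERITY = ("CRITICAL", "ERROR", "WARNING", "SUCCESS")  # worst first

# Constructed report in the same shape as the thread's ipa-healthcheck JSON.
HEALTHCHECK_JSON = json.dumps([
    {"source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck",
     "result": "WARNING", "kw": {"msg": "Expected URI record missing",
     "key": "_kerberos.ipa.example.com.:krb5srv:m:tcp:ipaserv.ipa.example.com."}},
    {"source": "ipahealthcheck.ipa.proxy", "check": "IPAProxySecretCheck",
     "result": "CRITICAL", "kw": {"key": "proxy_secrets",
     "proxy_conf": "/etc/httpd/conf.d/ipa-pki-proxy.conf",
     "msg": "No ProxyPassMatch secrets found in {proxy_conf}"}},
    {"source": "pki.server.healthcheck.meta.csconfig",
     "check": "KRADogtagCertsConfigCheck", "result": "SUCCESS", "kw": {}},
])

# Constructed Apache proxy config with a shared secret on every AJP line.
PROXY_CONF_OK = """
<LocationMatch "^/ca/.*">
    ProxyPassMatch ajp://localhost:8009 secret=EXAMPLE_SECRET_abc123
</LocationMatch>
<LocationMatch "^/kra/.*">
    ProxyPassMatch ajp://localhost:8009 secret=EXAMPLE_SECRET_abc123
</LocationMatch>
"""
# Constructed config reproducing the CRITICAL finding: no secret= at all.
PROXY_CONF_MISSING = """
<LocationMatch "^/ca/.*">
    ProxyPassMatch ajp://localhost:8009
</LocationMatch>
"""
# Constructed pki-tomcat server.xml fragment with the two AJP connectors.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="127.0.0.1" secret="EXAMPLE_SECRET_abc123" name="Connector1"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="::1" secret="EXAMPLE_SECRET_abc123" name="Connector2"/>
  </Service>
</Server>
"""


def triage(report_json):
    """Group findings by result, worst first, dropping empty severities.
    The msg placeholders ({proxy_conf}) are expanded from the same kw dict."""
    grouped = defaultdict(list)
    for item in json.loads(report_json):
        kw = item.get("kw", {})
        msg = kw.get("msg", "")
        try:
            msg = msg.format(**kw)
        except (KeyError, IndexError):
            pass  # leave an unexpandable message as-is
        grouped[item["result"]].append((item["source"], item["check"], msg))
    return {sev: grouped[sev] for sev in SEVERITY if grouped[sev]}


def parse_proxy_secrets(conf_text):
    """Return (set of secrets seen, count of AJP ProxyPassMatch lines lacking one)."""
    secrets, unprotected = set(), 0
    for line in conf_text.splitlines():
        line = line.strip()
        if not line.startswith("ProxyPassMatch") or "ajp://" not in line:
            continue
        m = re.search(r"\bsecret=(\S+)", line)
        if m:
            secrets.add(m.group(1))
        else:
            unprotected += 1
    return secrets, unprotected


def parse_ajp_secrets(xml_text):
    """Map each AJP Connector's name to its secret attribute (None if absent)."""
    root = ET.fromstring(xml_text)
    return {c.get("name", c.get("address", "?")): c.get("secret")
            for c in root.iter("Connector")
            if c.get("protocol", "").startswith("AJP")}


def check_ajp_secret(conf_text, xml_text):
    """Cross-check both sides of the AJP secret; returns (ok, findings)."""
    findings = []
    secrets, unprotected = parse_proxy_secrets(conf_text)
    connectors = parse_ajp_secrets(xml_text)
    if unprotected:
        findings.append(f"{unprotected} AJP ProxyPassMatch line(s) without secret=")
    if not secrets:
        findings.append("No ProxyPassMatch secrets found in proxy conf")
    elif len(secrets) > 1:
        findings.append("ProxyPassMatch lines use differing secrets")
    if not connectors:
        findings.append("No AJP Connector found in server.xml")
    for name, secret in connectors.items():
        if secret is None:
            findings.append(f"Connector {name} has no secret attribute")
        elif secret not in secrets:
            findings.append(f"Connector {name} secret does not match proxy conf")
    return (not findings), findings


if __name__ == "__main__":
    for sev, items in triage(HEALTHCHECK_JSON).items():
        for source, check, msg in items:
            print(f"{sev:8} {source}.{check}: {msg}")
    print(check_ajp_secret(PROXY_CONF_OK, SERVER_XML))
    print(check_ajp_secret(PROXY_CONF_MISSING, SERVER_XML))
```

Run against the real files, the two parsers take the contents of /etc/httpd/conf.d/ipa-pki-proxy.conf and /etc/pki/pki-tomcat/server.xml; the check fails both when Apache sends no secret (the CRITICAL case above) and when a Connector carries a different one, since either way AJP requests from Apache will not be accepted by Tomcat.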
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure