Hi all,
Sorry I didn't keep track of this more accurately. Some time ago, the
ipa-healthcheck service started failing (September 23rd, I think). I took a
look, and IIRC, it said something like some certs were about to expire. I
ignored that (because they renew automatically?). But then I checked some time
after that, and ipa-healthcheck started reporting:
[
  {
    "source": "pki.server.healthcheck.meta.csconfig",
    "check": "CADogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "af584c7d-6288-4848-acf8-9e59946e298b",
    "when": "20231004180708Z",
    "duration": "0.093486",
    "kw": {
      "key": "ca_audit_signing",
      "nickname": "auditSigningCert cert-pki-ca",
      "directive": "ca.audit_signing.cert",
      "configfile": "/etc/pki/pki-tomcat/ca/CS.cfg",
      "msg": "Certificate 'auditSigningCert cert-pki-ca' does not match the value of ca.audit_signing.cert in /etc/pki/pki-tomcat/ca/CS.cfg"
    }
  },
  {
    "source": "ipahealthcheck.dogtag.ca",
    "check": "DogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "94d21af1-63d1-4bc8-80ff-dc974b3bafc2",
    "when": "20231004180708Z",
    "duration": "0.401906",
    "kw": {
      "key": "auditSigningCert cert-pki-ca",
      "directive": "ca.audit_signing.cert",
      "configfile": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
      "msg": "Certificate 'auditSigningCert cert-pki-ca' does not match the value of ca.audit_signing.cert in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
    }
  }
]
I suppose the automatic renewal process went awry? I have seen messages on this
list with similar errors, but the path forward does not seem clear to me.
I'm running:
ipa-healthcheck-0.12-1.el9.noarch
ipa-healthcheck-core-0.12-1.el9.noarch
ipa-server-4.10.1-9.el9_2.x86_64
Coincidentally, some updates went out around those dates:
2023-08-26T06:56:04+0000 SUBDEBUG Upgraded: ipa-server-dns-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: ipa-server-4.10.1-7.el9_2.x86_64
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: python3-ipaserver-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: ipa-client-4.10.1-7.el9_2.x86_64
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: python3-ipaclient-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: python3-ipalib-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: ipa-common-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: ipa-server-common-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: ipa-client-common-4.10.1-7.el9_2.noarch
2023-08-26T06:56:05+0000 SUBDEBUG Upgraded: ipa-selinux-4.10.1-7.el9_2.noarch
2023-09-24T06:56:28+0000 SUBDEBUG Upgraded: ipa-server-dns-4.10.1-8.el9_2.noarch
2023-09-24T06:56:28+0000 SUBDEBUG Upgraded: ipa-server-4.10.1-8.el9_2.x86_64
2023-09-24T06:56:29+0000 SUBDEBUG Upgraded: python3-ipaserver-4.10.1-8.el9_2.noarch
2023-09-24T06:56:29+0000 SUBDEBUG Upgraded: ipa-client-4.10.1-8.el9_2.x86_64
2023-09-24T06:56:29+0000 SUBDEBUG Upgraded: python3-ipaclient-4.10.1-8.el9_2.noarch
2023-09-24T06:56:29+0000 SUBDEBUG Upgraded: python3-ipalib-4.10.1-8.el9_2.noarch
2023-09-24T06:56:29+0000 SUBDEBUG Upgraded: ipa-common-4.10.1-8.el9_2.noarch
2023-09-24T06:56:30+0000 SUBDEBUG Upgraded: ipa-server-common-4.10.1-8.el9_2.noarch
2023-09-24T06:56:30+0000 SUBDEBUG Upgraded: ipa-client-common-4.10.1-8.el9_2.noarch
2023-09-24T06:56:30+0000 SUBDEBUG Upgraded: ipa-selinux-4.10.1-8.el9_2.noarch
Any thoughts?
Thanks,
Álex
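
Added example, not part of the original message and not ipa-healthcheck's own code: a Python version of the comparison both ERROR results describe, checking the blob stored under ca.audit_signing.cert in CS.cfg against the certificate exported in PEM form from the PKI NSS database. It assumes the directive holds the certificate as single-line base64 DER; the function names and the sample data are constructed for illustration.

```python
import base64
import hashlib
import re
import textwrap

def cs_cfg_value(cfg_text, directive):
    """Return the value of an exact key in key=value text, or None."""
    for line in cfg_text.splitlines():
        key, sep, value = line.partition("=")  # base64 '=' padding stays in value
        if sep and key.strip() == directive:
            return value.strip()
    return None

def pem_to_der(pem_text):
    """Drop the PEM armour lines and decode the base64 body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_text)
    return base64.b64decode("".join(body.split()))

def compare_cert(cfg_text, directive, pem_text):
    """Return (status, detail) for the directive blob vs. the exported cert."""
    value = cs_cfg_value(cfg_text, directive)
    if value is None:
        return ("missing", directive + " not found")
    try:
        cfg_der = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return ("invalid", "value is not valid base64")
    db_der = pem_to_der(pem_text)
    if cfg_der == db_der:
        return ("match", hashlib.sha256(db_der).hexdigest())
    return ("mismatch", "config sha256=%s database sha256=%s" % (
        hashlib.sha256(cfg_der).hexdigest(), hashlib.sha256(db_der).hexdigest()))

def to_pem(der):
    """Wrap bytes as PEM (used only to build the constructed samples)."""
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----\n")

# Constructed stand-ins for certificate bytes, not real certificates.
OLD_DER = b"constructed bytes standing in for the pre-renewal certificate"
NEW_DER = b"constructed bytes standing in for the renewed certificate"
SAMPLE_CFG = (
    "ca.audit_signing.certreq=Q09OU1RSVUNURUQ=\n"
    "ca.audit_signing.cert=" + base64.b64encode(OLD_DER).decode() + "\n")

if __name__ == "__main__":
    print(compare_cert(SAMPLE_CFG, "ca.audit_signing.cert", to_pem(NEW_DER)))
```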