> You don't say what distribution or release you are running.
Apologies—I meant to add that and then got distracted. They are both CentOS
Stream 9 running 4.9.8 (master) and 4.10.0 (replica). I was actually surprised
they aren't the same version—I'm not sure how that happened TBH.
> I'd
> recommend installing {free}ipa-healthcheck and seeing if that detects
> any issues.
Thank you! I didn't know it existed—that's very useful.
On the master it only identifies that the replica is not functioning correctly.
On the replica, the first thing it identified was the ldap / NSS DB mismatch on
'subsystemCert cert-pki-ca'—that I fixed with the instruction on
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
and pki-tomcatd now starts. Although oddly ipa-healthcheck is still showing
it as an error. And it seems other renewed certificates were not updated in the
replica's ldap either:
[
  {
    "source": "ipahealthcheck.dogtag.ca",
    "check": "DogtagCertsConnectivityCheck",
    "result": "ERROR",
    "uuid": "b64ca4ed-889b-4707-88f8-f6231adaaecb",
    "when": "20241019190638Z",
    "duration": "0.095653",
    "kw": {
      "key": "cert_show_ra",
      "error": "Certificate operation cannot be completed: Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x13 not found (404)",
      "serial": "19",
      "msg": "Serial number not found: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPADogtagCertsMatchCheck",
    "result": "ERROR",
    "uuid": "63e59ed6-42f8-4c7c-b884-1ff18aa879db",
    "when": "20241019190644Z",
    "duration": "0.654190",
    "kw": {
      "key": "ocspSigningCert cert-pki-ca",
      "nickname": "ocspSigningCert cert-pki-ca",
      "dbdir": "/etc/pki/pki-tomcat/alias",
      "msg": "{nickname} certificate in NSS DB {dbdir} does not match entry in LDAP"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPADogtagCertsMatchCheck",
    "result": "ERROR",
    "uuid": "f09f4527-a9fa-4b28-8433-7c802cf6e6b7",
    "when": "20241019190644Z",
    "duration": "0.725190",
    "kw": {
      "key": "subsystemCert cert-pki-ca",
      "nickname": "subsystemCert cert-pki-ca",
      "dbdir": "/etc/pki/pki-tomcat/alias",
      "msg": "{nickname} certificate in NSS DB {dbdir} does not match entry in LDAP"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPADogtagCertsMatchCheck",
    "result": "ERROR",
    "uuid": "32caa7a6-1eec-469b-9ba8-9e75a76f0a7f",
    "when": "20241019190644Z",
    "duration": "0.792584",
    "kw": {
      "key": "auditSigningCert cert-pki-ca",
      "nickname": "auditSigningCert cert-pki-ca",
      "dbdir": "/etc/pki/pki-tomcat/alias",
      "msg": "{nickname} certificate in NSS DB {dbdir} does not match entry in LDAP"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPARAAgent",
    "result": "ERROR",
    "uuid": "7f7b4a56-6c93-4b11-90f1-86a658c6259a",
    "when": "20241019190645Z",
    "duration": "0.021523",
    "kw": {
      "key": "description_mismatch",
      "expected": "2;19;CN=Certificate Authority,O=SIMPLYWS.COM;CN=IPA RA,O=SIMPLYWS.COM",
      "got": "2;7;CN=Certificate Authority,O=SIMPLYWS.COM;CN=IPA RA,O=SIMPLYWS.COM",
      "msg": "RA agent description does not match. Found {got} in LDAP and expected {expected}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "22545043-3a4d-43d7-af30-c6da0432ce8b",
    "when": "20241019190645Z",
    "duration": "0.120478",
    "kw": {
      "key": "20221129200204",
      "serial": 19,
      "error": "Certificate operation cannot be completed: Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x13 not found (404)",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "9100d431-8156-4951-99f2-04bae21f8044",
    "when": "20241019190645Z",
    "duration": "0.294161",
    "kw": {
      "key": "20221129200205",
      "serial": 17,
      "error": "Certificate operation cannot be completed: Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x11 not found (404)",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "9f30d1ea-03f5-44b5-abf8-7e369df23fb5",
    "when": "20241019190646Z",
    "duration": "0.468931",
    "kw": {
      "key": "20221129200209",
      "serial": 15,
      "error": "Certificate operation cannot be completed: Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0xf not found (404)",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "05d6e5cf-25e4-47c3-ac54-142e8f0a79cd",
    "when": "20241019190646Z",
    "duration": "0.644094",
    "kw": {
      "key": "20221129200212",
      "serial": 16,
      "error": "Certificate operation cannot be completed: Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x10 not found (404)",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "f73d24c3-ecd2-45bb-81a8-95430d31ebd4",
    "when": "20241019190646Z",
    "duration": "1.138467",
    "kw": {
      "key": "20221129200213",
      "serial": 1,
      "error": "Failed to authenticate to CA REST API",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "a7d3a152-ce3a-4240-8e70-c959a11a710a",
    "when": "20241019190646Z",
    "duration": "1.367480",
    "kw": {
      "key": "20221129200214",
      "serial": 13,
      "error": "Failed to authenticate to CA REST API",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "7fb7d331-667b-4010-8678-a824bbc4bd02",
    "when": "20241019190647Z",
    "duration": "1.548316",
    "kw": {
      "key": "20221129195719",
      "serial": 12,
      "error": "Failed to authenticate to CA REST API",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "3728dfb8-0e7b-4ff7-b1fe-bc09ba6f58cf",
    "when": "20241019190647Z",
    "duration": "1.797597",
    "kw": {
      "key": "20221129195645",
      "serial": 11,
      "error": "Failed to authenticate to CA REST API",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "9b9afa55-06f6-4794-a6e8-7abb1c55b8ca",
    "when": "20241019190647Z",
    "duration": "1.981098",
    "kw": {
      "key": "20221129200256",
      "serial": 14,
      "error": "Failed to authenticate to CA REST API",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  }
]
All of which I guess points to a replication problem? Although changes that
I've made to users have replicated fine, including ones after the certificate
renewal and ipa-replica-conncheck doesn't report any problems...
Would 'ipa-replica-manage re-initialize' be a reasonable approach to resolving
those missing entries?
Thank you for your help—it's much appreciated.
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
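As an added example (not code from the thread or from the ipa-healthcheck project), a short Python triage script for output in the JSON shape quoted above: it groups ERROR results into the buckets that matter in this situation (NSS DB versus LDAP certificate mismatches, the RA agent serial recorded in LDAP versus the one expected, serials the CA REST API cannot find, and checks that could not run because RA authentication to the CA failed) and expands the `msg` templates the way the tool does. The sample report is constructed and abridged from the message; field names and values follow the quoted output.

```python
import json

# Constructed, abridged sample in the ipa-healthcheck JSON shape quoted in the message.
SAMPLE = json.dumps([
    {"source": "ipahealthcheck.ipa.certs", "check": "IPADogtagCertsMatchCheck", "result": "ERROR",
     "kw": {"key": "subsystemCert cert-pki-ca", "nickname": "subsystemCert cert-pki-ca",
            "dbdir": "/etc/pki/pki-tomcat/alias",
            "msg": "{nickname} certificate in NSS DB {dbdir} does not match entry in LDAP"}},
    {"source": "ipahealthcheck.ipa.certs", "check": "IPARAAgent", "result": "ERROR",
     "kw": {"key": "description_mismatch",
            "expected": "2;19;CN=Certificate Authority,O=SIMPLYWS.COM;CN=IPA RA,O=SIMPLYWS.COM",
            "got": "2;7;CN=Certificate Authority,O=SIMPLYWS.COM;CN=IPA RA,O=SIMPLYWS.COM",
            "msg": "RA agent description does not match. Found {got} in LDAP and expected {expected}"}},
    {"source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR",
     "kw": {"key": "20221129200204", "serial": 19,
            "error": "Non-2xx response from CA REST API: 404. Certificate ID 0x13 not found (404)",
            "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"}},
    {"source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR",
     "kw": {"key": "20221129200213", "serial": 1, "error": "Failed to authenticate to CA REST API",
            "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"}},
    {"source": "ipahealthcheck.ipa.host", "check": "IPAHostKeytab", "result": "SUCCESS", "kw": {}},
])

def triage(report_json):
    """Sort ERROR results into the buckets an admin acts on; returns a plain dict."""
    out = {"nss_ldap_mismatch": [], "ra_serial": None, "not_in_ca": [], "ca_auth_failed": []}
    for item in json.loads(report_json):
        if item["result"] != "ERROR":
            continue
        kw, check = item["kw"], item["check"]
        if check == "IPADogtagCertsMatchCheck":
            out["nss_ldap_mismatch"].append(kw["nickname"])
        elif check == "IPARAAgent" and kw["key"] == "description_mismatch":
            # RA agent description is "<version>;<serial>;<issuer DN>;<subject DN>"
            expected, got = kw["expected"].split(";")[1], kw["got"].split(";")[1]
            out["ra_serial"] = {"expected": int(expected), "ldap": int(got)}
        elif "not found" in kw.get("error", ""):
            out["not_in_ca"].append(int(kw["serial"]))      # serial absent from the CA's DB
        elif "authenticate" in kw.get("error", ""):
            out["ca_auth_failed"].append(int(kw["serial"]))  # could not even ask the CA
    return out

def messages(report_json):
    """Expand each ERROR item's msg template with its own kw, as the tool prints it."""
    return [i["kw"]["msg"].format(**i["kw"]) for i in json.loads(report_json) if i["result"] == "ERROR"]
```

Run it against `ipa-healthcheck --output-type json` output instead of the sample to get the same grouping for a real replica; a non-empty `ca_auth_failed` list alongside an `ra_serial` mismatch points at the RA agent entry before the individual serials.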