On Thu, 2018-10-04 at 09:21 -0400, Rob Crittenden via FreeIPA-users wrote:
> As part of a larger IPA "health" checker and driven largely by necessity
> I have the beginning of a certificate checking tool available at
> https://github.com/rcritten/checkcerts
>
> It works for me in IPA 4.5.4, IPA 4.6.0 and IPA master (basically 4.7+
> patches). YMMV.
>
> There is not much of a user-friendly interface to it. There are only two
> options, debug and verbose, which increase the amount of debug output
> (and it is immense).
>
> The UI is limited because I expect it to be rolled up into some larger
> tool at some point and don't want to have to throw away a ton of
> framework code.
>
> It needs to be run on an IPA master and checks the things I thought of
> to check. I've only done limited testing on mostly brand new installs so
> I'd appreciate feedback. Don't freak out if it spits out errors as it
> could just be bugs on my part :-)
>
> It is read-only so it shouldn't blow up anything.
>
> So if you want to run it against your system and send me any output
> I can try to figure out if it is my tool that is the issue or your
> system (it is supposed to help pro-actively diagnose issues after all).
>
> To use just clone it from git (or download ipa-checkcerts.py from the
> repo)
>
> Run it as root:

Here is a tar file with the output with no options and with --verbose from my system. Please let me know when you need more information. The free-ipa was set up a number of years ago (on Centos 7.1?) and upgraded since with every new release. I already fixed some permission issues. The

Kind regards,

Louis

P.S. /var/lib/ipa/ra-agent.pem contains the following:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 55 (0x37)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=HOME.FAZANT.NET, CN=Certificate Authority
        Validity
            Not Before: Apr 29 13:23:17 2018 GMT
            Not After : Apr 18 13:23:17 2020 GMT
        Subject: O=HOME.FAZANT.NET, CN=IPA RA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:5C:36:EB:08:E2:0C:1F:19:0A:B3:0F:80:21:DA:EF:22:F7:A9:3C:3D
            Authority Information Access:
                OCSP - URI:http://ipa-ca.home.fazant.net/ca/ocsp
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption

output.tar.gz
Description: application/compressed-tar