Patterson, David via FreeIPA-users wrote:
> Hello,
> 
> How or what does it use to compare with?
> 
> I see a cert in the nssdb with the correct nickname.
> 
> certutil -L -d /etc/pki/nssdb
> 
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
> 
> host/idm2.x.y                                           u,u,u
> 
> I also see the other side of the same coin....
> getcert list -c IPA | grep -A15 20191122115414
> Request ID '20191122115414':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='host/idm2.x.y',token='NSS Certificate DB'
>         certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='host/idm2.x.y',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=X.Y
>         subject: CN=idm2.x.y,O=X.Y
>         expires: 2021-11-22 11:54:15 UTC
>         principal name: host/idm2.x.y@X.Y
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> 
> Not sure that I want to delete either.

Ok, I looked into this further and I was wrong again (a bit).

healthcheck does miss checking machine certificates but this isn't one
of them.

A machine cert gets installed into /etc/ipa/nssdb. My memory had things
backwards. We moved from /etc/pki/nssdb -> /etc/ipa/nssdb not the other way.

The nickname is inconsistent too. We currently use 'Local IPA host' and
in the distant past (3.0.0) it was 'IPA Machine Certificate - <fqdn>'.

So I can only assume that someone manually generated this request
for some reason.

rob

> 
> Thanks!
> 
> David Patterson
> 
> -----Original Message-----
> From: Rob Crittenden <rcrit...@redhat.com> 
> Sent: Monday, January 11, 2021 11:07 AM
> To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
> Cc: Patterson, David <dpa...@sandia.gov>
> Subject: [EXTERNAL] Re: [Freeipa-users] ipa healthcheck issue
> 
> Patterson, David via FreeIPA-users wrote:
>> Hello,
>>
>> Running RHEL 7.9, ipa 4.6.8-5 and freeipa-healthcheck 0.3-2 backported 
>> for RHEL 7.
>>
>> Ipa healthcheck output
>>
>> [
>>   {
>>     "source": "ipahealthcheck.ipa.certs",
>>     "kw": {
>>       "msg": "Unable to retrieve cert 'host/idm2.X.Y' from '/etc/pki/nssdb': Failed to get host/idm2.X.Y",
>>       "nickname": "host/idm2.X.Y",
>>       "dbdir": "/etc/pki/nssdb",
>>       "key": "20191122115414",
>>       "error": "Failed to get host/idm2.X.Y"
>>     },
>>     "uuid": "64d9b118-e588-4dbb-99e1-6ef11e495ed5",
>>     "duration": "0.382404",
>>     "when": "20210107005140Z",
>>     "check": "IPACertfileExpirationCheck",
>>     "result": "ERROR"
>>   },
>>   {
>>     "source": "ipahealthcheck.ipa.certs",
>>     "kw": {
>>       "msg": "Unknown certmonger id 20191122115414",
>>       "key": "20191122115414"
>>     },
>>     "uuid": "1b4bba70-08e0-43dc-8984-657cc47fd339",
>>     "duration": "1.109733",
>>     "when": "20210107005142Z",
>>     "check": "IPACertTracking",
>>     "result": "WARNING"
>>   }
>> ]
>>
>> How do I correct these issues?
> 
> They are two sides of the same coin. You have an unknown certificate request 
> being tracked by certmonger.
> 
> In this case the nickname host/idm2.X.Y in /etc/pki/nssdb.
> 
> Looks like there isn't a nickname with this value in that NSS database which 
> explains the first error.
> 
> I suspect that someone did some manual tracking changes and got this one 
> wrong. It isn't something that IPA would have configured.
> 
> Is it safe to delete this tracking request? Probably. But I'd double and 
> triple check before doing so. It's unclear what the original purpose of 
> creating it was.
> 
> rob
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> 
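The comparison healthcheck performs here is a simple one: for every certmonger tracking request whose storage is an NSS database, the nickname named in the request must exist in that database. The following Python script is an added example, not part of this thread and not FreeIPA's or ipa-healthcheck's own code; it reproduces that cross-check offline from captured `getcert list` and `certutil -L` text. The two sample outputs are constructed for the example (the stray request on `/etc/pki/nssdb` from the thread, plus a normal `Local IPA host` request on `/etc/ipa/nssdb`); the `X.Y IPA CA` nickname is an assumed entry.

```python
"""Cross-check certmonger tracking requests against NSS database nicknames.

Added example (not from the thread or from FreeIPA): mirrors the check that
produced "Unable to retrieve cert ... from '/etc/pki/nssdb'" by comparing
`getcert list` output with `certutil -L -d <dbdir>` output for each database.
On a real host, replace the constructed samples with subprocess output.
"""
import re

# Constructed sample of `getcert list`: one stray request on /etc/pki/nssdb
# (as in the thread) and one ordinary IPA host request on /etc/ipa/nssdb.
GETCERT_LIST = """\
Request ID '20191122115414':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='host/idm2.x.y',token='NSS Certificate DB'
        certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='host/idm2.x.y',token='NSS Certificate DB'
        CA: IPA
        subject: CN=idm2.x.y,O=X.Y
        track: yes
        auto-renew: yes
Request ID '20190101000000':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA host',token='NSS Certificate DB'
        certificate: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA host',token='NSS Certificate DB'
        CA: IPA
        subject: CN=idm2.x.y,O=X.Y
        track: yes
        auto-renew: yes
"""

# Constructed samples of `certutil -L -d <dbdir>` for each database.
# /etc/pki/nssdb is empty here; "X.Y IPA CA" is an assumed CA nickname.
CERTUTIL_OUTPUTS = {
    "/etc/pki/nssdb": """\

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

""",
    "/etc/ipa/nssdb": """\

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Local IPA host                                               u,u,u
X.Y IPA CA                                                   CT,C,C
""",
}


def parse_getcert_list(text):
    """Map request ID -> {'location', 'nickname'} for NSSDB-backed requests."""
    requests = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = m.group(1)
            requests[current] = {}
            continue
        if current is None:
            continue
        # Only the 'certificate:' line matters for this check; the key pair
        # storage line is ignored (it starts with 'key pair storage:').
        m = re.match(r"\s*certificate: type=NSSDB,location='([^']+)',nickname='([^']+)'", line)
        if m:
            requests[current]["location"] = m.group(1)
            requests[current]["nickname"] = m.group(2)
    return requests


def parse_certutil_list(text):
    """Return the set of nicknames listed by `certutil -L` (header lines skipped)."""
    nicknames = set()
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("Certificate Nickname") or stripped.startswith("SSL,"):
            continue
        # Nickname and trust flags are separated by a run of spaces; nicknames
        # such as 'Local IPA host' may themselves contain single spaces.
        m = re.match(r"(.+?)\s{2,}(\S+)$", line)
        if m:
            nicknames.add(m.group(1).strip())
    return nicknames


def find_missing_certs(getcert_text, certutil_by_dbdir):
    """Return (request_id, dbdir, nickname) for each tracked cert absent from its NSS DB."""
    problems = []
    for req_id, info in parse_getcert_list(getcert_text).items():
        if "location" not in info:
            continue  # file-based or otherwise non-NSSDB request
        db_nicknames = parse_certutil_list(certutil_by_dbdir.get(info["location"], ""))
        if info["nickname"] not in db_nicknames:
            problems.append((req_id, info["location"], info["nickname"]))
    return problems


if __name__ == "__main__":
    for req_id, dbdir, nickname in find_missing_certs(GETCERT_LIST, CERTUTIL_OUTPUTS):
        print(f"Request {req_id}: nickname '{nickname}' not found in {dbdir}")
```

Run against the samples it reports only the `20191122115414` request, which is exactly the situation in the thread: certmonger is monitoring a nickname that the named database does not contain, while the genuine host certificate lives under `Local IPA host` in `/etc/ipa/nssdb`. Running this (or `getcert list` plus `certutil -L` by hand) before touching any tracking request is the "double and triple check" step: confirm the request is orphaned and that the real machine certificate has its own healthy tracking entry.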