Hi,

On Mon, Aug 26, 2024 at 9:13 PM Toma Morris via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> Thanks, Rob,
>
> ipa-cacert-manage list succeeds, with ~13 lines of output that look like
> they're probably enumeration of certs. pki client init && pki ca cert find
> succeeds and returns ~20 results, with the following warning:
>
> WARNING: UNTRUSTED ISSUER encountered on
> 'CN=freeipa1.local.domain,O=LOCAL.DOMAIN' indicates a non-trusted CA cert
> 'CN=Certificate Authority,O=LOCAL.DOMAIN'
>

Can you paste the output of:
certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca' -a

and then
grep 'ca.signing.cert=' /var/lib/pki/pki-tomcat/ca/conf/CS.cfg

We'll be able to check if the CA has been renewed based on the serial
numbers and validity date.
It's possible that after renewal, it was not properly put in all the NSS
databases. Is the cert from the certutil output present in /etc/ipa/ca.crt?

flo

>
> -Toma
>
> On Mon, Aug 26, 2024 at 11:14 AM Rob Crittenden <rcrit...@redhat.com> wrote:
>
>> Toma Morris via FreeIPA-users wrote:
>> > I have taken over an existing deployment of FreeIPA that has not been updated in some time. I would like to update it, but am getting a recurring error and do not know how to fix it. Currently it is FreeIPA v4.9.6, running on Fedora 34, running in VMs on VMWare. The current deployment is two replicas that both act as write nodes and CA hosts (hostnames freeipa1 and freeipa2). There were previously two additional nodes that were shut down (hostnames freeipa and freeipa3 -- according to what I can figure out, they failed without being removed gracefully, so there are some traces of them left in the system).
>> >
>> > ipa-healthcheck returns a number of errors. The following appear to be the most relevant to my eye. The "unknown ca" error message is repeated in most of them. I can provide the whole response if needed:
>> >
>> > ```
>> > Internal server error HTTPSConnectionPool(host='freeipa.local.domain', port=443): Max retries exceeded with url: /ca/rest/certs/search?size=3 (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f6a5da14190>: Failed to establish a new connection: [Errno 113] No route to host'))
>> > [
>> > ...
>> >   {
>> >     "source": "pki.server.healthcheck.meta.csconfig",
>> >     "check": "CADogtagCertsConfigCheck",
>> >     "result": "ERROR",
>> >     "uuid": "6945db10-a79b-4d17-84e3-1e4a91bdfbeb",
>> >     "when": "20240822190635Z",
>> >     "duration": "0.229479",
>> >     "kw": {
>> >       "key": "ca_signing",
>> >       "nickname": "caSigningCert cert-pki-ca",
>> >       "directive": "ca.signing.cert",
>> >       "configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
>> >       "msg": "Certificate 'caSigningCert cert-pki-ca' does not match the value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
>> >     }
>> >   },
>> > ...
>> >   {
>> >     "source": "ipahealthcheck.dogtag.ca",
>> >     "check": "DogtagCertsConnectivityCheck",
>> >     "result": "ERROR",
>> >     "uuid": "9fbbcb00-4d48-4dad-95b2-8d0738f1d540",
>> >     "when": "20240822190637Z",
>> >     "duration": "0.016692",
>> >     "kw": {
>> >       "key": "cert_show_1",
>> >       "msg": "Request for certificate failed, cannot connect to 'https://freeipa1.local.domain:443/ca/rest/certs/1': [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:2633)"
>> >     }
>> >   },
>> > ...
>> >   {
>> >     "source": "ipahealthcheck.ipa.idns",
>> >     "check": "IPADNSSystemRecordsCheck",
>> >     "result": "WARNING",
>> >     "uuid": "d873830f-3e7f-4c12-b61a-567dca63bc0e",
>> >     "when": "20240822190645Z",
>> >     "duration": "0.040974",
>> >     "kw": {
>> >       "key": "ca_count_a_rec",
>> >       "msg": "Got {count} ipa-ca A records, expected {expected}",
>> >       "count": 3,
>> >       "expected": 2
>> >     }
>> >   }
>> > ]
>> > ```
>> >
>> > Currently this prevents me from viewing any certificates in the UI, and also prevents doing most operations involved with either updating the existing nodes or adding a new one. If I try to promote a new replica, I get this error. Likewise if I upgrade the OS on one of the existing nodes and try `ipactl restart`. I have tried replacing the CA cert and got a success message, but no change in behavior, and ipa-cert-fix finds nothing to do:
>> >
>> > ```
>> > [root@freeipa1 ~]# ipa-cacert-manage -t C,, install /home/tmorris/incommonCA-2024.ca
>> > Installing CA certificate, please wait
>> > Verified CN=InCommon RSA Server CA 2,O=Internet2,C=US
>> > CA certificate successfully installed
>> > The ipa-cacert-manage command was successful
>> > [root@freeipa1 ~]# ipa-cert-fix
>> > Nothing to do.
>> > The ipa-cert-fix command was successful
>> > ```
>> >
>> > I don't actually think the CA is used in the deployment. We use certs from our CA everywhere, rather than from FreeIPA, so I believe if I turned this into a CA-less deployment it would be fine, but I haven't found clear documentation on how to do that. I'm ok with either removing the CA (and I have snapshots in case I need to revert), or with fixing the CA, but as it stands I can't do software update or add nodes to the cluster.
>> >
>> > What additional information can I provide? Thanks in advance,
>>
>> AFAIK there is no supported way to go from a cafull installation to a
>> caless installation (there is the other way around).
>>
>> Is the IPA CA available? I forget if `ipa-cacert-manage list` is
>> available in 4.9.6. If it is then you can check that way.
>>
>> You can also see if the CA is working at all using commands provided by
>> the CA itself. Perhaps something like:
>>
>> pki client init
>> pki ca cert find
>>
>> The results don't matter much as long as it isn't an error. If you get a
>> list of certs then your CA can at least read its database. This is
>> basically what the cert-find healthcheck does but it tacks on
>> authentication as well.
>>
>> rob
>>
>> --
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
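The two comparisons flo asks for (does the caSigningCert in the pki-tomcat NSS database match `ca.signing.cert` in CS.cfg, and is that same cert present in /etc/ipa/ca.crt) as an added Python example; this is not code from the thread or from FreeIPA/Dogtag. It assumes CS.cfg stores `ca.signing.cert` as one line of bare base64 DER, as Dogtag does, and uses constructed byte strings in place of real certificates so it runs offline.

```python
import base64
import hashlib
import re

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
RENEWED_CA_DER = b"constructed-der-bytes-of-the-renewed-ca-signing-cert"
OLD_CA_DER = b"constructed-der-bytes-of-the-previous-ca-signing-cert"

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM block, the form `certutil -L ... -a` prints."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def pem_bundle_to_der(text: str) -> list:
    """Return the DER bytes of every certificate in a PEM bundle such as /etc/ipa/ca.crt."""
    return [base64.b64decode("".join(m.split())) for m in _PEM_RE.findall(text)]

def cs_cfg_signing_cert(text: str) -> bytes:
    """Read ca.signing.cert= from CS.cfg (assumed: a single line of bare base64 DER)."""
    for line in text.splitlines():
        if line.startswith("ca.signing.cert="):
            return base64.b64decode(line.split("=", 1)[1].strip())
    raise KeyError("ca.signing.cert not found in CS.cfg")

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER, so certs are compared byte-for-byte rather than by subject name."""
    return hashlib.sha256(der).hexdigest()

def check_ca_consistency(certutil_pem: str, cs_cfg: str, ca_crt: str) -> dict:
    """The two questions from the reply: NSS DB vs CS.cfg, and NSS DB vs /etc/ipa/ca.crt."""
    nss_fp = fingerprint(pem_bundle_to_der(certutil_pem)[0])
    cfg_fp = fingerprint(cs_cfg_signing_cert(cs_cfg))
    bundle_fps = {fingerprint(d) for d in pem_bundle_to_der(ca_crt)}
    return {"nss_matches_cs_cfg": nss_fp == cfg_fp, "nss_in_ipa_ca_crt": nss_fp in bundle_fps}

# Constructed inputs: NSS DB and /etc/ipa/ca.crt hold the renewed cert while CS.cfg still
# carries the old one, which is the mismatch CADogtagCertsConfigCheck reports.
CERTUTIL_OUT = to_pem(RENEWED_CA_DER)
CS_CFG_STALE = "ca.signing.nickname=caSigningCert cert-pki-ca\nca.signing.cert=" + base64.b64encode(OLD_CA_DER).decode() + "\n"
CS_CFG_OK = "ca.signing.cert=" + base64.b64encode(RENEWED_CA_DER).decode() + "\n"
IPA_CA_CRT = to_pem(RENEWED_CA_DER) + to_pem(b"constructed-der-of-an-external-ca")

if __name__ == "__main__":
    print(check_ca_consistency(CERTUTIL_OUT, CS_CFG_STALE, IPA_CA_CRT))
```

On a real server, feed `check_ca_consistency` the output of the `certutil -L ... -a` command above, the contents of /var/lib/pki/pki-tomcat/ca/conf/CS.cfg, and /etc/ipa/ca.crt; a `False` in either field points at the NSS database or CS.cfg that the renewal did not update.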