Hi Rob,

> Have you recently replaced the CA chain and/or the IPA server
> cert(s)?
> Apache and/or DS?
> 
No, I have neither replaced any of the internal certs nor the
certificate chain.

> > 
> This means that one of the CA subsystem certificates was not found by
> the CA which is unexpected, hence the backtrace. You can try running
> healthcheck again and then watching the DS access log to find the
> query
> that returned nothing (err=32). That will tell you which subject it
> couldn't find.
I've searched the slapd access log while running ipa-healthcheck for
err=32. The log is very long but there are "only" four occurrences of
err=32. I think these should be the relevant lines that share the same
op/operation(?) value.
[...]
[26/Jan/2025:12:56:33.608141106 +0100] conn=1847 op=10 SRCH base="cn=DNSSEC,cn=idm-[...],cn=masters,cn=ipa,cn=etc,dc=idm,dc=[...],dc=[...],dc=[...]" scope=0 filter="(objectClass=*)" attrs="cn"
[26/Jan/2025:12:56:33.608208600 +0100] conn=1847 op=10 RESULT err=32 tag=101 nentries=0 wtime=0.000048841 optime=0.000068771 etime=0.000116566
[...]
[26/Jan/2025:12:56:36.433609457 +0100] conn=1857 op=3 SRCH base="cn=changelog5,cn=config" scope=0 filter="(objectClass=*)" attrs="nsslapd-changelogmaxentries"
[26/Jan/2025:12:56:36.433639656 +0100] conn=1857 op=3 RESULT err=32 tag=101 nentries=0 wtime=0.000173461 optime=0.000030915 etime=0.000203514
[...]
[26/Jan/2025:12:56:36.434644495 +0100] conn=1847 op=18 SRCH base="cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config" scope=0 filter="(objectClass=*)" attrs="* aci"
[26/Jan/2025:12:56:36.434671918 +0100] conn=1847 op=18 RESULT err=32 tag=101 nentries=0 wtime=0.000090959 optime=0.000028427 etime=0.000118526
[...]
[26/Jan/2025:12:57:14.989604635 +0100] conn=5 op=8240 SRCH base="cn=docarch.[...],cn=masters,cn=ipa,cn=etc,dc=idm,dc=[...],dc=[...],dc=[...]" scope=0 filter="(objectClass=*)" attrs=ALL
[26/Jan/2025:12:57:14.989643954 +0100] conn=5 op=8240 RESULT err=32 tag=101 nentries=0 wtime=0.000037066 optime=0.000039544 etime=0.000076147
[...]

If I understood the logs right, there are a few objects missing: a
DNSSEC cert, a changelog, something replica related and a service
certificate I've signed by the CA.
> 
> I can't explain why a certificate would go missing. Did you have any
> recent db corruption? Did anyone attempt to "clean up" some records?
> 
I can rule out the "someone cleaning up" part, but I can't rule out a
database corruption. Is there maybe a way to check for this?
> 

Hannes

-- 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
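The correlation done by hand above (pairing each RESULT err=32 with the SRCH of the same conn/op to learn which base DN the directory could not find; err=32 is LDAP noSuchObject) can be automated. This is an added example, not code from the thread or from FreeIPA/389-ds; the sample log lines are constructed, modelled on the quoted ones with placeholder DNs.

```python
import re

# Constructed sample access-log lines (placeholder DNs), shaped like the ones quoted above.
SAMPLE_LOG = """\
[26/Jan/2025:12:56:33.608141106 +0100] conn=1847 op=10 SRCH base="cn=DNSSEC,cn=idm-master.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test" scope=0 filter="(objectClass=*)" attrs="cn"
[26/Jan/2025:12:56:33.608208600 +0100] conn=1847 op=10 RESULT err=32 tag=101 nentries=0 wtime=0.000048841 optime=0.000068771 etime=0.000116566
[26/Jan/2025:12:56:36.433609457 +0100] conn=1857 op=3 SRCH base="cn=changelog5,cn=config" scope=0 filter="(objectClass=*)" attrs="nsslapd-changelogmaxentries"
[26/Jan/2025:12:56:36.433639656 +0100] conn=1857 op=3 RESULT err=32 tag=101 nentries=0 wtime=0.000173461 optime=0.000030915 etime=0.000203514
[26/Jan/2025:12:56:36.500000000 +0100] conn=1847 op=19 SRCH base="cn=config" scope=0 filter="(objectClass=*)" attrs="*"
[26/Jan/2025:12:56:36.500100000 +0100] conn=1847 op=19 RESULT err=0 tag=101 nentries=1 wtime=0.000010000 optime=0.000020000 etime=0.000030000
"""

# SRCH and RESULT lines of one operation share the same conn= and op= values.
SRCH_RE = re.compile(r'\] conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) filter="([^"]*)"')
RESULT_RE = re.compile(r'\] conn=(\d+) op=(\d+) RESULT err=(\d+) ')


def find_no_such_object(lines):
    """Return (conn, op, base_dn, scope, filter) for every search that ended with err=32."""
    pending = {}  # (conn, op) -> search details, kept until that op's RESULT line arrives
    hits = []
    for line in lines:
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, scope, flt = m.groups()
            pending[(conn, op)] = (base, int(scope), flt)
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err = m.groups()
            srch = pending.pop((conn, op), None)  # non-search ops have no pending entry
            if srch and int(err) == 32:
                hits.append((conn, op) + srch)
    return hits


if __name__ == "__main__":
    import sys
    # Pass a real access log path to scan it; without an argument the constructed sample is used.
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for conn, op, base, scope, flt in find_no_such_object(src):
        print(f"conn={conn} op={op} scope={scope} filter={flt} missing base: {base}")
```

A scope=0 (base) search with filter (objectClass=*) returning err=32 means the entry named by the base DN itself does not exist, so the printed DNs are exactly the objects the CA or healthcheck expected and could not read.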