Alex Corcoles via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:
> Hi all,
>
> Sorry I didn't keep track of this more accurately. Some time ago, the
> ipa-healthcheck service started failing (September 23rd, I think). I
> took a look, and IIRC, it said something like some certs were about to
> expire. I ignored that (because they renew automatically?). But then I
> checked some time after that, and ipa-healthcheck started reporting:
...
> "msg": "Certificate 'auditSigningCert cert-pki-ca' does not match the
> value of ca.audit_signing.cert in /etc/pki/pki-tomcat/ca/CS.cfg"
...
> Any thoughts?

This looks similar to

https://pagure.io/freeipa/issue/9277
https://github.com/dogtagpki/pki/issues/2157

I've used this play to fix my system:

---
# file: freeipa-fixes.yml
- name: Fix problems in IPA installations or configurations after install / postinstall or later
  hosts:
    - ipaservers
  become: true
  tasks:
    # ...

    # Another healthcheck fix: when the PKI server certificate is renewed
    # the new certificate is written to /var/lib/pki/pki-tomcat/ca/conf/CS.cfg.
    # It needs to be in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg too.
    #
    # {
    #   "source": "pki.server.healthcheck.meta.csconfig",
    #   "check": "KRADogtagCertsConfigCheck",
    #   "result": "ERROR",
    #   "uuid": "892ad5b7-8612-4476-8120-2a5fe6c6b005",
    #   "when": "20221116030029Z",
    #   "duration": "0.024925",
    #   "kw": {
    #     "key": "kra_sslserver",
    #     "nickname": "Server-Cert cert-pki-ca",
    #     "directive": "kra.sslserver.cert",
    #     "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
    #     "msg": "Certificate 'Server-Cert cert-pki-ca' does not match the value
    #             of kra.sslserver.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
    #   }
    # },
    #
    # This is likely a bug in /usr/libexec/ipa/certmonger/renew_ca_cert

    # The certificate values in CS.cfg are base64-encoded DER and may end in
    # '=' padding, so strip the "key=" prefix instead of splitting the line
    # on '=' (awk -F '=' ... { print $2 } would drop the padding and the
    # comparison below would never settle).
    - name: Fetch ca.sslserver.cert from /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
      ansible.builtin.command:
        cmd: awk '/^ca\.sslserver\.cert=/ { sub(/^[^=]*=/, ""); print }' /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
      register: ca_sslserver_cert
      check_mode: false
      changed_when: false

    - name: Fetch kra.sslserver.cert from /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
      ansible.builtin.command:
        cmd: awk '/^kra\.sslserver\.cert=/ { sub(/^[^=]*=/, ""); print }' /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
      register: kra_sslserver_cert
      check_mode: false
      changed_when: false

    # - name: debug display the possibly different certs
    #   ansible.builtin.debug:
    #     var: "{{ item }}"
    #   loop:
    #     - ca_sslserver_cert.stdout
    #     - kra_sslserver_cert.stdout

    - name: Fix ipa-healthcheck, KRADogtagCertsConfigCheck
      ansible.builtin.lineinfile:
        dest: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
        regexp: '^kra.sslserver.cert='
        line: 'kra.sslserver.cert={{ ca_sslserver_cert.stdout }}'
        owner: pkiuser
        group: pkiuser
        mode: '0660'
        backup: true
      when: ca_sslserver_cert.stdout != kra_sslserver_cert.stdout
      notify: Restart pki-tomcat

    # "key": "transportCert cert-pki-kra",
    # "directive": "ca.connector.KRA.transportCert",
    # "configfile": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
    # "msg": "Certificate 'transportCert cert-pki-kra' does not match the value of
    #         ca.connector.KRA.transportCert in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg"

    # The copy in the NSS database is the reference: print it as PEM, drop the
    # BEGIN/END lines and join the base64 lines into the single line CS.cfg uses.
    - name: Fetch Certificate 'transportCert cert-pki-kra'
      ansible.builtin.shell:
        cmd: certutil -d /etc/pki/pki-tomcat/alias/ -L -n 'transportCert cert-pki-kra' -a | awk '/^[^-]/ { sub(/\r/, ""); printf("%s", $0) }'
      register: transportcert
      check_mode: false
      changed_when: false

    - name: Fetch Certificate ca.connector.KRA.transportCert
      ansible.builtin.command:
        cmd: awk '/^ca\.connector\.KRA\.transportCert=/ { sub(/^[^=]*=/, ""); print }' /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
      register: ca_connector_transportcert
      check_mode: false
      changed_when: false

    - name: Fix ipa-healthcheck, ca.connector.KRA.transportCert
      ansible.builtin.lineinfile:
        dest: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
        regexp: '^ca.connector.KRA.transportCert='
        line: 'ca.connector.KRA.transportCert={{ transportcert.stdout }}'
        owner: pkiuser
        group: pkiuser
        mode: '0660'
        backup: true
      when: ca_connector_transportcert.stdout != transportcert.stdout
      notify: Restart pki-tomcat

    - name: Fetch Certificate kra.transport.cert
      ansible.builtin.command:
        cmd: awk '/^kra\.transport\.cert=/ { sub(/^[^=]*=/, ""); print }' /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
      register: kra_transport_cert
      check_mode: false
      changed_when: false

    - name: Fix ipa-healthcheck, kra.transport.cert
      ansible.builtin.lineinfile:
        dest: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
        regexp: '^kra.transport.cert='
        line: 'kra.transport.cert={{ transportcert.stdout }}'
        owner: pkiuser
        group: pkiuser
        mode: '0660'
        backup: true
      when: kra_transport_cert.stdout != transportcert.stdout
      notify: Restart pki-tomcat

    # "nickname": "subsystemCert cert-pki-ca",
    # "directive": "kra.subsystem.cert",
    # "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
    # "msg": "Certificate 'subsystemCert cert-pki-ca' does not match the value
    #         of kra.subsystem.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
    - name: Fetch Certificate 'subsystemCert cert-pki-ca'
      ansible.builtin.shell:
        cmd: certutil -d /etc/pki/pki-tomcat/alias/ -L -n 'subsystemCert cert-pki-ca' -a | awk '/^[^-]/ { sub(/\r/, ""); printf("%s", $0) }'
      register: subsystemcert
      check_mode: false
      changed_when: false

    - name: Fetch Certificate kra.subsystem.cert
      ansible.builtin.command:
        cmd: awk '/^kra\.subsystem\.cert=/ { sub(/^[^=]*=/, ""); print }' /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
      register: kra_subsystem_cert
      check_mode: false
      changed_when: false

    - name: Fix ipa-healthcheck, kra.subsystem.cert
      ansible.builtin.lineinfile:
        dest: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
        regexp: '^kra.subsystem.cert='
        line: 'kra.subsystem.cert={{ subsystemcert.stdout }}'
        owner: pkiuser
        group: pkiuser
        mode: '0660'
        backup: true
      when: kra_subsystem_cert.stdout != subsystemcert.stdout
      notify: Restart pki-tomcat

    # "nickname": "storageCert cert-pki-kra",
    # "directive": "kra.storage.cert",
    # "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
    # "msg": "Certificate 'storageCert cert-pki-kra' does not match the value
    #         of kra.storage.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
    - name: Fetch Certificate 'storageCert cert-pki-kra'
      ansible.builtin.shell:
        cmd: certutil -d /etc/pki/pki-tomcat/alias/ -L -n 'storageCert cert-pki-kra' -a | awk '/^[^-]/ { sub(/\r/, ""); printf("%s", $0) }'
      register: storagecert
      check_mode: false
      changed_when: false

    - name: Fetch Certificate kra.storage.cert
      ansible.builtin.command:
        cmd: awk '/^kra\.storage\.cert=/ { sub(/^[^=]*=/, ""); print }' /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
      register: kra_storage_cert
      check_mode: false
      changed_when: false

    - name: Fix ipa-healthcheck, kra.storage.cert
      ansible.builtin.lineinfile:
        dest: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
        regexp: '^kra.storage.cert='
        line: 'kra.storage.cert={{ storagecert.stdout }}'
        owner: pkiuser
        group: pkiuser
        mode: '0660'
        backup: true
      when: storagecert.stdout != kra_storage_cert.stdout
      notify: Restart pki-tomcat

    # "nickname": "auditSigningCert cert-pki-kra",
    # "directive": "kra.audit_signing.cert",
    # "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
    # "msg": "Certificate 'auditSigningCert cert-pki-kra' does not match the
    #         value of kra.audit_signing.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
    - name: Fetch Certificate 'auditSigningCert cert-pki-kra'
      ansible.builtin.shell:
        cmd: certutil -d /etc/pki/pki-tomcat/alias/ -L -n 'auditSigningCert cert-pki-kra' -a | awk '/^[^-]/ { sub(/\r/, ""); printf("%s", $0) }'
      register: auditsigningcert
      check_mode: false
      changed_when: false

    - name: Fetch Certificate kra.audit_signing.cert
      ansible.builtin.command:
        cmd: awk '/^kra\.audit_signing\.cert=/ { sub(/^[^=]*=/, ""); print }' /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
      register: kra_audit_signing_cert
      check_mode: false
      changed_when: false

    - name: Fix ipa-healthcheck, kra.audit_signing.cert
      ansible.builtin.lineinfile:
        dest: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
        regexp: '^kra.audit_signing.cert='
        line: 'kra.audit_signing.cert={{ auditsigningcert.stdout }}'
        owner: pkiuser
        group: pkiuser
        mode: '0660'
        backup: true
      when: kra_audit_signing_cert.stdout != auditsigningcert.stdout
      notify: Restart pki-tomcat

  handlers:
    # ...
    - name: Restart pki-tomcat
      ansible.builtin.service:
        name: pki-tomcatd@pki-tomcat.service
        state: restarted

--
This space is intentionally left blank.
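The comparison the play above does in awk and lineinfile, written out in Python as an added example (this is not code from the post, from FreeIPA or from Dogtag): extract the single-line base64 body from a PEM certificate the way `certutil -L -a | awk` does, read the matching `key=` directive from CS.cfg text, report the directives that differ from the NSS copy, and rewrite only those. The nickname-to-directive tables follow the healthcheck findings quoted in the thread; the certificates and the CS.cfg snippet are constructed sample data, not real PKI material. It also shows why the value must be cut at the first `=` only: a base64 certificate can end in `=` padding, which an `awk -F '=' '{ print $2 }'` extraction silently drops.

```python
import base64

# Which NSS nickname each CS.cfg directive has to carry, per config file,
# following the healthcheck findings quoted in the thread.
CA_CFG_DIRECTIVES = {
    "ca.connector.KRA.transportCert": "transportCert cert-pki-kra",
}
KRA_CFG_DIRECTIVES = {
    "kra.sslserver.cert": "Server-Cert cert-pki-ca",
    "kra.transport.cert": "transportCert cert-pki-kra",
    "kra.subsystem.cert": "subsystemCert cert-pki-ca",
    "kra.storage.cert": "storageCert cert-pki-kra",
    "kra.audit_signing.cert": "auditSigningCert cert-pki-kra",
}


def pem_body(pem: str) -> str:
    """Single-line base64 body of a PEM cert, which is how CS.cfg stores it.
    Same effect as: certutil -L -a | awk '/^[^-]/ { printf("%s", $0) }'."""
    return "".join(
        line.strip() for line in pem.splitlines()
        if line.strip() and not line.startswith("-----")
    )


def read_directive(cfg: str, key: str):
    """Value of 'key=...' in CS.cfg text, or None if absent. Cut at the first
    '=' only: the base64 value itself may end in '=' padding."""
    for line in cfg.splitlines():
        if line.startswith(key + "="):
            return line[len(key) + 1:]
    return None


def read_directive_awk_style(cfg: str, key: str):
    """What awk -F '=' '{ print $2 }' yields: field 2 only, so trailing '='
    padding of the certificate is lost. Kept here only for comparison."""
    for line in cfg.splitlines():
        if line.startswith(key + "="):
            return line.split("=")[1]
    return None


def set_directive(cfg: str, key: str, value: str) -> str:
    """Replace the 'key=' line in place (lineinfile with regexp '^key=')."""
    out = [f"{key}={value}" if line.startswith(key + "=") else line
           for line in cfg.splitlines()]
    return "\n".join(out) + "\n"


def find_mismatches(cfg: str, directives: dict, nss_certs: dict) -> list:
    """Directives whose CS.cfg value differs from the certificate in the NSS DB,
    i.e. the KRADogtagCertsConfigCheck condition. nss_certs maps nickname -> PEM."""
    return [
        key for key, nick in directives.items()
        if nick in nss_certs and read_directive(cfg, key) != pem_body(nss_certs[nick])
    ]


def repair(cfg: str, directives: dict, nss_certs: dict):
    """Rewrite every mismatched directive from the NSS DB copy.
    Returns (new_cfg, changed_keys); an empty list means no restart is needed."""
    changed = find_mismatches(cfg, directives, nss_certs)
    for key in changed:
        cfg = set_directive(cfg, key, pem_body(nss_certs[directives[key]]))
    return cfg, changed


# --- constructed sample data (not real certificates) -----------------------
def fake_pem(raw: bytes) -> str:
    """Wrap arbitrary bytes as a PEM-looking blob, 64 chars per line like certutil -a."""
    b64 = base64.b64encode(raw).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# 32 bytes -> base64 ends in one '=' of padding, the case the awk split loses.
NEW_TRANSPORT_PEM = fake_pem(b"constructed-transport-cert-bytes")
OLD_TRANSPORT_B64 = base64.b64encode(b"old-transport-cert").decode()

SAMPLE_NSS = {"transportCert cert-pki-kra": NEW_TRANSPORT_PEM}
SAMPLE_KRA_CFG = (
    "kra.transport.cert=" + OLD_TRANSPORT_B64 + "\n"
    "kra.storage.cert=c3RvcmFnZQ==\n"
)

if __name__ == "__main__":
    fixed, changed = repair(SAMPLE_KRA_CFG, KRA_CFG_DIRECTIVES, SAMPLE_NSS)
    print("rewritten:", changed)
    print(fixed)
```

Only directives whose nickname is present in `nss_certs` are checked, so the same function serves the CA's CS.cfg with `CA_CFG_DIRECTIVES` and the KRA's with `KRA_CFG_DIRECTIVES`; the returned `changed` list is what decides whether pki-tomcat has to be restarted, which keeps a second run a no-op.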
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue