Jochen Kellner via FreeIPA-users wrote:
> Alex Corcoles via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
> writes:
>
>> Hi all,
>>
>> Sorry I didn't keep track of this more accurately. Some time ago, the
>> ipa-healthcheck service started failing (September 23rd, I think). I
>> took a look, and IIRC, it said something like some certs were about to
>> expire. I ignored that (because they renew automatically?). But then I
>> checked some time after that, and ipa-healthcheck started reporting:
> ...
>> "msg": "Certificate 'auditSigningCert cert-pki-ca' does not match the
>> value of ca.audit_signing.cert in /etc/pki/pki-tomcat/ca/CS.cfg"
> ...
>> Any thoughts?
>
> This looks similar to
> https://pagure.io/freeipa/issue/9277
> https://github.com/dogtagpki/pki/issues/2157
The KRA values are definitely not being updated. That shouldn't be the case
for the CA values.

rob

>
> I've used this play to fix my system:
> ---
> # file: freeipa-fixes.yml
> - name: Fix problems in IPA installations or configurations after install / postinstall or later
>   hosts:
>     - ipaservers
>   become: true
>
>   tasks:
>     # ...
>     # Another healthcheck fix: when the PKI server certificate is renewed
>     # the new certificate is written to /var/lib/pki/pki-tomcat/ca/conf/CS.cfg.
>     # It needs to be in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg too.
>     # {
>     #   "source": "pki.server.healthcheck.meta.csconfig",
>     #   "check": "KRADogtagCertsConfigCheck",
>     #   "result": "ERROR",
>     #   "uuid": "892ad5b7-8612-4476-8120-2a5fe6c6b005",
>     #   "when": "20221116030029Z",
>     #   "duration": "0.024925",
>     #   "kw": {
>     #     "key": "kra_sslserver",
>     #     "nickname": "Server-Cert cert-pki-ca",
>     #     "directive": "kra.sslserver.cert",
>     #     "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
>     #     "msg": "Certificate 'Server-Cert cert-pki-ca' does not match the value
>     #             of kra.sslserver.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
>     #   }
>     # },
>     # This is likely a bug in /usr/libexec/ipa/certmonger/renew_ca_cert
>     #
>     # The awk calls below keep everything after the first '=': the stored
>     # value is base64 DER and can end in '=' padding, which splitting on
>     # every '=' and printing $2 would silently drop.
>     - name: Fetch ca.sslserver.cert from /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
>       ansible.builtin.command:
>         cmd: awk '/^ca\.sslserver\.cert=/ { sub(/^[^=]*=/, ""); print }' /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
>       register: ca_sslserver_cert
>       check_mode: false
>       changed_when: false
>
>     - name: Fetch kra.sslserver.cert= from /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
>       ansible.builtin.command:
>         cmd: awk '/^kra\.sslserver\.cert=/ { sub(/^[^=]*=/, ""); print }' /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
>       register: kra_sslserver_cert
>       check_mode: false
>       changed_when: false
>
>     # - name: debug display the possibly different certs
>     #   ansible.builtin.debug:
>     #     var: "{{ item }}"
>     #   loop:
>     #     - ca_sslserver_cert.stdout
>     #     - kra_sslserver_cert.stdout
>
>     - name: Fix ipa-healthcheck, KRADogtagCertsConfigCheck
>       ansible.builtin.lineinfile:
>         dest: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
>         regexp: '^kra.sslserver.cert='
>         line: 'kra.sslserver.cert={{ ca_sslserver_cert.stdout }}'
>         owner: pkiuser
>         group: pkiuser
>         mode: '0660'
>         backup: true
>       when: ca_sslserver_cert.stdout != kra_sslserver_cert.stdout
>       notify: Restart pki-tomcat
>
>     # "key": "transportCert cert-pki-kra",
>     # "directive": "ca.connector.KRA.transportCert",
>     # "configfile": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
>     # "msg": "Certificate 'transportCert cert-pki-kra' does not match the value of
>     #         ca.connector.KRA.transportCert in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
>     - name: Fetch Certificate 'transportCert cert-pki-kra'
>       ansible.builtin.shell:
>         cmd: certutil -d /etc/pki/pki-tomcat/alias/ -L -n 'transportCert cert-pki-kra' -a | awk '/^[^-]/ { sub(/\r/, ""); printf("%s", $0) }'
>       register: transportcert
>       check_mode: false
>       changed_when: false
>
>     - name: Fetch Certificate ca.connector.KRA.transportCert
>       ansible.builtin.shell:
>         cmd: awk '/^ca\.connector\.KRA\.transportCert=/ { sub(/^[^=]*=/, ""); print }' /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
>       register: ca_connector_transportcert
>       check_mode: false
>       changed_when: false
>
>     - name: Fix ipa-healthcheck, ca.connector.KRA.transportCert
>       ansible.builtin.lineinfile:
>         dest: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
>         regexp: '^ca.connector.KRA.transportCert='
>         line: 'ca.connector.KRA.transportCert={{ transportcert.stdout }}'
>         owner: pkiuser
>         group: pkiuser
>         mode: '0660'
>         backup: true
>       when: ca_connector_transportcert.stdout != transportcert.stdout
>       notify: Restart pki-tomcat
>
>     - name: Fetch Certificate kra.transport.cert
>       ansible.builtin.shell:
>         cmd: awk '/^kra\.transport\.cert=/ { sub(/^[^=]*=/, ""); print }' /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
>       register: kra_transport_cert
>       check_mode: false
>       changed_when: false
>
>     - name: Fix ipa-healthcheck, kra.transport.cert
>       ansible.builtin.lineinfile:
>         dest: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
>         regexp: '^kra.transport.cert='
>         line: 'kra.transport.cert={{ transportcert.stdout }}'
>         owner: pkiuser
>         group: pkiuser
>         mode: '0660'
>         backup: true
>       when: kra_transport_cert.stdout != transportcert.stdout
>       notify: Restart pki-tomcat
>
>     # "nickname": "subsystemCert cert-pki-ca",
>     # "directive": "kra.subsystem.cert",
>     # "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
>     # "msg": "Certificate 'subsystemCert cert-pki-ca' does not match the value
>     #         of kra.subsystem.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
>
>     - name: Fetch Certificate 'subsystemCert cert-pki-ca'
>       ansible.builtin.shell:
>         cmd: certutil -d /etc/pki/pki-tomcat/alias/ -L -n 'subsystemCert cert-pki-ca' -a | awk '/^[^-]/ { sub(/\r/, ""); printf("%s", $0) }'
>       register: subsystemcert
>       check_mode: false
>       changed_when: false
>
>     - name: Fetch Certificate kra.subsystem.cert
>       ansible.builtin.shell:
>         cmd: awk '/^kra\.subsystem\.cert=/ { sub(/^[^=]*=/, ""); print }' /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
>       register: kra_subsystem_cert
>       check_mode: false
>       changed_when: false
>
>     - name: Fix ipa-healthcheck, kra.subsystem.cert
>       ansible.builtin.lineinfile:
>         dest: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
>         regexp: '^kra.subsystem.cert='
>         line: 'kra.subsystem.cert={{ subsystemcert.stdout }}'
>         owner: pkiuser
>         group: pkiuser
>         mode: '0660'
>         backup: true
>       when: kra_subsystem_cert.stdout != subsystemcert.stdout
>       notify: Restart pki-tomcat
>
>     # "nickname": "storageCert cert-pki-kra",
>     # "directive": "kra.storage.cert",
>     # "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
>     # "msg": "Certificate 'storageCert cert-pki-kra' does not match the value
>     #         of kra.storage.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
>
>     - name: Fetch Certificate 'storageCert cert-pki-kra'
>       ansible.builtin.shell:
>         cmd: certutil -d /etc/pki/pki-tomcat/alias/ -L -n 'storageCert cert-pki-kra' -a | awk '/^[^-]/ { sub(/\r/, ""); printf("%s", $0) }'
>       register: storagecert
>       check_mode: false
>       changed_when: false
>
>     - name: Fetch Certificate kra.storage.cert
>       ansible.builtin.shell:
>         cmd: awk '/^kra\.storage\.cert=/ { sub(/^[^=]*=/, ""); print }' /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
>       register: kra_storage_cert
>       check_mode: false
>       changed_when: false
>
>     - name: Fix ipa-healthcheck, kra.storage.cert
>       ansible.builtin.lineinfile:
>         dest: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
>         regexp: '^kra.storage.cert='
>         line: 'kra.storage.cert={{ storagecert.stdout }}'
>         owner: pkiuser
>         group: pkiuser
>         mode: '0660'
>         backup: true
>       when: storagecert.stdout != kra_storage_cert.stdout
>       notify: Restart pki-tomcat
>
>     # "nickname": "auditSigningCert cert-pki-kra",
>     # "directive": "kra.audit_signing.cert",
>     # "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
>     # "msg": "Certificate 'auditSigningCert cert-pki-kra' does not match the
>     #         value of kra.audit_signing.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
>
>     - name: Fetch Certificate 'auditSigningCert cert-pki-kra'
>       ansible.builtin.shell:
>         cmd: certutil -d /etc/pki/pki-tomcat/alias/ -L -n 'auditSigningCert cert-pki-kra' -a | awk '/^[^-]/ { sub(/\r/, ""); printf("%s", $0) }'
>       register: auditsigningcert
>       check_mode: false
>       changed_when: false
>
>     - name: Fetch Certificate kra.audit_signing.cert
>       ansible.builtin.shell:
>         cmd: awk '/^kra\.audit_signing\.cert=/ { sub(/^[^=]*=/, ""); print }' /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
>       register: kra_audit_signing_cert
>       check_mode: false
>       changed_when: false
>
>     - name: Fix ipa-healthcheck, kra.audit_signing.cert
>       ansible.builtin.lineinfile:
>         dest: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
>         regexp: '^kra.audit_signing.cert='
>         line: 'kra.audit_signing.cert={{ auditsigningcert.stdout }}'
>         owner: pkiuser
>         group: pkiuser
>         mode: '0660'
>         backup: true
>       when: kra_audit_signing_cert.stdout != auditsigningcert.stdout
>       notify: Restart pki-tomcat
>
>
>   handlers:
>     # ...
>     - name: Restart pki-tomcat
>       ansible.builtin.service:
>         name: pki-tomcatd@pki-tomcat.service
>         state: restarted

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
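The check the thread is working around, as an added example that is not code from the thread, from ipa-healthcheck or from pki: the script below reproduces what the *DogtagCertsConfigCheck checks compare (the certificate in the NSS database against the base64 value stored after `directive=` in CS.cfg) and shows a sync that keeps the base64 '=' padding, which the `awk -F '=' ... { print $2 }` extraction from the play silently drops. It assumes CS.cfg keeps each certificate as one base64 line and that `certutil -d <db> -L -n <nickname> -a` prints that certificate as PEM; the function names (`cs_get`, `cs_set`, `pem_to_cs_value`, `check_directive`), the CS.cfg fragments and the base64 are all constructed for the example. The nickname/directive pairs named in the thread are: Server-Cert cert-pki-ca (ca.sslserver.cert, kra.sslserver.cert), transportCert cert-pki-kra (ca.connector.KRA.transportCert, kra.transport.cert), subsystemCert cert-pki-ca (kra.subsystem.cert), storageCert cert-pki-kra (kra.storage.cert), auditSigningCert cert-pki-ca (ca.audit_signing.cert) and auditSigningCert cert-pki-kra (kra.audit_signing.cert).

```shell
#!/bin/sh
# Added example (not from the thread, ipa-healthcheck or pki). Assumes CS.cfg
# stores a certificate as one base64 line after "directive=" and that
# `certutil -L -n <nick> -a` prints PEM. All data below is constructed.

# Value of a directive. Only the first '=' separates key from value, so the
# trailing '=' padding of the base64 survives (awk -F '=' '{print $2}' loses it).
cs_get() {  # cs_get <CS.cfg> <directive>
    awk -v key="$2" 'index($0, key "=") == 1 { print substr($0, length(key) + 2) }' "$1"
}

# Turn `certutil -L -a` PEM output (stdin) into the one-line form CS.cfg uses:
# drop the BEGIN/END lines, strip CR, join the rest with no newlines.
pem_to_cs_value() {
    awk '/^[^-]/ { sub(/\r$/, ""); printf "%s", $0 }'
}

# Set directive=value in CS.cfg (appending it if absent), keeping a .bak copy,
# only if the stored value differs. Prints "changed" or "unchanged". The file
# is rewritten through its existing path, so owner and mode are untouched.
cs_set() {  # cs_set <CS.cfg> <directive> <value>
    if [ "$(cs_get "$1" "$2")" = "$3" ]; then
        echo unchanged
        return 0
    fi
    cp -p "$1" "$1.bak"
    awk -v key="$2" -v val="$3" '
        index($0, key "=") == 1 { print key "=" val; done = 1; next }
        { print }
        END { if (!done) print key "=" val }
    ' "$1.bak" > "$1"
    echo changed
}

# Healthcheck-style comparison of one directive against a PEM file. On a real
# server the PEM comes from: certutil -d /etc/pki/pki-tomcat/alias -L -n "<nick>" -a
check_directive() {  # check_directive <CS.cfg> <directive> <pem-file>
    want=$(pem_to_cs_value < "$3")
    have=$(cs_get "$1" "$2")
    if [ "$have" = "$want" ]; then
        echo "OK: $2 matches the certificate in $1"
        return 0
    fi
    echo "ERROR: $2 in $1 does not match the certificate in $3"
    return 1
}

# --- constructed sample data ---------------------------------------------
work=$(mktemp -d)

# Stand-in for the renewed Server-Cert as certutil prints it (made-up base64,
# chosen so that the last line ends in '=' padding).
cat > "$work/server.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBaDCCAQ6gAwIBAgIBATAKBggqhkjOPQQDAjAVMRMwEQYDVQQDEwpFWEFNUExF
Q0ExMB4XDTI0MDEwMTAwMDAwMFoXDTI1MDEwMTAwMDAwMFowFTETMBEGA1UEAxMK
RVhBTVBMRUNBMQ==
-----END CERTIFICATE-----
EOF
NEW_CERT=$(pem_to_cs_value < "$work/server.pem")

# The CA copy of CS.cfg already carries the renewed certificate; the KRA copy
# still carries the old one (the situation described in the thread).
cat > "$work/ca-CS.cfg" <<EOF
ca.sslserver.nickname=Server-Cert cert-pki-ca
ca.sslserver.cert=$NEW_CERT
EOF
cat > "$work/kra-CS.cfg" <<EOF
kra.sslserver.nickname=Server-Cert cert-pki-ca
kra.sslserver.cert=T0xEQ0VSVA==
EOF

# Splitting on every '=' and printing $2 drops the padding:
naive=$(awk -F '=' '/^ca.sslserver.cert=/ { print $2 }' "$work/ca-CS.cfg")
if [ "$naive" != "$NEW_CERT" ]; then
    echo "naive extraction returned ${#naive} chars, CS.cfg holds ${#NEW_CERT}"
fi

check_directive "$work/ca-CS.cfg" ca.sslserver.cert "$work/server.pem" || true
check_directive "$work/kra-CS.cfg" kra.sslserver.cert "$work/server.pem" || true
cs_set "$work/kra-CS.cfg" kra.sslserver.cert "$NEW_CERT"
check_directive "$work/kra-CS.cfg" kra.sslserver.cert "$work/server.pem"
```

Run it as is to see the KRA mismatch reported and then repaired; on a server, replace the constructed PEM with `certutil -d /etc/pki/pki-tomcat/alias -L -n "<nickname>" -a` output and point the functions at the real CS.cfg files, then restart pki-tomcatd@pki-tomcat.service only when `cs_set` printed "changed".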