Travis West via FreeIPA-users wrote:
> Rob,
> 
> I installed the ipa-healthcheck that you got to work on CentOS 7, and ran it. 
> Got a couple of errors regarding the RA Agent cert:
> 
> [
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "kw": {
>       "msg": "Certificate validation for /var/lib/ipa/ra-agent.pem failed: ",
>       "reason": "",
>       "key": "/var/lib/ipa/ra-agent.pem"
>     },
>     "uuid": "a855346c-4998-4415-a819-ce83048e174e",
>     "duration": "0.100214",
>     "when": "20240404141916Z",
>     "check": "IPAOpenSSLChainValidation",
>     "result": "ERROR"
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "kw": {
>       "msg": "RA agent not found in LDAP"
>     },
>     "uuid": "b6efdb6c-ca33-4421-bdc5-c449e7d64591",
>     "duration": "0.027569",
>     "when": "20240404141916Z",
>     "check": "IPARAAgent",
>     "result": "ERROR"
>   }

It runs: openssl verify -verbose -show_chain -CAfile /etc/ipa/ca.crt /var/lib/ipa/ra-agent.pem

> That first error, I'm not sure what kind of validation it's performing. 
> In my asn.1 output earlier I did include the ra-agent.pem and it looks like 
> it's correctly signed.
> As far as the "RA agent not found in LDAP", it looks to me like it is, and it 
> matches the cert in /var/lib/ipa/ra-agent.pem
> 
> # ldapsearch -D "cn=directory manager" -W -b uid=ipara,ou=people,o=ipaca
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <uid=ipara,ou=people,o=ipaca> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
> 
> # ipara, people, ipaca
> dn: uid=ipara,ou=people,o=ipaca
> description: 2;7;CN=Certificate Authority,O=IPA.****.NET;CN=IPA 
> RA,O=IPA.****.NET
> userCertificate:: MIID6j...ssifAg==
> uid: ipara
> sn: ipara
> usertype: agentType
> userstate: 1
> objectClass: cmsuser
> objectClass: top
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: person
> cn: ipara
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1
> 
> # cat ra-agent.pem
> -----BEGIN CERTIFICATE-----
> MIID6j...ssifAg==
> -----END CERTIFICATE-----

Watch the 389-ds access log (buffer) while healthcheck runs. You should
see the failed search and the reason may be enlightening (or not).

You can also add --debug to the command and may be that will help.

rob
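The two checks above boil down to "does the chain verify" and "does the LDAP entry hold the same certificate as the PEM file". As an added example (not from this thread and not ipa-healthcheck's own code), the helper below compares the base64 `userCertificate::` value from an LDIF dump with the certificate in a PEM file byte for byte, handling LDIF line folding, prints an openssl-style SHA-256 fingerprint for either side, and lists the non-SUCCESS results from healthcheck JSON output; the sample certificate bytes and LDIF/JSON are constructed placeholders, not real data.

```python
import base64
import hashlib
import json
import re

def unfold_ldif(ldif_text):
    """Join LDIF continuation lines: a line starting with one space continues the previous one."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def ldif_certificate_der(ldif_text):
    """DER bytes of the first base64 'userCertificate::' value, or None if absent."""
    for line in unfold_ldif(ldif_text):
        if line.startswith("userCertificate:: "):
            return base64.b64decode(line.split(":: ", 1)[1])
    return None

def pem_certificate_der(pem_text):
    """DER bytes of the first CERTIFICATE block in a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def sha256_fingerprint(der):
    """Colon-separated SHA-256 fingerprint, as 'openssl x509 -fingerprint -sha256' prints it."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def ra_cert_matches(ldif_text, pem_text):
    """True when the LDAP userCertificate is byte-identical to the PEM file's certificate."""
    ldap_der = ldif_certificate_der(ldif_text)
    return ldap_der is not None and ldap_der == pem_certificate_der(pem_text)

def failing_checks(healthcheck_json):
    """(check, msg) pairs for every ipa-healthcheck result whose result is not SUCCESS."""
    return [(r["check"], r["kw"].get("msg", ""))
            for r in json.loads(healthcheck_json) if r.get("result") != "SUCCESS"]

# Constructed sample data: placeholder bytes, NOT a real certificate; the LDIF value is folded.
SAMPLE_DER = bytes(range(64))
_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_LDIF = "dn: uid=ipara,ou=people,o=ipaca\nuserCertificate:: " + _B64[:40] + "\n " + _B64[40:] + "\nuid: ipara\n"
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64)) + "\n-----END CERTIFICATE-----\n"
SAMPLE_JSON = json.dumps([{"check": "IPAOpenSSLChainValidation", "kw": {"msg": "ok"}, "result": "SUCCESS"},
                          {"check": "IPARAAgent", "kw": {"msg": "RA agent not found in LDAP"}, "result": "ERROR"}])
```

Feed it the output of `ldapsearch ... -b uid=ipara,ou=people,o=ipaca` and the contents of /var/lib/ipa/ra-agent.pem; a fingerprint mismatch means the LDAP entry holds a different certificate than the file, which eyeballing the truncated base64 will not reveal.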
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org