Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

running ipa-healthcheck --failures-only on newly installed ipa-server lists ERROR for IPACertfileExpirationCheck #342

Open
4gemenot opened this issue Oct 17, 2024 · 17 comments
Open

running ipa-healthcheck --failures-only on newly installed ipa-server lists ERROR for IPACertfileExpirationCheck #342

4gemenot opened this issue Oct 17, 2024 · 17 comments

Comments

@4gemenot
Copy link

I'm getting a list of unable to find certificate.

ERROR: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072907: Request id 20240828072907: Unable to retrieve cert 'auditSigningCert cert-pki-ca' from '/etc/pki/pki-tomcat/alias': Unable to find certificate
ERROR: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072908: Request id 20240828072908: Unable to retrieve cert 'ocspSigningCert cert-pki-ca' from '/etc/pki/pki-tomcat/alias': Unable to find certificate
ERROR: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072909: Request id 20240828072909: Unable to retrieve cert 'subsystemCert cert-pki-ca' from '/etc/pki/pki-tomcat/alias': Unable to find certificate
ERROR: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072910: Request id 20240828072910: Unable to retrieve cert 'caSigningCert cert-pki-ca' from '/etc/pki/pki-tomcat/alias': Unable to find certificate
ERROR: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072911: Request id 20240828072911: Unable to retrieve cert 'Server-Cert cert-pki-ca' from '/etc/pki/pki-tomcat/alias': Unable to find certificate
ERROR: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072913: Request id 20240828072913: Unable to retrieve cert 'Server-Cert' from '/etc/dirsrv/slapd-IDM-SEMAT-GOV-SA': Unable to find certificate

Running 'getcert list' all certificates show with status MONITORING,
@flo-renaud
Copy link
Contributor

Can you provide the output of ipa-healthcheck --source ipahealthcheck.ipa.certs --check IPACertfileExpirationCheck --verbose --debug ?

@4gemenot
Copy link
Author

[root@s1biok20idmp01 ~]# ipa-healthcheck --source ipahealthcheck.ipa.certs --check IPACertfileExpirationCheck --verbose --debug
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
httpd is configured
kadmin is configured
dirsrv is configured
pki-tomcatd is configured
install is not configured
krb5kdc is configured
named is configured
filestore has files
Reading Dogtag specific config values
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
httpd is configured
kadmin is configured
dirsrv is configured
pki-tomcatd is configured
install is not configured
krb5kdc is configured
named is configured
filestore has files
importing all plugin modules in ipaserver.plugins...
importing plugin module ipaserver.plugins.aci
importing plugin module ipaserver.plugins.automember
importing plugin module ipaserver.plugins.automount
importing plugin module ipaserver.plugins.baseldap
ipaserver.plugins.baseldap is not a valid plugin module
importing plugin module ipaserver.plugins.baseuser
importing plugin module ipaserver.plugins.batch
importing plugin module ipaserver.plugins.ca
importing plugin module ipaserver.plugins.caacl
importing plugin module ipaserver.plugins.cert
importing plugin module ipaserver.plugins.certmap
importing plugin module ipaserver.plugins.certprofile
importing plugin module ipaserver.plugins.config
importing plugin module ipaserver.plugins.delegation
importing plugin module ipaserver.plugins.dns
importing plugin module ipaserver.plugins.dnsserver
importing plugin module ipaserver.plugins.dogtag
importing plugin module ipaserver.plugins.domainlevel
importing plugin module ipaserver.plugins.group
importing plugin module ipaserver.plugins.hbac
ipaserver.plugins.hbac is not a valid plugin module
importing plugin module ipaserver.plugins.hbacrule
importing plugin module ipaserver.plugins.hbacsvc
importing plugin module ipaserver.plugins.hbacsvcgroup
importing plugin module ipaserver.plugins.hbactest
importing plugin module ipaserver.plugins.host
importing plugin module ipaserver.plugins.hostgroup
importing plugin module ipaserver.plugins.idp
importing plugin module ipaserver.plugins.idrange
importing plugin module ipaserver.plugins.idviews
importing plugin module ipaserver.plugins.internal
importing plugin module ipaserver.plugins.join
importing plugin module ipaserver.plugins.krbtpolicy
importing plugin module ipaserver.plugins.ldap2
importing plugin module ipaserver.plugins.location
importing plugin module ipaserver.plugins.migration
importing plugin module ipaserver.plugins.misc
importing plugin module ipaserver.plugins.netgroup
importing plugin module ipaserver.plugins.otp
ipaserver.plugins.otp is not a valid plugin module
importing plugin module ipaserver.plugins.otpconfig
importing plugin module ipaserver.plugins.otptoken
importing plugin module ipaserver.plugins.passkeyconfig
importing plugin module ipaserver.plugins.passwd
importing plugin module ipaserver.plugins.permission
importing plugin module ipaserver.plugins.ping
importing plugin module ipaserver.plugins.pkinit
importing plugin module ipaserver.plugins.privilege
importing plugin module ipaserver.plugins.pwpolicy
importing plugin module ipaserver.plugins.rabase
ipaserver.plugins.rabase is not a valid plugin module
importing plugin module ipaserver.plugins.radiusproxy
importing plugin module ipaserver.plugins.realmdomains
importing plugin module ipaserver.plugins.role
importing plugin module ipaserver.plugins.schema
importing plugin module ipaserver.plugins.selfservice
importing plugin module ipaserver.plugins.selinuxusermap
importing plugin module ipaserver.plugins.server
importing plugin module ipaserver.plugins.serverrole
importing plugin module ipaserver.plugins.serverroles
importing plugin module ipaserver.plugins.service
importing plugin module ipaserver.plugins.servicedelegation
importing plugin module ipaserver.plugins.session
importing plugin module ipaserver.plugins.stageuser
importing plugin module ipaserver.plugins.subid
importing plugin module ipaserver.plugins.sudo
ipaserver.plugins.sudo is not a valid plugin module
importing plugin module ipaserver.plugins.sudocmd
importing plugin module ipaserver.plugins.sudocmdgroup
importing plugin module ipaserver.plugins.sudorule
importing plugin module ipaserver.plugins.topology
importing plugin module ipaserver.plugins.trust
importing plugin module ipaserver.plugins.user
importing plugin module ipaserver.plugins.vault
importing plugin module ipaserver.plugins.virtual
ipaserver.plugins.virtual is not a valid plugin module
importing plugin module ipaserver.plugins.whoami
importing plugin module ipaserver.plugins.xmlserver
Created connection context.ldap2_140434900316608
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
httpd is configured
kadmin is configured
dirsrv is configured
pki-tomcatd is configured
install is not configured
krb5kdc is configured
named is configured
filestore has files
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
httpd is configured
kadmin is configured
dirsrv is configured
pki-tomcatd is configured
install is not configured
krb5kdc is configured
named is configured
filestore has files
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
Calling check <ipahealthcheck.meta.services.certmonger object at 0x7fb98b0ae6a0>
Starting external process
args=['/bin/systemctl', 'is-active', 'certmonger.service']
Process finished, return code=0
stdout=active

stderr=
Calling check <ipahealthcheck.meta.services.dirsrv object at 0x7fb98b09dd00>
Starting external process
args=['/bin/systemctl', 'is-active', '[email protected]']
Process finished, return code=0
stdout=active

stderr=
Calling check <ipahealthcheck.meta.services.gssproxy object at 0x7fb98b09d6a0>
Starting external process
args=['/bin/systemctl', 'is-active', 'gssproxy.service']
Process finished, return code=0
stdout=active

stderr=
Calling check <ipahealthcheck.meta.services.httpd object at 0x7fb98b09d790>
Starting external process
args=['/bin/systemctl', 'is-active', 'httpd.service']
Process finished, return code=0
stdout=active

stderr=
Calling check <ipahealthcheck.meta.services.ipa_custodia object at 0x7fb98b09d220>
retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IDM-SEMAT-GOV-SA.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fb98bc62580>
Starting external process
args=['/bin/systemctl', 'is-active', 'ipa-custodia.service']
Process finished, return code=0
stdout=active

stderr=
Calling check <ipahealthcheck.meta.services.ipa_otpd object at 0x7fb98b09d550>
Starting external process
args=['/bin/systemctl', 'is-active', 'ipa-otpd.socket']
Process finished, return code=0
stdout=active

stderr=
Calling check <ipahealthcheck.meta.services.kadmin object at 0x7fb98b087190>
Starting external process
args=['/bin/systemctl', 'is-active', 'kadmin.service']
Process finished, return code=0
stdout=active

stderr=
Calling check <ipahealthcheck.meta.services.krb5kdc object at 0x7fb98b087c10>
Starting external process
args=['/bin/systemctl', 'is-active', 'krb5kdc.service']
Process finished, return code=0
stdout=active

stderr=
Calling check <ipahealthcheck.meta.services.named object at 0x7fb98b087d30>
Starting external process
args=['/bin/systemctl', 'is-active', 'named.service']
Process finished, return code=0
stdout=active

stderr=
Calling check <ipahealthcheck.meta.services.ods_enforcerd object at 0x7fb98b087e50>
server s1biok20idmp01.idm.semat.gov.sa does not run role DNSSEC
Calling check <ipahealthcheck.meta.services.ipa_dnskeysyncd object at 0x7fb98b087fa0>
Starting external process
args=['/bin/systemctl', 'is-active', 'ipa-dnskeysyncd.service']
Process finished, return code=0
stdout=active

stderr=
Calling check <ipahealthcheck.meta.services.pki_tomcatd object at 0x7fb98b087730>
request POST http://s1biok20idmp01.idm.semat.gov.sa:8080/ca/admin/ca/getStatus
request body ''
response status 200
response headers Content-Type: application/json
Content-Length: 122
Date: Sun, 20 Oct 2024 05:51:03 GMT

response body (decoded): b'{\n "Response" : {\n "State" : "1",\n "Type" : "CA",\n "Status" : "running",\n "Version" : "11.5.0-SNAPSHOT"\n }\n}'
Calling check <ipahealthcheck.meta.services.sssd object at 0x7fb98b0f54f0>
Starting external process
args=['/bin/systemctl', 'is-active', 'sssd.service']
Process finished, return code=0
stdout=active

stderr=
Calling check <ipahealthcheck.meta.services.chronyd object at 0x7fb98b0f5490>
Starting external process
args=['/bin/systemctl', 'is-enabled', 'chronyd.service']
Process finished, return code=0
stdout=enabled

stderr=
Starting external process
args=['/bin/systemctl', 'is-active', 'chronyd.service']
Process finished, return code=0
stdout=active

stderr=
Calling check <ipahealthcheck.meta.services.smb object at 0x7fb98b0f5430>
server s1biok20idmp01.idm.semat.gov.sa does not run role ADTRUST
Calling check <ipahealthcheck.meta.services.winbind object at 0x7fb98b0f5250>
server s1biok20idmp01.idm.semat.gov.sa does not run role EXTID
Calling check <ipahealthcheck.ipa.certs.IPACertfileExpirationCheck object at 0x7fb98bb5b190>
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
The IPA token internal doesn't match the certmonger token NSS Certificate DB.
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Starting external process
args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'auditSigningCert cert-pki-ca', '-a', '-h', 'NSS Certificate DB', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
Process finished, return code=0
stdout=auditSigningCert cert-pki-ca u,u,Pu
subsystemCert cert-pki-ca u,u,u
Server-Cert cert-pki-ca u,u,u
ocspSigningCert cert-pki-ca u,u,u
caSigningCert cert-pki-ca CTu,Cu,Cu

stderr=
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
The IPA token internal doesn't match the certmonger token NSS Certificate DB.
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Starting external process
args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'ocspSigningCert cert-pki-ca', '-a', '-h', 'NSS Certificate DB', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
Process finished, return code=0
stdout=auditSigningCert cert-pki-ca u,u,Pu
subsystemCert cert-pki-ca u,u,u
Server-Cert cert-pki-ca u,u,u
ocspSigningCert cert-pki-ca u,u,u
caSigningCert cert-pki-ca CTu,Cu,Cu

stderr=
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
The IPA token internal doesn't match the certmonger token NSS Certificate DB.
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Starting external process
args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'subsystemCert cert-pki-ca', '-a', '-h', 'NSS Certificate DB', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
Process finished, return code=0
stdout=auditSigningCert cert-pki-ca u,u,Pu
subsystemCert cert-pki-ca u,u,u
Server-Cert cert-pki-ca u,u,u
ocspSigningCert cert-pki-ca u,u,u
caSigningCert cert-pki-ca CTu,Cu,Cu

stderr=
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
The IPA token internal doesn't match the certmonger token NSS Certificate DB.
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Starting external process
args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'caSigningCert cert-pki-ca', '-a', '-h', 'NSS Certificate DB', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
Process finished, return code=0
stdout=auditSigningCert cert-pki-ca u,u,Pu
subsystemCert cert-pki-ca u,u,u
Server-Cert cert-pki-ca u,u,u
ocspSigningCert cert-pki-ca u,u,u
caSigningCert cert-pki-ca CTu,Cu,Cu

stderr=
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
The IPA token internal doesn't match the certmonger token NSS Certificate DB.
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Starting external process
args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'Server-Cert cert-pki-ca', '-a', '-h', 'NSS Certificate DB', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
Process finished, return code=0
stdout=auditSigningCert cert-pki-ca u,u,Pu
subsystemCert cert-pki-ca u,u,u
Server-Cert cert-pki-ca u,u,u
ocspSigningCert cert-pki-ca u,u,u
caSigningCert cert-pki-ca CTu,Cu,Cu

stderr=
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
The IPA token internal doesn't match the certmonger token NSS Certificate DB.
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Starting external process
args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-IDM-SEMAT-GOV-SA', '-L', '-n', 'Server-Cert', '-a', '-h', 'NSS Certificate DB', '-f', '/etc/dirsrv/slapd-IDM-SEMAT-GOV-SA/pwdfile.txt']
Process finished, return code=0
stdout=Server-Cert u,u,u
IDM.SEMAT.GOV.SA IPA CA CT,C,C

stderr=
SUCCESS: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072903
ERROR: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072907: Request id 20240828072907: Unable to retrieve cert 'auditSigningCert cert-pki-ca' from '/etc/pki/pki-tomcat/alias': Unable to find certificate
ERROR: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072908: Request id 20240828072908: Unable to retrieve cert 'ocspSigningCert cert-pki-ca' from '/etc/pki/pki-tomcat/alias': Unable to find certificate
ERROR: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072909: Request id 20240828072909: Unable to retrieve cert 'subsystemCert cert-pki-ca' from '/etc/pki/pki-tomcat/alias': Unable to find certificate
ERROR: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072910: Request id 20240828072910: Unable to retrieve cert 'caSigningCert cert-pki-ca' from '/etc/pki/pki-tomcat/alias': Unable to find certificate
ERROR: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072911: Request id 20240828072911: Unable to retrieve cert 'Server-Cert cert-pki-ca' from '/etc/pki/pki-tomcat/alias': Unable to find certificate
ERROR: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072913: Request id 20240828072913: Unable to retrieve cert 'Server-Cert' from '/etc/dirsrv/slapd-IDM-SEMAT-GOV-SA': Unable to find certificate
SUCCESS: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072941
SUCCESS: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072946

@flo-renaud
Copy link
Contributor

flo-renaud commented Oct 21, 2024
edited
Loading

Hi,

the output is really strange because certutil -n nickname -a should display a certificate as ASCII, not the list of certs in the NSS database.
Can you provide the output of

# rpm -qa nss-tools

and

# dnf provides /usr/bin/certutil

@4gemenot
Copy link
Author

rpm -qa nss-tools
nss-tools-3.101.0-7.el9_2.x86_64

nss-tools-3.90.0-3.el9_2.x86_64 : Tools for the Network Security Services
Repo : rhel-9-for-x86_64-appstream-rpms
Matched from:
Filename : /usr/bin/certutil

@rcritten
Copy link
Collaborator

I think this is the behavior when asking for a certificate that isn't on the provided token name, in this case NSS Certificate DB

Are you in FIPS mode?

Can you provide the output of: modutil -list -dbdir sql:/etc/pki/pki-tomcat/alias

@4gemenot
Copy link
Author

update-crypto-policies --show
FIPS:AD-SUPPORT

@rcritten
Copy link
Collaborator

fips-mode-setup --check

@4gemenot
Copy link
Author

Let me send it tomorrow. I have left my work area. Let me have all the commands I need to run to provide more information for the troubleshooting.

@rcritten
Copy link
Collaborator

Another question. Was IPA installed while the server as in FIPS mode or was it put into FIPS mode some time after installation completed? One way to tell is to look for "has FIPS mode enabled on this operating system." in /var/log/ipaserver-install.log

@4gemenot
Copy link
Author

modutil -list -dbdir sql:/etc/pki/pki-tomcat/alias

Listing of PKCS #11 Modules

  1. NSS Internal PKCS Use ipaplatform to determine service status #11 Module
    uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.101
    slots: 1 slot attached
    status: loaded

    slot: NSS FIPS 140-2 User Private Key Services
    token: NSS FIPS 140-2 Certificate DB
    uri: pkcs11:token=NSS%20FIPS%20140-2%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. p11-kit-proxy
    library name: p11-kit-proxy.so
    uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
    slots: There are no slots attached to this module
    status: loaded

fips-mode-setup --check
FIPS mode is enabled.

I think after installation, I did the FIPS mode.

ipaserver-install.log

@rcritten
Copy link
Collaborator

Any keys generated prior to putting a system into FIPS mode are not compliant.

What ipa-healthcheck is running into, and you'll probably see this when the certificates go to renew, is that certmonger thinks the keys are on the token "NSS Certificate DB" which is the non-FIPS NSS token. So I think that renewal will fail.

My recommendation would be to disable FIPS on this system. If FIPS is required then you'd unfortunately need to re-install IPA from scratch. Sorry to be the bearer of bad news.

I'll try to create a check to test for this condition and provide a more useful message.

@4gemenot
Copy link
Author

Is enabling the FIPS required for AD integration? Do you have a procedure for smoothly integrating the IDM into Microsoft AD?

@rcritten
Copy link
Collaborator

FIPS is not required for AD. For setup information I'd refer you to the IdM documentation on docs.redhat.com.

@rcritten
Copy link
Collaborator

Related upstream freeIPA ticket https://pagure.io/freeipa/issue/7423

@4gemenot
Copy link
Author

I saw the ticket. Can you also add a warning and not allow enabling the FIPS if IPA is already installed? It should give a warning or will not allow it.

@rcritten
Copy link
Collaborator

Not allowing FIPS to be enabled is something outside of our control. What we may also do, in addition to any new healthcheck test I add, is to prevent IPA from starting if it detects this situation. That decision is not finalized.

@4gemenot
Copy link
Author

Thank you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@4gemenot @rcritten @flo-renaud