ipa --version
VERSION: 4.8.7
So I have no idea what actually happened, but today I can't log in to the FreeIPA web UI.
There are 3 instances; on the 2nd and 3rd I can log in. Sync is on and working.
I noticed that in the web UI it shows that the first certificate
CN=Certificate Authority,O=xx ipa REVOKED
Obviously I didn't revoke it.
ipa-getcert list shows only two certificates and none of them is the master.
getcert list shows more, and
this is the master cert; as you can see, the server was installed ~2 years ago.
Request ID '20201218102240':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=xxx
subject: CN=Certificate Authority,O=xxx
expires: 2039-12-16 13:38:03 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
CN=localhost... :facepalm:
This is, I guess, new (not really), and probably this was a ticking time bomb for quite some time.
Request ID '20210317111052':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca bd372c7d-62d0-469d-a107-da3b5a782c09',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca bd372c7d-62d0-469d-a107-da3b5a782c09',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=INT.O4.LT
subject: CN=localhost
expires: 2041-03-17 11:11:01 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
profile: caCACert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca bd372c7d-62d0-469d-a107-da3b5a782c09"
track: yes
auto-renew: yes
I have a bad feeling that it is because the hosts file is not cleared of localhost entries?
cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
ipa-healthcheck complains about
this is SUBCA caSigningCert cert-pki-ca 86623fac-5d11-4ac6-9972-ea80ef16f711 not found, assuming 3rd party
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertfileExpirationCheck",
"result": "ERROR",
"uuid": "a77e06d1-ee90-4574-8c68-750ec3f5d6bd",
"when": "20211124184538Z",
"duration": "0.366900",
"kw": {
"key": "20210317111052",
"dbdir": "/etc/pki/pki-tomcat/alias",
"nickname": "caSigningCert cert-pki-ca bd372c7d-62d0-469d-a107-da3b5a782c09",
"error": "Failed to get caSigningCert cert-pki-ca bd372c7d-62d0-469d-a107-da3b5a782c09",
"msg": "Unable to retrieve cert 'caSigningCert cert-pki-ca bd372c7d-62d0-469d-a107-da3b5a782c09' from '/etc/pki/pki-tomcat/alias': Failed to get caSigningCert cert-pki-ca bd372c7d-62d0-469d-a107-da3b5a782c09"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertTracking",
"result": "ERROR",
"uuid": "c8e78e6d-794c-41cb-a12f-f57d0dda23d6",
"when": "20211124184538Z",
"duration": "0.416846",
"kw": {
"key": "cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=caSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"caSigningCert cert-pki-ca\", template-profile=caCACert",
"msg": "Missing tracking for cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=caSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"caSigningCert cert-pki-ca\", template-profile=caCACert"
}
},
and more
Question: how can I fix this?
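As an added check (example code, not from the post or from FreeIPA's own tooling): a small Python script that parses `getcert list` output and flags CA signing cert tracking entries that look like the second one above (subject CN=localhost, subject different from issuer, or no entry left under the plain nickname that ipa-healthcheck expects). It assumes a self-signed IPA CA and runs on a constructed sample whose O= value is a placeholder.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the two tracking requests quoted in the post
# (O= is a placeholder; the nicknames and request IDs are the post's own).
SAMPLE = """\
Request ID '20201218102240':
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        issuer: CN=Certificate Authority,O=EXAMPLE.TEST
        subject: CN=Certificate Authority,O=EXAMPLE.TEST
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
Request ID '20210317111052':
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca bd372c7d-62d0-469d-a107-da3b5a782c09',token='NSS Certificate DB'
        issuer: CN=Certificate Authority,O=EXAMPLE.TEST
        subject: CN=localhost
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
"""
CA_NICK = "caSigningCert cert-pki-ca"  # the nickname ipa-healthcheck expects to be tracked


def parse_getcert_list(text: str) -> List[Dict[str, str]]:
    """Split `getcert list` output into one {field: value} dict per request."""
    reqs: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            reqs.append({"request_id": m.group(1)})
        elif reqs and ":" in line:
            key, _, value = line.strip().partition(":")  # split on the first colon only
            reqs[-1][key.strip()] = value.strip()
    return reqs


def audit_ca_signing_tracking(text: str) -> List[str]:
    """One finding per CA signing cert tracking entry that does not look like the self-signed IPA CA."""
    findings: List[str] = []
    tracked = set()
    for req in parse_getcert_list(text):
        m = re.search(r"nickname='([^']*)'", req.get("certificate", ""))
        nick = m.group(1) if m else ""
        if not nick.startswith(CA_NICK):
            continue  # only Dogtag CA signing cert entries are of interest here
        tracked.add(nick)
        rid, subj, iss = req["request_id"], req.get("subject", ""), req.get("issuer", "")
        if subj.startswith("CN=localhost"):
            findings.append(f"{rid}: {nick!r} has subject CN=localhost instead of the CA's own DN")
        if subj != iss:
            findings.append(f"{rid}: {nick!r} subject differs from issuer; expected only for an externally signed CA")
    if CA_NICK not in tracked:
        findings.append(f"no tracking request for {CA_NICK!r}; IPACertTracking will report it as missing")
    return findings
```

Feed it the real output with `audit_ca_signing_tracking(subprocess.check_output(["getcert", "list"], text=True))`; an empty list means none of the three conditions was seen.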