Hi,

Certmonger can provide information related to the certificates it's tracking (stored in a file or in an NSS database). In your case, the certificate nickname is "transportCert cert-pki-kra", and to know where it's stored you can run the following command:

# getcert list -n 'transportCert cert-pki-kra'
Number of certificates and requests being tracked: 12.
Request ID '20220201080534':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='transportCert cert-pki-kra',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='transportCert cert-pki-kra',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.TEST
subject: CN=KRA Transport Certificate,O=IPA.TEST
issued: 2022-02-01 08:04:27 UTC
expires: 2024-01-22 08:04:27 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-clientAuth
profile: caTransportCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "transportCert cert-pki-kra"
track: yes
auto-renew: yes

The above command shows that the certificate and the key are stored in /etc/pki/pki-tomcat/alias, which is an NSS database. In order to see the certificate details, you can use the certutil command (-L for displaying the cert, -d for the NSS DB path, -n for the cert nickname):
# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'transportCert cert-pki-kra'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11 (0xb)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=IPA.TEST"
        Validity:
            Not Before: Tue Feb 01 08:04:27 2022
            Not After : Mon Jan 22 08:04:27 2024
        Subject: "CN=KRA Transport Certificate,O=IPA.TEST"
[...]

If you want to see the output printed in ASCII format, simply add the -a option:
# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'transportCert cert-pki-kra' -a
-----BEGIN CERTIFICATE-----
MIID6zCCAlOgAwIBAgIBCzANBgkqhkiG9w0BAQsFADAzMREwDwYDVQQKDAhJUEEu
[...]
KLVH0hPJY7vzphBJtKtPTuEjyxYLrU9eKHNe8e7XPBd8/nA2qDAYS08eLIHBlek=
-----END CERTIFICATE-----


The ipa-healthcheck command compares the certificate with the value stored in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg in the directive ca.connector.KRA.transportCert.
So you need to figure out which cert you want to keep and then make everything consistent (both servers should use the same 'transportCert cert-pki-kra'). How to figure out which one? Well, if both are valid and not revoked, any choice would work; you can pick the one with the furthest expiration date.
If you need to manipulate the certs in the NSSDB, use the certutil command (with -D to remove a cert, -A to add a cert). Always make a backup of the directory /etc/pki/pki-tomcat/alias first; this way any certificate can be recovered in case of issues. You will need to restart PKI after changing the cert, with # systemctl restart pki-tomcatd@pki-tomcat

HTH,
flo
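
The comparison ipa-healthcheck performs, as an added example that is not part of the thread above: it exports the tracked cert with the same certutil -a command and checks it against the ca.connector.KRA.transportCert value in CS.cfg. It assumes the directive stores the certificate as the base64 DER body on a single line (the -a output with the PEM header, footer and line breaks removed); the --live switch and the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumption: the CS.cfg directive
# ca.connector.KRA.transportCert holds the base64 DER body on one line, i.e.
# the "certutil -L -a" output minus PEM armour and line breaks.

# Strip PEM armour and line breaks: stdin is PEM, stdout is one-line base64.
pem_to_b64() {
    sed -e '/^-----BEGIN CERTIFICATE-----$/d' \
        -e '/^-----END CERTIFICATE-----$/d' | tr -d '\r\n'
}

# Print the value of directive $1 from the CS.cfg file $2 (empty if absent).
cscfg_value() {
    sed -n "s/^$1=//p" "$2" | tr -d '\r\n'
}

# Compare the PEM file $1 with the transport cert recorded in CS.cfg $2.
# Returns 0 when they match, 1 when they differ or the PEM is empty.
transport_cert_matches() {
    nss_b64=$(pem_to_b64 < "$1")
    cfg_b64=$(cscfg_value ca.connector.KRA.transportCert "$2")
    if [ -n "$nss_b64" ] && [ "$nss_b64" = "$cfg_b64" ]; then
        return 0
    fi
    return 1
}

# Live run on a CA host (only when called with --live): export the tracked
# cert from the NSS DB shown by getcert and compare it with CS.cfg.
if [ "${1:-}" = "--live" ]; then
    tmp=$(mktemp)
    certutil -L -d /etc/pki/pki-tomcat/alias/ \
        -n 'transportCert cert-pki-kra' -a > "$tmp"
    if transport_cert_matches "$tmp" /var/lib/pki/pki-tomcat/conf/ca/CS.cfg; then
        echo "NSS DB and CS.cfg agree on 'transportCert cert-pki-kra'"
    else
        echo "MISMATCH: NSS DB cert differs from ca.connector.KRA.transportCert"
    fi
    rm -f "$tmp"
fi
```

Run it with --live on each master; the one reporting MISMATCH is the side whose NSS DB entry (or CS.cfg line) must be brought in line with the cert you decide to keep.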

On Mon, Jan 31, 2022 at 10:15 PM GH via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
I've got two ancient (3.1?) IPA servers that have been upgraded over time.  Last January things got really goofy with certificates and I got it all sorted.  However, now I've got an old issue creeping back in.  The 'transportCert cert-pki-kra' is mismatched between the CS.cfg and the tracked certificate.  This is a multi-master setup.  The signing master seems to be the one that's off.  It's tracking the updated original 'transportCert cert-pki-kra' certificate.  However, the "secondary" master is tracking a newly generated 'transportCert cert-pki-kra', which is also what both CS.cfg's are referencing.  Neither one of the certificates is expired.  Everything else seems to be in working order.  Here is ipa-healthcheck's only relevant error:

    "source": "ipahealthcheck.dogtag.ca",
    "kw": {
      "msg": "Certificate 'transportCert cert-pki-kra' does not match the value of ca.connector.KRA.transportCert in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
      "configfile": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
      "directive": "ca.connector.KRA.transportCert",
      "key": "transportCert cert-pki-kra"
    },

So, what should I copy where to get this sorted?  It seems like the updated original 'transportCert cert-pki-kra' should be copied into the CS.cfg and then manually scp the NSS files from "primary" to "secondary"?  What commands would you use to do this?  I've got a lot of commands noted and am beginning to get confused as to which ones should be used to get this sorted.  Thanks.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org