Bug 1871188

Summary: HealthCheck for KRA certs failed.
Product: Red Hat Enterprise Linux 8
Reporter: Kaleem <ksiddiqu>
Component: pki-core
Assignee: RHCS Maintainers <rhcs-maint>
Status: CLOSED DUPLICATE
QA Contact: PKI QE <bugzilla-pkiqe>
Severity: unspecified
Priority: unspecified
Version: 8.3
CC: dmoluguw, rcritten
Target Milestone: rc
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Last Closed: 2020-08-21 15:33:12 UTC
Type: Bug

Description Kaleem 2020-08-21 14:16:37 UTC
Description of problem:

healthcheck for KRA sslserver/subsystem certs failing.

[root@master ~]# ipa-healthcheck --output-type json --failures-only
[
  {
    "source": "pki.server.healthcheck.meta.csconfig",
    "check": "KRADogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "b7fdb770-6c7d-4275-ab9a-6a928ce5966a",
    "when": "20200821131201Z",
    "duration": "0.053942",
    "kw": {
      "key": "kra_sslserver",
      "nickname": "Server-Cert cert-pki-ca",
      "directive": "kra.sslserver.cert",
      "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
      "msg": "Certificate 'Server-Cert cert-pki-ca' does not match the value of kra.sslserver.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
    }
  },
  {
    "source": "pki.server.healthcheck.meta.csconfig",
    "check": "KRADogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "c5c9a5c0-9972-4dd6-a879-1ecd22284398",
    "when": "20200821131201Z",
    "duration": "0.099739",
    "kw": {
      "key": "kra_subsystem",
      "nickname": "subsystemCert cert-pki-ca",
      "directive": "kra.subsystem.cert",
      "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
      "msg": "Certificate 'subsystemCert cert-pki-ca' does not match the value of kra.subsystem.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
    }
  }
]
[root@master ~]# 

Version-Release number of selected component (if applicable):
[root@master ~]# rpm -q ipa-server ipa-healthcheck
ipa-server-4.8.7-9.module+el8.3.0+7664+fa35cfe6.x86_64
ipa-healthcheck-0.4-4.module+el8.2.0+5489+95477d9f.noarch
[root@master ~]#

How reproducible:
Always

Steps to Reproduce:
1. Install KRA on IPA Server.
2. Run ipa-healthcheck

Actual results:
Checks for KRA certs failed

Expected results:
Checks for KRA certs should not fail

Additional info:

Comment 1 Dinesh Prasanth 2020-08-21 15:33:12 UTC

*** This bug has been marked as a duplicate of bug 1869893 ***

Comment 2 Dinesh Prasanth 2020-08-21 15:38:26 UTC
There is a side effect of some recent change that is preventing the
value of certs from being stored in KRA's CS.cfg... This was an
unintended change. So, the pki-healthcheck is correctly reporting the
error. We did some initial investigation on this and reported it in
the related BZ #1869893. Marking this as a DUPLICATE.
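
Added example, not part of the original report or of the pki-healthcheck code: a triage helper that takes ipa-healthcheck JSON output and the text of CS.cfg and reports, for each csconfig failure, whether the named directive is missing, empty, or present. The CS.cfg excerpt is constructed, and the function names and state labels are assumptions made for this illustration.

```python
import json

CSCONFIG_SOURCE = "pki.server.healthcheck.meta.csconfig"

# The two findings from the report above, trimmed to the fields used here.
SAMPLE_FINDINGS = json.dumps([
    {"source": CSCONFIG_SOURCE, "check": "KRADogtagCertsConfigCheck",
     "result": "ERROR",
     "kw": {"key": "kra_sslserver", "directive": "kra.sslserver.cert",
            "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg"}},
    {"source": CSCONFIG_SOURCE, "check": "KRADogtagCertsConfigCheck",
     "result": "ERROR",
     "kw": {"key": "kra_subsystem", "directive": "kra.subsystem.cert",
            "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg"}},
])

# Constructed CS.cfg excerpt (not from a real server): one directive is
# absent, the other is present with no value.
SAMPLE_CS_CFG = "# constructed sample\nkra.subsystem.cert=\n"


def parse_cs_cfg(text):
    """Parse CS.cfg 'name=value' lines; split on the first '=' only, so
    base64 values that end in '=' padding stay intact."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            cfg[name.strip()] = value.strip()
    return cfg


def triage(findings_json, cs_cfg_text):
    """Return (key, directive, state) for each failed csconfig finding.
    On a server, cs_cfg_text would be read from kw['configfile']."""
    cfg = parse_cs_cfg(cs_cfg_text)
    report = []
    for finding in json.loads(findings_json):
        kw = finding.get("kw", {})
        directive = kw.get("directive")
        if (finding.get("source") != CSCONFIG_SOURCE or not directive
                or finding.get("result") == "SUCCESS"):
            continue
        if directive not in cfg:
            state = "directive_missing"
        elif not cfg[directive]:
            state = "directive_empty"
        else:
            state = "value_present"  # stored value differs from the cert
        report.append((kw.get("key"), directive, state))
    return report
```

A result of directive_missing or directive_empty corresponds to the situation described in Comment 2, where the value was never stored; value_present means a value is stored and the mismatch needs to be investigated separately.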