Bug 2223942

Summary: ipa-healtcheck: error in DogtagCertsConnectivityCheckCA with external CA
Product: Red Hat Enterprise Linux 8 Reporter: Josep <jfont>
Component: ipa-healthcheckAssignee: Rob Crittenden <rcritten>
Status: MODIFIED --- QA Contact: Michal Polovka <mpolovka>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: ---CC: davidsam, fcami, frenaud, gkaihoro, jfont, mpolovka, rjeffman, vmishra
Target Milestone: pre-dev-freezeKeywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-healthcheck-0.12-3.module+el8.9.0+19634+c162f948 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2224595 (view as bug list) Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2224595    

Description Josep 2023-07-19 11:06:27 UTC 
Description of problem:
After upgrade to RHEL 8.8 ipa-healtcheck provide the following error: Request failed with status 404: Non-2xx response from CA REST API: 404.

Version-Release number of selected component (if applicable):
ipa-healtcheck-0.12.1

How reproducible:
Always

Steps to Reproduce:
1. Installing a new IdM server on RHEL 8.8
2. Upgrading from RHEL 8.6 to 8.8
3. Execute the ipa-healthcheck

Actual results:
ra.get_certificate(): Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x2200000015b79a298d0e4b3b11000000000015 not found (404)
ERROR: ipahealthcheck.dogtag.ca.DogtagCertsConnectivityCheck.cert_show_1: Serial number not found: Certificate operation cannot be completed: Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x2200000015b79a298d0e4b3b11000000000015 not found (404)

Expected results:
The error should not be showed

Additional info:
It can be followed upstream in:
https://github.com/freeipa/freeipa-healthcheck/issues/285

This check will show in order to validate that a CA and RA works a well-known cert with serial number #1. The problem resides in the IPA CA Certificate was read to determine the serial number, and this doesn't work with externally issued certificates. This is our case, the well known-cert that tried to read is an externally issued one, and is not possible to find the number because is random.
Comment 1 Rob Crittenden 2023-07-19 14:00:28 UTC 
Upstream PR: https://github.com/freeipa/freeipa-healthcheck/pull/286
Comment 2 Rob Crittenden 2023-07-21 15:29:55 UTC 
Fixed upstream in: 29855ec76bcb445543e1f2b16b13e5bcfeb67723
Comment 3 Michal Polovka 2023-08-11 07:49:44 UTC 
Pre-verified using RHEL8.9 machine with ipa-healthcheck-0.12-3.module+el8.9.0+19634+c162f948.noarch 


# python3 -m pytest -vvv tests/test_dogtag_connectivity.py 
==================================================================================== test session starts =====================================================================================
platform linux -- Python 3.6.8, pytest-3.4.2, py-1.5.3, pluggy-0.6.0 -- /usr/bin/python3
cachedir: .pytest_cache
rootdir: /root/freeipa-healthcheck, inifile:
collected 4 items                                                                                                                                                                            

tests/test_dogtag_connectivity.py::TestCAConnectivity::test_ca_connection_cert_file_not_found PASSED                                                                                   [ 25%]
tests/test_dogtag_connectivity.py::TestCAConnectivity::test_ca_connection_cert_not_found PASSED                                                                                        [ 50%]
tests/test_dogtag_connectivity.py::TestCAConnectivity::test_ca_connection_down PASSED                                                                                                  [ 75%]
tests/test_dogtag_connectivity.py::TestCAConnectivity::test_ca_connection_ok PASSED                                                                                                    [100%]

================================================================================== 4 passed in 0.30 seconds ==================================================================================


Marking as verified: tested.