Bug 2224595

Summary: ipa-healthcheck: error in DogtagCertsConnectivityCheckCA with external CA
Product: Red Hat Enterprise Linux 9
Reporter: Rob Crittenden <rcritten>
Component: ipa-healthcheck
Assignee: Rob Crittenden <rcritten>
Status: VERIFIED
QA Contact: Michal Polovka <mpolovka>
Severity: medium
Priority: unspecified
Version: 9.2
CC: davidsam, fcami, frenaud, ipa-qe, jfont
Target Milestone: rc
Keywords: Triaged
Hardware: All
OS: Linux
Fixed In Version: ipa-healthcheck-0.12-4.el9
Doc Type: If docs needed, set a value
Clone Of: 2223942
Type: Bug
Bug Depends On: 2223942

Description Rob Crittenden 2023-07-21 15:31:26 UTC
+++ This bug was initially created as a clone of Bug #2223942 +++

Description of problem:
After upgrade to RHEL 8.8, ipa-healthcheck reports the following error: Request failed with status 404: Non-2xx response from CA REST API: 404.

Version-Release number of selected component (if applicable):
ipa-healthcheck-0.12.1

How reproducible:
Always

Steps to Reproduce:
1. Install a new IdM server on RHEL 8.8
2. Upgrade from RHEL 8.6 to 8.8
3. Execute ipa-healthcheck

Actual results:
ra.get_certificate(): Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x2200000015b79a298d0e4b3b11000000000015 not found (404)
ERROR: ipahealthcheck.dogtag.ca.DogtagCertsConnectivityCheck.cert_show_1: Serial number not found: Certificate operation cannot be completed: Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x2200000015b79a298d0e4b3b11000000000015 not found (404)

Expected results:
The error should not be shown

Additional info:
It can be followed upstream in:
https://github.com/freeipa/freeipa-healthcheck/issues/285

To validate that the CA and RA work, this check looks up a well-known cert with serial number #1. The problem is that the IPA CA certificate was read to determine the serial number, and this doesn't work with externally issued certificates. This is our case: the well-known cert that it tried to read is an externally issued one, and it is not possible to find the number because it is random.

--- Additional comment from Rob Crittenden on 2023-07-19 14:00:28 UTC ---

Upstream PR: https://github.com/freeipa/freeipa-healthcheck/pull/286

--- Additional comment from Rob Crittenden on 2023-07-21 15:29:55 UTC ---

Fixed upstream in: 29855ec76bcb445543e1f2b16b13e5bcfeb67723
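
An added illustration of the failure mode described above; this is not code from freeipa-healthcheck, and it does not reproduce the upstream fix. The probe serial used by the connectivity check comes from the IPA CA certificate, and that serial is only present in Dogtag's own database when the IPA CA is self-signed. The snippet below uses a small stdlib-only DER reader to pull serial, issuer and subject from a certificate, treats issuer != subject as "externally signed", and in that case falls back to a caller-supplied serial of a certificate the IPA CA itself issued. Both sample certificates are constructed inline with dummy validity, key and signature fields; `build_certificate`, `choose_probe_serial` and its `fallback_serial` argument are assumptions of this example, not the project's API.

```python
# Added illustration (not freeipa-healthcheck code). Minimal DER helpers, stdlib only.
OID_CN = "2.5.4.3"
RSA_SHA256 = "1.2.840.113549.1.1.11"


def _len(n):
    # DER length: short form below 0x80, otherwise 0x8N followed by N bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + _len(len(content)) + content


def der_integer(value):
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def der_name(cn):
    # Name ::= SEQUENCE OF SET OF (OID, UTF8String); only a CN is emitted here
    return tlv(0x30, tlv(0x31, tlv(0x30, der_oid(OID_CN) + tlv(0x0C, cn.encode()))))


def build_certificate(serial, issuer_cn, subject_cn):
    # Constructed sample certificate: validity, SPKI and signature are empty dummies.
    tbs = tlv(0x30, b"".join([
        tlv(0xA0, der_integer(2)),              # [0] EXPLICIT version v3
        der_integer(serial),
        tlv(0x30, der_oid(RSA_SHA256)),         # signature AlgorithmIdentifier
        der_name(issuer_cn),
        tlv(0x30, b""),                         # validity (dummy)
        der_name(subject_cn),
        tlv(0x30, b""),                         # subjectPublicKeyInfo (dummy)
    ]))
    return tlv(0x30, tbs + tlv(0x30, der_oid(RSA_SHA256)) + tlv(0x03, b"\x00"))


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    pos, out = 0, []
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        out.append((tag, body))
    return out


def _decode_name(content):
    # Raw (oid, value) pairs are enough to compare issuer against subject.
    pairs = []
    for _, rdn in _children(content):        # each RDN is a SET
        for _, atv in _children(rdn):        # each AttributeTypeAndValue is a SEQUENCE
            (_, oid), (_, val) = _children(atv)
            pairs.append((oid, val))
    return tuple(pairs)


def parse_certificate(der):
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    fields = _children(_children(cert)[0][1])   # tbsCertificate
    if fields[0][0] == 0xA0:                     # skip optional [0] version
        fields = fields[1:]
    return {
        "serial": int.from_bytes(fields[0][1], "big", signed=True),
        "issuer": _decode_name(fields[2][1]),
        "subject": _decode_name(fields[4][1]),
    }


def is_self_signed(cert):
    return cert["issuer"] == cert["subject"]


def choose_probe_serial(ca_cert_der, fallback_serial):
    # A self-signed IPA CA certificate is expected to be the well-known serial 1 in
    # Dogtag's own database. An externally signed CA certificate carries the
    # external CA's (random) serial, which Dogtag does not hold, so asking the CA
    # REST API for it yields the 404 in the report. Assumption of this example:
    # the caller supplies the serial of a certificate the IPA CA itself issued.
    cert = parse_certificate(ca_cert_der)
    return cert["serial"] if is_self_signed(cert) else fallback_serial
```

Feeding `choose_probe_serial` a self-signed sample (`build_certificate(1, "Certificate Authority", "Certificate Authority")`) returns 1, while a sample signed by "External Root CA" with the serial from the report returns the fallback instead of the external serial that produced the 404.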

Comment 1 Michal Polovka 2023-08-02 09:48:02 UTC
Pre-verified using a RHEL 9.3 machine with ipa-healthcheck-0.12-4.el9.noarch

# python3 -m pytest tests/test_dogtag_ca.py  -vvv
==================================================================================== test session starts =====================================================================================
platform linux -- Python 3.9.17, pytest-6.2.2, py-1.10.0, pluggy-0.13.1 -- /usr/bin/python3
cachedir: .pytest_cache
rootdir: /root/freeipa-healthcheck
collected 3 items                                                                                                                                                                            

tests/test_dogtag_ca.py::TestCACerts::test_ca_certs_ok PASSED                                                                                                                          [ 33%]
tests/test_dogtag_ca.py::TestCACerts::test_cacert_caless PASSED                                                                                                                        [ 66%]
tests/test_dogtag_ca.py::TestCACerts::test_cert_missing_from_file PASSED    

Automation passed, marking as pre-verified: tested.

Comment 4 Michal Polovka 2023-08-11 06:51:06 UTC
Verified using a RHEL 9.3 machine with ipa-healthcheck-0.12-4.el9.noarch and the automation from tests/test_dogtag_connectivity.py

# python3 -m pytest -vvv tests/test_dogtag_connectivity.py 
==================================================================================== test session starts =====================================================================================
platform linux -- Python 3.9.17, pytest-6.2.2, py-1.10.0, pluggy-0.13.1 -- /usr/bin/python3
cachedir: .pytest_cache
rootdir: /root/freeipa-healthcheck
collected 4 items                                                                                                                                                                            

tests/test_dogtag_connectivity.py::TestCAConnectivity::test_ca_connection_cert_file_not_found PASSED                                                                                   [ 25%]
tests/test_dogtag_connectivity.py::TestCAConnectivity::test_ca_connection_cert_not_found PASSED                                                                                        [ 50%]
tests/test_dogtag_connectivity.py::TestCAConnectivity::test_ca_connection_down PASSED                                                                                                  [ 75%]
tests/test_dogtag_connectivity.py::TestCAConnectivity::test_ca_connection_ok PASSED                                                                                                    [100%]

===================================================================================== 4 passed in 0.47s ======================================================================================

Marking as verified.