Hide Forgot
Description of problem: 'ipa-healthcheck --failures-only' when run on newly installed ipa-server lists ERROR for IPACertTracking check Version-Release number of selected component (if applicable): [root@master ~]# cat /etc/redhat-release Red Hat Enterprise Linux release 8.2 Beta (Ootpa) [root@master ~]# rpm -q ipa-server ipa-server-4.8.2-1.module+el8.2.0+4697+7171660c.x86_64 How reproducible: Always Steps to Reproduce: 1. Install IPA Server and ipa-healthcheck 2. Run ipa-healthcheck --failures-only 3. Check the results. Actual results: [root@master ~]# ipa-healthcheck --failures-only [ { "source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking", "result": "ERROR", "uuid": "1a21e9ab-6b88-40b1-a279-d5c4607e192a", "when": "20191119130346Z", "duration": "0.303834", "kw": { "msg": "Missing tracking for cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=caSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"caSigningCert cert-pki-ca\", template-profile=None" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking", "result": "WARNING", "uuid": "486c5905-b00b-4b74-9250-c4ef00f7665d", "when": "20191119130346Z", "duration": "0.425676", "kw": { "key": "20191118100649", "msg": "Unknown certmonger id 20191118100649" } } ] Expected results: Logging this issue as bug, since the msg says that the tracking is missing for cert-database also there is a warning for unknown certmonger-id Additional info:
Reproduced, investigating.
Upstream issue https://github.com/freeipa/freeipa-healthcheck/issues/86
The set of certs to track is hardcoded in healthcheck and there are two problems in this: 1. The caSigningCert is duplicated, one with an empty template-profile and one with the caCACert profile. 2. There is an error in the second which adds the caCACert such that it will never get added. Drop this duplicated code and use the same call to retrieve the set of CA and KRA certs as the upgrade code.
https://github.com/freeipa/freeipa-healthcheck/pull/87
Fixed upstream: master: fb76216e534a0ec850357e6ed0daec3ba7a161f4
Steps to Reproduce: 1. Install IPA Server and ipa-healthcheck 2. Run ipa-healthcheck --failures-only 3. Check the results. Reproducer: [root@ci-vm-10-0-137-197 ~]# cat /etc/redhat-release Red Hat Enterprise Linux release 8.2 Beta (Ootpa) [root@ci-vm-10-0-137-197 ~]# rpm -q ipa-server ipa-healthcheck ipa-server-4.8.2-2.module+el8.2.0+4736+360582ce.x86_64 ipa-healthcheck-0.3-4.module+el8.1.0+4098+f286395e.noarch [root@ci-vm-10-0-137-197 ~]# ipa-healthcheck --failures-only [ { "source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking", "result": "ERROR", "uuid": "5736f224-0917-4f2f-9d80-b9a15f0e2d2f", "when": "20200224231758Z", "duration": "0.357015", "kw": { "msg": "Missing tracking for cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=caSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"caSigningCert cert-pki-ca\", template-profile=None" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking", "result": "WARNING", "uuid": "aea24076-a986-47cc-b78f-c04172d3af10", "when": "20200224231758Z", "duration": "0.487280", "kw": { "key": "20200224225723", "msg": "Unknown certmonger id 20200224225723" } } ] [root@ci-vm-10-0-137-197 ~]# Fix: [root@master ~]# rpm -q ipa-server ipa-healthcheck ipa-server-4.8.4-6.module+el8.2.0+5773+68ace8c5.x86_64 ipa-healthcheck-0.4-4.module+el8.2.0+5489+95477d9f.noarch [root@master ~]# cat /etc/redhat-release Red Hat Enterprise Linux release 8.2 Beta (Ootpa) [root@master ~]# [root@master ~]# ipa-healthcheck --failures-only Loading instance: pki-tomcat Loading global Tomcat config: /etc/tomcat/tomcat.conf Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf Loading password config: /etc/pki/pki-tomcat/password.conf Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat Loading subsystem: ca Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg Getting sslserver cert info for ca from CS.cfg Getting subsystem cert info for ca from CS.cfg Getting audit_signing cert info for ca from CS.cfg Getting ocsp_signing cert info for ca from CS.cfg Getting signing cert info for ca from CS.cfg [] Based on above observations marking Bugzilla verified.
upstream test case master: https://pagure.io/freeipa/c/3022bb5fd200ea3b22fb1600401e95aaee2006ea
ipa-4-8: https://pagure.io/freeipa/c/435e2bee19030756c8cdc3c809426bd2172c7ce5
Automated test passing in CI ------------------------------ Captured log call ------------------------------- transport.py 391 INFO RUN ['kinit', 'admin'] transport.py 513 DEBUG RUN ['kinit', 'admin'] transport.py 558 DEBUG Password for admin@TESTREALM.TEST: transport.py 217 DEBUG Exit code: 0 transport.py 391 INFO RUN ['ipa', 'domainlevel-get'] transport.py 513 DEBUG RUN ['ipa', 'domainlevel-get'] transport.py 558 DEBUG ----------------------- transport.py 558 DEBUG Current domain level: 1 transport.py 558 DEBUG ----------------------- transport.py 217 DEBUG Exit code: 0 transport.py 391 INFO RUN ['ipa-kra-install', '-U', '-p', 'Secret.123'] transport.py 513 DEBUG RUN ['ipa-kra-install', '-U', '-p', 'Secret.123'] transport.py 558 DEBUG /usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py:72: The SecurityDomainClient.get_security_domain_info() has been deprecated (https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes). transport.py 558 DEBUG /usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py:85: The DomainInfo.systems has been deprecated (https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes). transport.py 558 DEBUG transport.py 558 DEBUG =================================================================== transport.py 558 DEBUG This program will setup Dogtag KRA for the IPA Server. transport.py 558 DEBUG transport.py 558 DEBUG transport.py 558 DEBUG Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes transport.py 558 DEBUG [1/10]: configuring KRA instance transport.py 558 DEBUG [2/10]: create KRA agent transport.py 558 DEBUG [3/10]: enabling ephemeral requests transport.py 558 DEBUG [4/10]: restarting KRA transport.py 558 DEBUG [5/10]: configure certmonger for renewals transport.py 558 DEBUG [6/10]: configure certificate renewals transport.py 558 DEBUG [7/10]: configure HTTP to proxy connections transport.py 558 DEBUG [8/10]: add vault container transport.py 558 DEBUG [9/10]: apply LDAP updates transport.py 558 DEBUG [10/10]: enabling KRA instance transport.py 558 DEBUG Done configuring KRA server (pki-tomcatd). transport.py 558 DEBUG Restarting the directory server transport.py 558 DEBUG The ipa-kra-install command was successful transport.py 217 DEBUG Exit code: 0 __init__.py 261 INFO Adding master.testrealm.test:/var/log/dirsrv/slapd-TESTREALM-TEST/errors to list of logs to collect __init__.py 261 INFO Adding master.testrealm.test:/var/log/dirsrv/slapd-TESTREALM-TEST/access to list of logs to collect __init__.py 261 INFO Adding master.testrealm.test:/var/log/ipaserver-install.log to list of logs to collect __init__.py 261 INFO Adding master.testrealm.test:/var/log/ipaserver-uninstall.log to list of logs to collect __init__.py 261 INFO Adding master.testrealm.test:/var/log/ipaclient-install.log to list of logs to collect __init__.py 261 INFO Adding master.testrealm.test:/var/log/ipaclient-uninstall.log to list of logs to collect __init__.py 261 INFO Adding master.testrealm.test:/var/log/ipareplica-install.log to list of logs to collect __init__.py 261 INFO Adding master.testrealm.test:/var/log/ipareplica-conncheck.log to list of logs to collect __init__.py 261 INFO Adding master.testrealm.test:/var/log/ipareplica-ca-install.log to list of logs to collect __init__.py 261 INFO Adding master.testrealm.test:/var/log/ipaserver-kra-install.log to list of logs to collect __init__.py 261 INFO Adding master.testrealm.test:/var/log/ipa-custodia.audit.log to list of logs to collect __init__.py 261 INFO Adding master.testrealm.test:/var/log/ipaclient-uninstall.log to list of logs to collect __init__.py 261 INFO Adding master.testrealm.test:/var/log/iparestore.log to list of logs to collect __init__.py 261 INFO Adding master.testrealm.test:/var/log/ipabackup.log to list of logs to collect __init__.py 261 INFO Adding master.testrealm.test:/var/log/kadmind.log to list of logs to collect __init__.py 261 INFO Adding master.testrealm.test:/var/log/krb5kdc.log to list of logs to collect __init__.py 261 INFO Adding master.testrealm.test:/var/log/httpd/error_log to list of logs to collect __init__.py 261 INFO Adding master.testrealm.test:/var/log/pki/ to list of logs to collect __init__.py 261 INFO Adding master.testrealm.test:/var/log/audit/audit.log to list of logs to collect transport.py 391 INFO RUN ['ipa-healthcheck', '--output-type', 'json', '--failures-only'] transport.py 513 DEBUG RUN ['ipa-healthcheck', '--output-type', 'json', '--failures-only'] transport.py 558 DEBUG Loading instance: pki-tomcat transport.py 558 DEBUG Loading global Tomcat config: /etc/tomcat/tomcat.conf transport.py 558 DEBUG Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf transport.py 558 DEBUG Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf transport.py 558 DEBUG Loading password config: /etc/pki/pki-tomcat/password.conf transport.py 558 DEBUG Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat transport.py 558 DEBUG Loading subsystem: ca transport.py 558 DEBUG Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg transport.py 558 DEBUG Loading subsystem: kra transport.py 558 DEBUG Loading subsystem config: /var/lib/pki/pki-tomcat/kra/conf/CS.cfg transport.py 558 DEBUG Getting sslserver cert info for ca from CS.cfg transport.py 558 DEBUG Getting subsystem cert info for ca from CS.cfg transport.py 558 DEBUG Getting audit_signing cert info for ca from CS.cfg transport.py 558 DEBUG Getting ocsp_signing cert info for ca from CS.cfg transport.py 558 DEBUG Getting signing cert info for ca from CS.cfg transport.py 558 DEBUG Getting transport cert info for kra from CS.cfg transport.py 558 DEBUG Getting storage cert info for kra from CS.cfg transport.py 558 DEBUG Getting audit_signing cert info for kra from CS.cfg transport.py 558 DEBUG [] transport.py 217 DEBUG Exit code: 0
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2020:1640