Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1983060

Summary: ipa-healthcheck complains about pki.server.healthcheck errors even CA is not configured on the replica.
Product: Red Hat Enterprise Linux 8 Reporter: Prasad Kulkarni <pkulkarn>
Component: ipa-healthcheckAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.3CC: bthekkep, mpolovka, ndehadra, pcech, pvoborni, sumenon
Target Milestone: betaKeywords: Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ipa-healthcheck-0.7-8.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-10 14:08:44 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Prasad Kulkarni 2021-07-16 11:13:19 UTC 
Description of problem:
ipa-healthcheck complains about pki.server.healthcheck errors, even CA is not configured on the replica.

Version-Release number of selected component (if applicable):
pki-server-10.9.4-1.module+el8.3.0+8058+d5cd4219.noarch
ipa-server-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64

How reproducible: Always

Steps to Reproduce:

IPA server server3 IS NOT a IPA CA server but when I run ipa-healthcheck it complains about pki.server.healthcheck errors.

[root@server3 ~]# ipa-healthcheck --output-type=human --failures-only
CRITICAL: pki.server.healthcheck.certs.expiration.CASystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.expiration.KRASystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.expiration.OCSPSystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.expiration.TKSSystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.expiration.TPSSystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.trustflags.CASystemCertTrustFlagCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.trustflags.KRASystemCertTrustFlagCheck: Invalid PKI instance: pki-tomcat

Expected results: ipa-healthcheck should not complain about pki.server.healthcheck errors when CA is not configured.


Additional info: Found this upstream ticket -
pki-healthcheck generates errors when dogtag is not deployed 
https://github.com/dogtagpki/pki/issues/3316
Comment 1 Rob Crittenden 2021-07-16 12:09:54 UTC 
Can you provide the package version of ipa-healthcheck?
Comment 2 Prasad Kulkarni 2021-07-16 14:13:46 UTC 
(In reply to Rob Crittenden from comment #1)
> Can you provide the package version of ipa-healthcheck?

Hello,

Here is the version of ipa-healthcheck

ipa-healthcheck-0.4-6.module+el8.3.0+7710+e2408ce4.noarch
ipa-healthcheck-core-0.4-6.module+el8.3.0+7710+e2408ce4.noarch
Comment 3 Rob Crittenden 2021-07-16 14:59:29 UTC 
This was fixed upstream in 0.9 with ticket https://github.com/freeipa/freeipa-healthcheck/issues/201

master: 970ffd3198851dc24a981e98ba09dd8a18f95d1e

Ideally PKI would not return errors if it isn't installed but they are not willing to do that. 
This change skips registration of the PKI healthchecks if a local CA is not installed as a workaround.

It is an invasive change that would require a full rewrite to fix in 0.4 but a backport to 0.7 is possible.
Comment 6 Michal Polovka 2022-01-06 16:35:39 UTC 
Pre-verified manually using ipa-healthcheck-0.7-7.module+el8.6.0+12936+736896b2.noarch on RHEL8.6 machine.

1. generate certificate for CA-less installation in /tmp/nssdb/server.p12
2. ipa-server-install --http-cert-file /tmp/nssdb/server.p12 --dirsrv-cert-file /tmp/nssdb/server.p12 --http-pin Secret123 --dirsrv-pin Secret123 --domain dom-$(hostname -f) --realm DOM-$(hostname -f | tr '[:lower:]' '[:upper:]') -a Secret123 -p Secret123 --no-pkinit -U
3. ipa-healthcheck --output-type=human --failures-only
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
CRITICAL: pki.server.healthcheck.certs.expiration.CASystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.expiration.KRASystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.expiration.OCSPSystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.expiration.TKSSystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.expiration.TPSSystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.trustflags.CASystemCertTrustFlagCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.trustflags.KRASystemCertTrustFlagCheck: Invalid PKI instance: pki-tomcat
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._ldap.REDACTED: Expected SRV record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kerberos.REDACTED: Expected SRV record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kerberos.REDACTED: Expected SRV record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kerberos-master.REDACTED.: Expected SRV record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kerberos-master.REDACTED: Expected SRV record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kpasswd.REDACTED: Expected SRV record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kpasswd.REDACTED: Expected SRV record missing

Original issue still present, therefore marking as failed pre-verification. Automation in progress.
Comment 7 Rob Crittenden 2022-01-06 16:38:41 UTC 
It's an issue with the backport. I think a one-liner to fix.
Comment 8 Rob Crittenden 2022-01-06 18:02:38 UTC 
Fixed. Also included fix to suppress a false positive for the CRLManager check if the CA is not configured.
Comment 11 Michal Polovka 2022-01-13 12:37:12 UTC 
Changing back to Assigned as the new build is not available in tests composes. Also moving ITM 20 -> 21 to give space to create new build.
Comment 12 Rob Crittenden 2022-01-13 14:15:15 UTC 
The state of the BZ is not related to the state of the build. The build is done and passed gating. It landing in a compose is out of my control.
Comment 13 Michal Polovka 2022-01-14 15:42:54 UTC 
Pre-verified manually on RHEL8.6 machine with the latest compose and ipa-healthcheck-0.7-8.module+el8.6.0+13764+6ba37dc8.noarch


1. generate certificate for CA-less installation in /tmp/nssdb/server.p12
2. ipa-server-install --http-cert-file /tmp/nssdb/server.p12 --dirsrv-cert-file /tmp/nssdb/server.p12 --http-pin Secret123 --dirsrv-pin Secret123 --domain dom-$(hostname -f) --realm DOM-$(hostname -f | tr '[:lower:]' '[:upper:]') -a Secret123 -p Secret123 --no-pkinit -U
3. ipa-healthcheck --output-type=human --failures-only
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._ldap._tcp.REDACTED: Expected SRV record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kerberos._tcp.REDACTED: Expected SRV record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kerberos._udp.REDACTED: Expected SRV record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kerberos-master.REDACTED: Expected SRV record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kerberos-master._udp.REDACTED: Expected SRV record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kpasswd._tcp.REDACTED: Expected SRV record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kpasswd._udp.REDACTED: Expected SRV record missing


Original issue fixed, marking as pre-verified: tested.
Comment 14 Michal Polovka 2022-01-17 14:05:46 UTC 
Verified manually (automation pending) using RHEL8.6 machine with ipa-healthcheck-0.7-8.module+el8.6.0+13764+6ba37dc8.noarch

1. generate certificate for CA-less installation in /tmp/nssdb/server.p12
2. ipa-server-install --http-cert-file /tmp/nssdb/server.p12 --dirsrv-cert-file /tmp/nssdb/server.p12 --http-pin Secret123 --dirsrv-pin Secret123 --domain dom-$(hostname -f) --realm DOM-$(hostname -f | tr '[:lower:]' '[:upper:]') -a Secret123 -p Secret123 --no-pkinit -U
3. ipa-healthcheck --output-type=human --failures-only
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._ldap._tcp.REDACTED.: Expected SRV record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kerberos._tcp.REDACTED.: Expected SRV record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kerberos-master._tcp.REDACTED.: Expected SRV record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kerberos-master._udp.REDACTED.: Expected SRV record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kpasswd._tcp.REDACTED.: Expected SRV record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kpasswd._udp.REDACTED.: Expected SRV record missing

Original issue not present, therefore marking as verified. Automation is pending.
Comment 18 errata-xmlrpc 2022-05-10 14:08:44 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (idm:client and idm:DL1 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:1884