Bug 1983060 - ipa-healthcheck complains about pki.server.healthcheck errors even though the CA is not configured on the replica.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa-healthcheck
Version: 8.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: beta
Target Release: ---
Assignee: Rob Crittenden
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-07-16 11:13 UTC by Prasad Kulkarni
Modified: 2022-06-16 08:50 UTC (History)

Fixed In Version: ipa-healthcheck-0.7-8.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-10 14:08:44 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
Red Hat Issue Tracker FREEIPA-7046 (last updated 2021-10-06 22:22:35 UTC)
Red Hat Product Errata RHEA-2022:1884 (last updated 2022-05-10 14:09:05 UTC)

Description Prasad Kulkarni 2021-07-16 11:13:19 UTC
Description of problem:
ipa-healthcheck complains about pki.server.healthcheck errors, even though the CA is not configured on the replica.

Version-Release number of selected component (if applicable):
pki-server-10.9.4-1.module+el8.3.0+8058+d5cd4219.noarch
ipa-server-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64

How reproducible: Always

Steps to Reproduce:

IPA server server3 is not an IPA CA server, but when I run ipa-healthcheck it complains about pki.server.healthcheck errors.

[root@server3 ~]# ipa-healthcheck --output-type=human --failures-only
CRITICAL: pki.server.healthcheck.certs.expiration.CASystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.expiration.KRASystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.expiration.OCSPSystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.expiration.TKSSystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.expiration.TPSSystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.trustflags.CASystemCertTrustFlagCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.trustflags.KRASystemCertTrustFlagCheck: Invalid PKI instance: pki-tomcat

Expected results: ipa-healthcheck should not complain about pki.server.healthcheck errors when CA is not configured.


Additional info: Found this upstream ticket -
pki-healthcheck generates errors when dogtag is not deployed 
https://github.com/dogtagpki/pki/issues/3316

Comment 1 Rob Crittenden 2021-07-16 12:09:54 UTC
Can you provide the package version of ipa-healthcheck?

Comment 2 Prasad Kulkarni 2021-07-16 14:13:46 UTC
(In reply to Rob Crittenden from comment #1)
> Can you provide the package version of ipa-healthcheck?

Hello,

Here is the version of ipa-healthcheck:

ipa-healthcheck-0.4-6.module+el8.3.0+7710+e2408ce4.noarch
ipa-healthcheck-core-0.4-6.module+el8.3.0+7710+e2408ce4.noarch

Comment 3 Rob Crittenden 2021-07-16 14:59:29 UTC
This was fixed upstream in 0.9 with ticket https://github.com/freeipa/freeipa-healthcheck/issues/201

master: 970ffd3198851dc24a981e98ba09dd8a18f95d1e

Ideally PKI would not return errors if it isn't installed but they are not willing to do that. 
This change skips registration of the PKI healthchecks if a local CA is not installed as a workaround.

It is an invasive change that would require a full rewrite to fix in 0.4 but a backport to 0.7 is possible.
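
The gating described in comment 3, as an added illustration that is not freeipa-healthcheck's own code: checks declare whether they need a local CA, and the registry simply never registers CA-dependent checks on a CA-less server, so they cannot emit the "Invalid PKI instance" errors shown above (the CRLManager false positive from comment 8 would be gated the same way). The marker file, instance directory and the simulated check are assumptions.

```python
import os
from dataclasses import dataclass
from typing import Callable, List, Optional

# Hypothetical markers (assumptions, not from the page): a file that signals a
# locally configured CA, and the pki-tomcat instance directory the PKI checks need.
CA_CONFIG_PATH = "/etc/pki/pki-tomcat/ca/CS.cfg"
PKI_INSTANCE_DIR = "/var/lib/pki/pki-tomcat"

def local_ca_installed(marker: str = CA_CONFIG_PATH) -> bool:
    return os.path.exists(marker)   # True when a local Dogtag CA is configured

@dataclass
class Check:
    name: str                          # dotted name as printed by ipa-healthcheck
    run: Callable[[], Optional[str]]   # returns an error message, or None when OK
    requires_ca: bool = False          # PKI and CRL checks only make sense with a CA

class Registry:                        # collects checks; gates CA-dependent ones
    def __init__(self, ca_installed: bool) -> None:
        self.ca_installed = ca_installed
        self.checks: List[Check] = []
        self.skipped: List[str] = []

    def register(self, check: Check) -> bool:
        if check.requires_ca and not self.ca_installed:
            self.skipped.append(check.name)   # never registered, so never reported
            return False
        self.checks.append(check)
        return True

    def run_failures(self) -> List[str]:   # mirrors --failures-only output lines
        failures = []
        for check in self.checks:
            err = check.run()
            if err is not None:
                failures.append(f"CRITICAL: {check.name}: {err}")
        return failures

def pki_expiry_check(instance_dir: str = PKI_INSTANCE_DIR) -> Optional[str]:
    # Simulated PKI check: errors out when the pki-tomcat instance is absent.
    if not os.path.isdir(instance_dir):
        return "Invalid PKI instance: pki-tomcat"
    return None   # a real check would inspect system certificate expiry here

def healthcheck(ca_installed: bool, instance_dir: str = PKI_INSTANCE_DIR) -> List[str]:
    reg = Registry(ca_installed)
    reg.register(Check("pki.server.healthcheck.certs.expiration.CASystemCertExpiryCheck",
                       lambda: pki_expiry_check(instance_dir), requires_ca=True))
    return reg.run_failures()
```

Running `healthcheck(local_ca_installed())` on a CA-less replica returns no PKI failures, while on a CA server the check still runs and reports normally.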

Comment 6 Michal Polovka 2022-01-06 16:35:39 UTC
Pre-verified manually using ipa-healthcheck-0.7-7.module+el8.6.0+12936+736896b2.noarch on a RHEL 8.6 machine.

1. generate certificate for CA-less installation in /tmp/nssdb/server.p12
2. ipa-server-install --http-cert-file /tmp/nssdb/server.p12 --dirsrv-cert-file /tmp/nssdb/server.p12 --http-pin Secret123 --dirsrv-pin Secret123 --domain dom-$(hostname -f) --realm DOM-$(hostname -f | tr '[:lower:]' '[:upper:]') -a Secret123 -p Secret123 --no-pkinit -U
3. ipa-healthcheck --output-type=human --failures-only
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
CRITICAL: pki.server.healthcheck.certs.expiration.CASystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.expiration.KRASystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.expiration.OCSPSystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.expiration.TKSSystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.expiration.TPSSystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.trustflags.CASystemCertTrustFlagCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.trustflags.KRASystemCertTrustFlagCheck: Invalid PKI instance: pki-tomcat
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._ldap.REDACTED: Expected SRV record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kerberos.REDACTED: Expected SRV record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kerberos.REDACTED: Expected SRV record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kerberos-master.REDACTED.: Expected SRV record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kerberos-master.REDACTED: Expected SRV record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kpasswd.REDACTED: Expected SRV record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kpasswd.REDACTED: Expected SRV record missing

Original issue still present, therefore marking as failed pre-verification. Automation in progress.

Comment 7 Rob Crittenden 2022-01-06 16:38:41 UTC
It's an issue with the backport. I think a one-liner to fix.

Comment 8 Rob Crittenden 2022-01-06 18:02:38 UTC
Fixed. Also included fix to suppress a false positive for the CRLManager check if the CA is not configured.

Comment 11 Michal Polovka 2022-01-13 12:37:12 UTC
Changing back to Assigned as the new build is not available in test composes. Also moving ITM 20 -> 21 to give space to create the new build.

Comment 12 Rob Crittenden 2022-01-13 14:15:15 UTC
The state of the BZ is not related to the state of the build. The build is done and passed gating. Its landing in a compose is out of my control.

Comment 13 Michal Polovka 2022-01-14 15:42:54 UTC
Pre-verified manually on a RHEL 8.6 machine with the latest compose and ipa-healthcheck-0.7-8.module+el8.6.0+13764+6ba37dc8.noarch


1. generate certificate for CA-less installation in /tmp/nssdb/server.p12
2. ipa-server-install --http-cert-file /tmp/nssdb/server.p12 --dirsrv-cert-file /tmp/nssdb/server.p12 --http-pin Secret123 --dirsrv-pin Secret123 --domain dom-$(hostname -f) --realm DOM-$(hostname -f | tr '[:lower:]' '[:upper:]') -a Secret123 -p Secret123 --no-pkinit -U
3. ipa-healthcheck --output-type=human --failures-only
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._ldap._tcp.REDACTED: Expected SRV record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kerberos._tcp.REDACTED: Expected SRV record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kerberos._udp.REDACTED: Expected SRV record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kerberos-master.REDACTED: Expected SRV record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kerberos-master._udp.REDACTED: Expected SRV record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kpasswd._tcp.REDACTED: Expected SRV record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kpasswd._udp.REDACTED: Expected SRV record missing


Original issue fixed, marking as pre-verified: tested.

Comment 14 Michal Polovka 2022-01-17 14:05:46 UTC
Verified manually (automation pending) using a RHEL 8.6 machine with ipa-healthcheck-0.7-8.module+el8.6.0+13764+6ba37dc8.noarch

1. generate certificate for CA-less installation in /tmp/nssdb/server.p12
2. ipa-server-install --http-cert-file /tmp/nssdb/server.p12 --dirsrv-cert-file /tmp/nssdb/server.p12 --http-pin Secret123 --dirsrv-pin Secret123 --domain dom-$(hostname -f) --realm DOM-$(hostname -f | tr '[:lower:]' '[:upper:]') -a Secret123 -p Secret123 --no-pkinit -U
3. ipa-healthcheck --output-type=human --failures-only
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
Unhandler rdtype 256
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._ldap._tcp.REDACTED.: Expected SRV record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kerberos._tcp.REDACTED.: Expected SRV record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kerberos-master._tcp.REDACTED.: Expected SRV record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kerberos-master._udp.REDACTED.: Expected SRV record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kpasswd._tcp.REDACTED.: Expected SRV record missing
WARNING: ipahealthcheck.ipa.idns.IPADNSSystemRecordsCheck._kpasswd._udp.REDACTED.: Expected SRV record missing

Original issue not present, therefore marking as verified. Automation is pending.

Comment 18 errata-xmlrpc 2022-05-10 14:08:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (idm:client and idm:DL1 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:1884

