Bug 2223942 - ipa-healthcheck: error in DogtagCertsConnectivityCheckCA with external CA
Status: MODIFIED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa-healthcheck
Version: ---
Hardware: Unspecified
OS: Unspecified
Target Milestone: pre-dev-freeze
Assignee: Rob Crittenden
QA Contact: Michal Polovka
Blocks: 2224595
Reported: 2023-07-19 11:06 UTC by Josep
Modified: 2023-08-17 11:06 UTC

Fixed In Version: ipa-healthcheck-0.12-3.module+el8.9.0+19634+c162f948
: 2224595 (view as bug list)
Type: Bug

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | freeipa/freeipa-healthcheck/issues/285 | 0 | None | open | error when the IPA is intialised with an extern CA | 2023-07-19 14:00:27 UTC
Red Hat Issue Tracker | FREEIPA-10165 | 0 | None | None | None | 2023-07-19 11:10:14 UTC
Red Hat Issue Tracker | RHELPLAN-162723 | 0 | None | None | None | 2023-07-19 11:10:19 UTC
Red Hat Knowledge Base (Solution) | 7028256 | 0 | None | None | None | 2023-08-11 19:33:27 UTC

Description Josep 2023-07-19 11:06:27 UTC
Description of problem:
After upgrading to RHEL 8.8, ipa-healthcheck provides the following error: Request failed with status 404: Non-2xx response from CA REST API: 404.

Version-Release number of selected component (if applicable):
ipa-healthcheck-0.12.1

How reproducible:
Always

Steps to Reproduce:
1. Installing a new IdM server on RHEL 8.8
2. Upgrading from RHEL 8.6 to 8.8
3. Execute the ipa-healthcheck

Actual results:
ra.get_certificate(): Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x2200000015b79a298d0e4b3b11000000000015 not found (404)
ERROR: ipahealthcheck.dogtag.ca.DogtagCertsConnectivityCheck.cert_show_1: Serial number not found: Certificate operation cannot be completed: Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x2200000015b79a298d0e4b3b11000000000015 not found (404)

Expected results:
The error should not be shown.

Additional info:
It can be followed upstream in:
https://github.com/freeipa/freeipa-healthcheck/issues/285

To validate that the CA and RA work, this check will show a well-known cert with serial number #1. The problem is that the IPA CA certificate was read to determine the serial number, and this doesn't work with externally issued certificates. This is our case: the well-known cert that it tried to read is an externally issued one, and it is not possible to find the number because it is random.
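
An added example (not code from ipa-healthcheck or from anyone on this bug) that triages the reported output line: it flags the 404 as the external-CA symptom only when the missing Certificate ID is the IPA CA certificate's own serial and that certificate is not self-signed. The `classify` function, its verdict strings and the CA issuer and subject values are assumptions made for illustration.

```python
import re

# Human-readable ipa-healthcheck line as quoted in this report:
#   RESULT: source.check.key: message
LINE = re.compile(
    r"^(?P<result>[A-Z]+): (?P<source>[\w.]+)\.(?P<check>\w+)\.(?P<key>\w+): (?P<msg>.*)$"
)
CERT_ID = re.compile(r"Certificate ID (0x[0-9a-fA-F]+) not found \(404\)")


def classify(line, ca_serial_hex, ca_issuer, ca_subject):
    """Triage one output line against facts read from the IPA CA certificate.

    Returns "not-applicable", "external-ca-serial" or "investigate".
    """
    m = LINE.match(line.strip())
    if m is None or m.group("check") != "DogtagCertsConnectivityCheck":
        return "not-applicable"
    missing = CERT_ID.search(m.group("msg"))
    if m.group("result") != "ERROR" or missing is None:
        return "investigate"
    same_serial = int(missing.group(1), 16) == int(ca_serial_hex, 16)
    externally_signed = ca_issuer.strip() != ca_subject.strip()
    # The lookup used the CA certificate's own serial, but an externally signed
    # CA certificate was never issued by the IPA CA, so the 404 is expected.
    if same_serial and externally_signed:
        return "external-ca-serial"
    return "investigate"


# Line copied from the report above.
REPORTED = (
    "ERROR: ipahealthcheck.dogtag.ca.DogtagCertsConnectivityCheck.cert_show_1: "
    "Serial number not found: Certificate operation cannot be completed: "
    "Request failed with status 404: Non-2xx response from CA REST API: 404. "
    "Certificate ID 0x2200000015b79a298d0e4b3b11000000000015 not found (404)"
)
# Constructed CA certificate facts (hypothetical names), in the form printed by
# `openssl x509 -noout -serial -issuer -subject` on the IPA CA certificate.
CA_SERIAL = "2200000015B79A298D0E4B3B11000000000015"
CA_ISSUER = "CN=Example External Root CA"
CA_SUBJECT = "CN=Certificate Authority,O=EXAMPLE.TEST"

if __name__ == "__main__":
    print(classify(REPORTED, CA_SERIAL, CA_ISSUER, CA_SUBJECT))
```

An "investigate" verdict means the 404 does not match this pattern and CA/RA connectivity should be checked as a real failure.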

Comment 1 Rob Crittenden 2023-07-19 14:00:28 UTC
Upstream PR: https://github.com/freeipa/freeipa-healthcheck/pull/286

Comment 2 Rob Crittenden 2023-07-21 15:29:55 UTC
Fixed upstream in: 29855ec76bcb445543e1f2b16b13e5bcfeb67723

Comment 3 Michal Polovka 2023-08-11 07:49:44 UTC
Pre-verified using RHEL8.9 machine with ipa-healthcheck-0.12-3.module+el8.9.0+19634+c162f948.noarch 


# python3 -m pytest -vvv tests/test_dogtag_connectivity.py 
==================================================================================== test session starts =====================================================================================
platform linux -- Python 3.6.8, pytest-3.4.2, py-1.5.3, pluggy-0.6.0 -- /usr/bin/python3
cachedir: .pytest_cache
rootdir: /root/freeipa-healthcheck, inifile:
collected 4 items                                                                                                                                                                            

tests/test_dogtag_connectivity.py::TestCAConnectivity::test_ca_connection_cert_file_not_found PASSED                                                                                   [ 25%]
tests/test_dogtag_connectivity.py::TestCAConnectivity::test_ca_connection_cert_not_found PASSED                                                                                        [ 50%]
tests/test_dogtag_connectivity.py::TestCAConnectivity::test_ca_connection_down PASSED                                                                                                  [ 75%]
tests/test_dogtag_connectivity.py::TestCAConnectivity::test_ca_connection_ok PASSED                                                                                                    [100%]

================================================================================== 4 passed in 0.30 seconds ==================================================================================


Marking as verified: tested.

