Bug 2224595 - ipa-healthcheck: error in DogtagCertsConnectivityCheckCA with external CA
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: ipa-healthcheck
Version: 9.2
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: Michal Polovka
URL:
Whiteboard:
Depends On: 2223942
Blocks:
Reported: 2023-07-21 15:31 UTC by Rob Crittenden
Modified: 2023-08-11 06:51 UTC (History)

Fixed In Version: ipa-healthcheck-0.12-4.el9
Doc Text:
Clone Of: 2223942
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FREEIPA-10179 0 None None None 2023-07-21 15:31:41 UTC
Red Hat Issue Tracker RHELPLAN-162986 0 None None None 2023-07-21 15:33:28 UTC

Description Rob Crittenden 2023-07-21 15:31:26 UTC
+++ This bug was initially created as a clone of Bug #2223942 +++

Description of problem:
After upgrade to RHEL 8.8, ipa-healthcheck provides the following error: Request failed with status 404: Non-2xx response from CA REST API: 404.

Version-Release number of selected component (if applicable):
ipa-healthcheck-0.12.1

How reproducible:
Always

Steps to Reproduce:
1. Installing a new IdM server on RHEL 8.8
2. Upgrading from RHEL 8.6 to 8.8
3. Execute the ipa-healthcheck

Actual results:
ra.get_certificate(): Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x2200000015b79a298d0e4b3b11000000000015 not found (404)
ERROR: ipahealthcheck.dogtag.ca.DogtagCertsConnectivityCheck.cert_show_1: Serial number not found: Certificate operation cannot be completed: Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x2200000015b79a298d0e4b3b11000000000015 not found (404)

Expected results:
The error should not be shown

Additional info:
It can be followed upstream in:
https://github.com/freeipa/freeipa-healthcheck/issues/285

This check will show, in order to validate that a CA and RA work, a well-known cert with serial number #1. The problem is that the IPA CA certificate was read to determine the serial number, and this doesn't work with externally issued certificates. This is our case: the well-known cert that it tried to read is an externally issued one, and it is not possible to find the number because it is random.

--- Additional comment from Rob Crittenden on 2023-07-19 14:00:28 UTC ---

Upstream PR: https://github.com/freeipa/freeipa-healthcheck/pull/286

--- Additional comment from Rob Crittenden on 2023-07-21 15:29:55 UTC ---

Fixed upstream in: 29855ec76bcb445543e1f2b16b13e5bcfeb67723
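
The failure mode from the description, as an added model (not code from ipa-healthcheck and not the upstream fix): a connectivity probe that takes its serial from the CA certificate succeeds for a self-signed CA and gets a 404 for an externally signed one. `IssuedCertStore`, `pick_probe`, the subject names and serial 7 are constructed assumptions; the large serial is the one quoted in the report.

```python
from dataclasses import dataclass
class CertNotFound(Exception):
    """Stands in for the CA REST API answering 404 for a serial."""

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int

class IssuedCertStore:
    """Constructed model: the certificates one CA has issued itself."""
    def __init__(self, ca_subject):
        self.ca_subject = ca_subject
        self._by_serial = {}
    def issue(self, subject, serial):
        cert = Cert(subject, self.ca_subject, serial)
        self._by_serial[serial] = cert
        return cert
    def cert_show(self, serial):
        if serial not in self._by_serial:
            raise CertNotFound(f"Certificate ID {serial:#x} not found (404)")
        return self._by_serial[serial]

def connectivity_check(store, probe):
    """'SUCCESS' if the CA returns the probe cert, 'ERROR' on a 404."""
    try:
        store.cert_show(probe.serial)
        return "SUCCESS"
    except CertNotFound:
        return "ERROR"

def pick_probe(ca_cert, candidates):
    """Assumed mitigation: probe only with a cert issued by this CA."""
    for cert in (ca_cert, *candidates):
        if cert.issuer == ca_cert.subject:
            return cert
    raise LookupError("no locally issued certificate to probe with")

def demo():
    ca_dn = "CN=Certificate Authority,O=EXAMPLE.TEST"  # constructed DN
    own = IssuedCertStore(ca_dn)
    self_signed_ca = own.issue(ca_dn, 1)  # self-signed: serial 1 is in its own store
    ext = IssuedCertStore(ca_dn)
    ext_ca = Cert(ca_dn, "CN=External Root,O=CORP.TEST",  # constructed issuer
                  0x2200000015b79a298d0e4b3b11000000000015)  # serial from the report
    ra = ext.issue("CN=IPA RA,O=EXAMPLE.TEST", 7)  # constructed, locally issued
    return (connectivity_check(own, self_signed_ca), connectivity_check(ext, ext_ca),
            connectivity_check(ext, pick_probe(ext_ca, [ra])))
```

`demo()` returns the three outcomes in order: self-signed CA probed with its own certificate, externally signed CA probed the same way, and externally signed CA probed with a locally issued certificate.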

Comment 1 Michal Polovka 2023-08-02 09:48:02 UTC
Pre-verified using RHEL9.3 machine with ipa-healthcheck-0.12-4.el9.noarch

# python3 -m pytest tests/test_dogtag_ca.py  -vvv
==================================================================================== test session starts =====================================================================================
platform linux -- Python 3.9.17, pytest-6.2.2, py-1.10.0, pluggy-0.13.1 -- /usr/bin/python3
cachedir: .pytest_cache
rootdir: /root/freeipa-healthcheck
collected 3 items                                                                                                                                                                            

tests/test_dogtag_ca.py::TestCACerts::test_ca_certs_ok PASSED                                                                                                                          [ 33%]
tests/test_dogtag_ca.py::TestCACerts::test_cacert_caless PASSED                                                                                                                        [ 66%]
tests/test_dogtag_ca.py::TestCACerts::test_cert_missing_from_file PASSED    

Automation passed, marking as pre-verified: tested.

Comment 4 Michal Polovka 2023-08-11 06:51:06 UTC
Verified using RHEL9.3 machine with ipa-healthcheck-0.12-4.el9.noarch and automation from tests/test_dogtag_connectivity.py 

# python3 -m pytest -vvv tests/test_dogtag_connectivity.py 
==================================================================================== test session starts =====================================================================================
platform linux -- Python 3.9.17, pytest-6.2.2, py-1.10.0, pluggy-0.13.1 -- /usr/bin/python3
cachedir: .pytest_cache
rootdir: /root/freeipa-healthcheck
collected 4 items                                                                                                                                                                            

tests/test_dogtag_connectivity.py::TestCAConnectivity::test_ca_connection_cert_file_not_found PASSED                                                                                   [ 25%]
tests/test_dogtag_connectivity.py::TestCAConnectivity::test_ca_connection_cert_not_found PASSED                                                                                        [ 50%]
tests/test_dogtag_connectivity.py::TestCAConnectivity::test_ca_connection_down PASSED                                                                                                  [ 75%]
tests/test_dogtag_connectivity.py::TestCAConnectivity::test_ca_connection_ok PASSED                                                                                                    [100%]

===================================================================================== 4 passed in 0.47s ======================================================================================

Marking as verified.

