[RFE] Check for certs in stuck status #123
Comments
I guess that if I didn't fix this problem then
Thanks for the suggestion, I think this has value even if another check would eventually notice.
Yes - the user gets a notification immediately rather than 28 days before expiry.
In this particular case I guess I'm surprised that an issue about unexpected cert tracking and a missing cert wasn't raised since the pinfile wasn't included. I'll also look at that code, perhaps the pin isn't considered in that check.
Dear, I also had an issue with "stuck" certificates. I stopped tracking this cert with ipa-getcert stop-tracking -i XXX. Then I started tracking them again, specifying the password file:

getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' -p /etc/pki/pki-tomcat/alias/pwdfile.txt -c dogtag-ipa-ca-renew-agent -B /usr/libexec/ipa/certmonger/stop_pkicad -C /usr/libexec/ipa/certmonger/renew_ca_cert 'caSigningCert cert-pki-ca'
getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca' -p /etc/pki/pki-tomcat/alias/pwdfile.txt -c dogtag-ipa-ca-renew-agent -B /usr/libexec/ipa/certmonger/stop_pkicad -C /usr/libexec/ipa/certmonger/renew_ca_cert 'auditSigningCert cert-pki-ca'
getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'ocspSigningCert cert-pki-ca' -p /etc/pki/pki-tomcat/alias/pwdfile.txt -c dogtag-ipa-ca-renew-agent -B /usr/libexec/ipa/certmonger/stop_pkicad -C /usr/libexec/ipa/certmonger/renew_ca_cert 'ocspSigningCert cert-pki-ca'
getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -p /etc/pki/pki-tomcat/alias/pwdfile.txt -c dogtag-ipa-ca-renew-agent -B /usr/libexec/ipa/certmonger/stop_pkicad -C /usr/libexec/ipa/certmonger/renew_ca_cert 'subsystemCert cert-pki-ca'

After that, all the certs are in "MONITORING" status.

Request ID '20200715122055':

But I still have an issue with ipa-healthcheck:

ipa-healthcheck --failures-only --output-type human
ERROR: ipahealthcheck.ipa.certs.IPACertTracking.cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=auditSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca", template-profile=caSignedLogCert: Missing tracking for cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=auditSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca", template-profile=caSignedLogCert

Can anyone help?

sudo journalctl -xe -t certmonger
Jul 17 10:44:23 ipa2.example.com certmonger[1131]: 2020-07-17 10:44:23 [1993770] Token is named "NSS Generic Crypto Services", not "NSS Certificate DB", skipping.
Your tracking is still not set up properly. You can try running ipa-server-upgrade which may well fix it. You'd need to use getcert list -i to see what those unknown certs are but in all likelihood they are the ones with bad tracking.
@rcritten Thank you for your useful answer. It solves my issue. |
These may be caught already by other checks if the tracking is configured incorrectly but it's a belt-and-suspenders approach to ensure that the certificates have been issued properly. Fixes: freeipa#123 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
I noticed one of the certs on a CentOS 8 server got stuck:

ipahealthcheck.ipa.certs doesn't complain about this. It would be useful if the module checked for the stuck status of each certificate request.
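As an added example (not code from freeipa-healthcheck or certmonger), here is a small Python check in the spirit of the one requested in this issue. It parses the output of getcert list and reports two things: requests that certmonger marks as stuck or that are not in MONITORING status, which is the check asked for above, and expected CA subsystem certs that have no tracking request at all, which is the "Missing tracking" failure from the ipa-healthcheck output in the thread. The sample output, its request IDs and dates, and the expected-tracking table are constructed for the example; the field layout follows the real getcert list format, but the real healthcheck derives the expected list from the installed configuration rather than a hard-coded table.

```python
"""Flag stuck or untracked certmonger requests from `getcert list` output.

Added example, not part of freeipa-healthcheck or certmonger. The sample
below is constructed (hypothetical request IDs and dates) but follows the
real `getcert list` layout: a "Request ID" header, then tab-indented
"field: value" lines.
"""
import re
from typing import Dict, List, Set, Tuple

SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20200715122055':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\texpires: 2022-07-05 12:20:55 UTC
\ttrack: yes
Request ID '20200715122056':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\texpires: 2022-07-05 12:20:56 UTC
\ttrack: yes
Request ID '20200715122057':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\texpires: 2022-07-05 12:20:57 UTC
\ttrack: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
FIELD_RE = re.compile(r"^\s+([^:]+): (.*)$")
NSSDB_RE = re.compile(r"location='([^']*)',nickname='([^']*)'")

# (database, nickname) pairs a FreeIPA CA is expected to track: the four CA
# subsystem certs from the thread. Constructed for the example; the real
# check builds this from the installed configuration.
EXPECTED_TRACKING: Set[Tuple[str, str]] = {
    ("/etc/pki/pki-tomcat/alias", "caSigningCert cert-pki-ca"),
    ("/etc/pki/pki-tomcat/alias", "auditSigningCert cert-pki-ca"),
    ("/etc/pki/pki-tomcat/alias", "ocspSigningCert cert-pki-ca"),
    ("/etc/pki/pki-tomcat/alias", "subsystemCert cert-pki-ca"),
}


def parse_getcert_list(text: str) -> Dict[str, Dict[str, str]]:
    """Map each request ID to its field/value pairs."""
    requests: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return requests


def find_stuck(requests: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """(request ID, status) for requests certmonger reports as stuck.

    certmonger prints 'stuck: yes' when a request cannot progress on its own;
    a tracked cert whose status is not MONITORING is reported too, so the
    admin hears about it now rather than at the 28-days-to-expiry warning.
    """
    return [
        (rid, fields.get("status", "UNKNOWN"))
        for rid, fields in sorted(requests.items())
        if fields.get("stuck") == "yes" or fields.get("status") != "MONITORING"
    ]


def find_missing_tracking(requests: Dict[str, Dict[str, str]],
                          expected: Set[Tuple[str, str]] = EXPECTED_TRACKING
                          ) -> List[Tuple[str, str]]:
    """Expected (database, nickname) pairs with no tracking request at all."""
    tracked: Set[Tuple[str, str]] = set()
    for fields in requests.values():
        m = NSSDB_RE.search(fields.get("certificate", ""))
        if m:
            tracked.add((m.group(1), m.group(2)))
    return sorted(expected - tracked)


def check(text: str) -> Dict[str, list]:
    """Run both checks over one `getcert list` dump."""
    requests = parse_getcert_list(text)
    return {"stuck": find_stuck(requests),
            "missing": find_missing_tracking(requests)}


if __name__ == "__main__":
    # On a real server, feed the live output instead of the sample, e.g.
    # subprocess.run(["getcert", "list"], capture_output=True, text=True).stdout
    for kind, items in check(SAMPLE_GETCERT_LIST).items():
        for item in items:
            print(f"ERROR {kind}: {item}")
```

On the constructed sample the stuck check reports request 20200715122056 (status CA_UNREACHABLE, stuck: yes) and the tracking check reports caSigningCert cert-pki-ca as untracked, which is the situation the thread describes: a cert can be re-tracked by hand and show MONITORING, while another expected one still has no request at all.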