error when the IPA is intialised with an extern CA #285
Comments
|
Hi @m3xiz The code is internally calling a command equivalent to |
|
It pulls the serial number of the root CA and tries to do a cert-show which will likely fail, or worse be a false positive, as the certificate doesn't exist in the local CA because it was issued externally. I think we should just skip this check when the CA issuer doesn't match the subject, as suggested. |
The serial number of externally-signed CA's were being checked using ipa-cert-find which invariably would return a not found error. Instead return SUCCESS to effectively skip the check. Fixes: freeipa#285 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
The purpose of the check is to validate that communication with the CA works. In the past we looked up serial number 1 for this check. The problem is that if the server was installed with RSNv3 so had no predictable CA serial number. It also was broken with externally-issued CA certificate which cannot be looked up in IPA. Instead use the IPA RA agent certificate which should definitely have a serial number in the IPA CA if one is configured. Fixes: freeipa#285 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
The purpose of the check is to validate that communication with the CA works. In the past we looked up serial number 1 for this check. The problem is that if the server was installed with RSNv3 so had no predictable CA serial number. It also was broken with externally-issued CA certificate which cannot be looked up in IPA. Instead use the IPA RA agent certificate which should definitely have a serial number in the IPA CA if one is configured. Fixes: freeipa#285 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
The purpose of the check is to validate that communication with the CA works. In the past we looked up serial number 1 for this check. The problem is that if the server was installed with RSNv3 so had no predictable CA serial number. It also was broken with externally-issued CA certificate which cannot be looked up in IPA. Instead use the IPA RA agent certificate which should definitely have a serial number in the IPA CA if one is configured. Fixes: #285 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
At installation time, IPA provided a certificate request and this one is signed by an external CA.
The heakthcheck is producing this output:
ra.get_certificate(): Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x6596a821b68c5857 not found (404)
[
{
"source": "ipahealthcheck.dogtag.ca",
"check": "DogtagCertsConnectivityCheck",
"result": "ERROR",
"uuid": "68600eea-1f78-4628-95f2-b3a5a8a4f8db",
"when": "20230308105921Z",
"duration": "0.165748",
"kw": {
"key": "cert_show_1",
"error": "Certificate operation cannot be completed: Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x6596a821b68c5857 not found (404)",
"serial": "7320223107087358039",
"msg": "Serial number not found: {error}"
}
}
]
The missing certificate is the sub CA signed by the external CA. I believe this is not an error and this message should not be raised. The error is reproducable.
The text was updated successfully, but these errors were encountered: