error when the IPA is intialised with an extern CA #285
Comments
Hi @m3xiz The code is internally calling a command equivalent to |
It pulls the serial number of the root CA and tries to do a cert-show which will likely fail, or worse be a false positive, as the certificate doesn't exist in the local CA because it was issued externally. I think we should just skip this check when the CA issuer doesn't match the subject, as suggested. |
The serial number of externally-signed CAs was being checked using ipa-cert-find, which invariably would return a not found error. Instead return SUCCESS to effectively skip the check. Fixes: freeipa#285 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
The purpose of the check is to validate that communication with the CA works. In the past we looked up serial number 1 for this check. The problem is that if the server was installed with RSNv3 it had no predictable CA serial number. It also was broken with an externally-issued CA certificate, which cannot be looked up in IPA. Instead use the IPA RA agent certificate, which should definitely have a serial number in the IPA CA if one is configured. Fixes: freeipa#285 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
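As an added illustration of the serial-selection logic described in the commit message above (this is not ipa-healthcheck's own code and is not from the thread), the following Python models the three probe choices against a constructed in-memory CA. The certificate store, the cert_show() stand-in, the RA agent serial and the external root are all assumptions made for the example; only the IPA CA serial 0x6596a821b68c5857 is taken from the report below.

```python
from dataclasses import dataclass


class CertNotFound(Exception):
    """Constructed stand-in for the CA's 404 'Certificate ID 0x... not found' reply."""


class CAUnreachable(Exception):
    """Constructed stand-in for a transport failure talking to the CA REST API."""


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int


class FakeCA:
    """Constructed in-memory stand-in for the IPA (Dogtag) CA database.

    It only knows certificates the IPA CA itself issued.  A CA certificate
    signed by an external root is not in here, which is what the 404 in the
    report is about.
    """

    def __init__(self, issued, reachable=True):
        self._by_serial = {c.serial: c for c in issued}
        self._reachable = reachable

    def cert_show(self, serial):
        if not self._reachable:
            raise CAUnreachable("Non-2xx response from CA REST API: 503")
        try:
            return self._by_serial[serial]
        except KeyError:
            raise CertNotFound(f"Certificate ID {serial:#x} not found (404)") from None


# Constructed sample data.  The IPA CA serial is the one from the report;
# the external root and the RA agent serial are made-up values.
EXTERNAL_ROOT = Cert(subject="CN=Corp Root CA", issuer="CN=Corp Root CA", serial=0x10)
IPA_CA_CERT = Cert(subject="CN=Certificate Authority,O=EXAMPLE.TEST",
                   issuer="CN=Corp Root CA", serial=0x6596A821B68C5857)
RA_AGENT_CERT = Cert(subject="CN=IPA RA,O=EXAMPLE.TEST",
                     issuer=IPA_CA_CERT.subject, serial=0x2A1F9C03D4E5B6)


def is_self_signed(cert):
    """A self-signed IPA CA has issuer == subject.  An externally signed one
    does not, and then its own serial cannot be looked up in the IPA CA."""
    return cert.issuer == cert.subject


def legacy_probe_serial(ca_cert):
    """Pre-fix choice of serial to probe: the CA certificate's own serial.
    Fails for an externally signed CA (not in the IPA CA database).
    The older variant probed serial 1, which fails under RSNv3."""
    return ca_cert.serial


def probe_serial(ra_agent_cert):
    """Post-fix choice: the IPA RA agent certificate.  The IPA CA issued it
    itself, so it always has a serial in the IPA CA's database."""
    return ra_agent_cert.serial


def run_check(ca, serial):
    """Outcome of the connectivity check for one probe serial.  A transport
    failure and a not-found both surface as ERROR, so picking a serial that
    is guaranteed to exist is what keeps the check meaningful."""
    try:
        ca.cert_show(serial)
    except CertNotFound as e:
        return ("ERROR", f"Serial number not found: {e}")
    except CAUnreachable as e:
        return ("ERROR", f"Certificate operation cannot be completed: {e}")
    return ("SUCCESS", f"serial {serial:#x} found")


def example_ca(reachable=True):
    """IPA CA database for the scenario: under RSNv3 there is no serial 1,
    and the externally signed CA certificate itself is absent."""
    return FakeCA([RA_AGENT_CERT], reachable=reachable)


if __name__ == "__main__":
    ca = example_ca()
    print("self-signed IPA CA?   ", is_self_signed(IPA_CA_CERT))
    print("probe serial 1:       ", run_check(ca, 1))
    print("probe CA serial:      ", run_check(ca, legacy_probe_serial(IPA_CA_CERT)))
    print("probe RA agent serial:", run_check(ca, probe_serial(RA_AGENT_CERT)))
    print("CA down:              ", run_check(example_ca(reachable=False),
                                             probe_serial(RA_AGENT_CERT)))
```

Only the RA agent probe distinguishes "the CA is down" from "this serial was never issued by the IPA CA"; probing serial 1 or the CA's own serial reports an error in the healthy externally-signed case, which is the false positive the report describes.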
At installation time, IPA provided a certificate request and this one is signed by an external CA.
The healthcheck is producing this output:
ra.get_certificate(): Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x6596a821b68c5857 not found (404)
[
  {
    "source": "ipahealthcheck.dogtag.ca",
    "check": "DogtagCertsConnectivityCheck",
    "result": "ERROR",
    "uuid": "68600eea-1f78-4628-95f2-b3a5a8a4f8db",
    "when": "20230308105921Z",
    "duration": "0.165748",
    "kw": {
      "key": "cert_show_1",
      "error": "Certificate operation cannot be completed: Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x6596a821b68c5857 not found (404)",
      "serial": "7320223107087358039",
      "msg": "Serial number not found: {error}"
    }
  }
]
The missing certificate is the sub CA signed by the external CA. I believe this is not an error and this message should not be raised. The error is reproducible.