Hi,
Certmonger can provide information related to the certificates it's tracking (stored in a file or in an NSS database). In your case, the certificate nickname is "transportCert cert-pki-kra", and to know where it's stored you can run the following command:
# getcert list -n 'transportCert cert-pki-kra'
Number of certificates and requests being tracked: 12.
Request ID '20220201080534':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,*location='/etc/pki/pki-tomcat/alias'*,nickname='transportCert cert-pki-kra',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,*location='/etc/pki/pki-tomcat/alias'*,nickname='transportCert cert-pki-kra',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.TEST
        subject: CN=KRA Transport Certificate,O=IPA.TEST
        issued: 2022-02-01 08:04:27 UTC
        expires: 2024-01-22 08:04:27 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-clientAuth
        profile: caTransportCert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "transportCert cert-pki-kra"
        track: yes
        auto-renew: yes
The above command shows that the certificate and the key are stored in /etc/pki/pki-tomcat/alias, which is an NSS database. In order to see the certificate details, you can use the certutil command (-L for displaying the cert, -d for the NSS DB path, -n for the cert nickname):

# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'transportCert cert-pki-kra'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11 (0xb)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=IPA.TEST"
        Validity:
            Not Before: Tue Feb 01 08:04:27 2022
            Not After : Mon Jan 22 08:04:27 2024
        Subject: "CN=KRA Transport Certificate,O=IPA.TEST"
[...]
If you want to see the output printed in ASCII format, simply add the -a option:

# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'transportCert cert-pki-kra' -a
-----BEGIN CERTIFICATE-----
MIID6zCCAlOgAwIBAgIBCzANBgkqhkiG9w0BAQsFADAzMREwDwYDVQQKDAhJUEEu
[...]
KLVH0hPJY7vzphBJtKtPTuEjyxYLrU9eKHNe8e7XPBd8/nA2qDAYS08eLIHBlek=
-----END CERTIFICATE-----
The ipa-healthcheck command compares the certificate with the value stored in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg in the directive ca.connector.KRA.transportCert. So you need to figure out which cert you want to keep and then make everything consistent (both servers should use the same 'transportCert cert-pki-kra'). How to figure out which one? Well, if both are valid and not revoked, any choice would work; you can pick the one with the furthest expiration date.

If you need to manipulate the certs in the NSSDB, use the certutil command (with -D to remove a cert, -A to add a cert). Always make a backup of the directory /etc/pki/pki-tomcat/alias first; this way any certificate can be recovered in case of issues. You will need to restart PKI after changing the cert, with

# systemctl restart pki-tomcatd@pki-tomcat
HTH, flo
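As an added illustration of the comparison flo describes (this is my own example, not code from the thread, from FreeIPA or from ipa-healthcheck), the script below extracts the base64 body of the certificate that `certutil -L -a` prints from the NSS database and compares it with the ca.connector.KRA.transportCert line in CS.cfg. It assumes the directive stores the certificate as a single-line base64 DER string with no PEM headers; the PEM and CS.cfg snippets embedded in it are constructed placeholders, not real certificates, and the function names and the check_live_server helper are my own. Run the bottom section on a server as root to see whether the NSSDB and CS.cfg agree before you start moving certificates around.

```python
"""Compare the KRA transport certificate in an NSS database with CS.cfg.

Added example, not FreeIPA or ipa-healthcheck code. Assumption: the CS.cfg
directive holds the certificate as one-line base64 DER (no PEM headers), so
stripping the PEM armour from certutil's output makes the two comparable.
"""
import base64
import re
import subprocess
from typing import Optional

# Paths and names taken from the thread; constructed sample data lives below.
CS_CFG = "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
NSSDB = "/etc/pki/pki-tomcat/alias"
NICK = "transportCert cert-pki-kra"
DIRECTIVE = "ca.connector.KRA.transportCert"


def pem_body(pem_text: str) -> str:
    """Return the base64 body of the first certificate in a PEM blob,
    headers and whitespace removed, canonicalised through a decode/encode
    round trip so padding differences cannot cause a false mismatch."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate found in input")
    body = "".join(m.group(1).split())
    return base64.b64encode(base64.b64decode(body, validate=True)).decode()


def cs_cfg_value(cfg_text: str, directive: str) -> Optional[str]:
    """Look up a key=value directive in CS.cfg (Java-properties style).
    Returns None when the directive is absent."""
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == directive:
            return "".join(value.split())
    return None


def transport_cert_matches(pem_text: str, cfg_text: str,
                           directive: str = DIRECTIVE) -> bool:
    """True when the certificate from the NSSDB equals the CS.cfg value."""
    configured = cs_cfg_value(cfg_text, directive)
    if configured is None:
        return False
    return pem_body(pem_text) == configured


def check_live_server() -> bool:
    """Run the real comparison on an IPA server (needs certutil and root).
    Hypothetical helper; it only reads, it changes nothing."""
    pem = subprocess.run(
        ["certutil", "-L", "-d", NSSDB, "-n", NICK, "-a"],
        check=True, capture_output=True, text=True).stdout
    with open(CS_CFG) as fh:
        return transport_cert_matches(pem, fh.read())


# Constructed sample data: fake DER bytes, not a real certificate.
SAMPLE_DER = b"constructed fake DER bytes for the transport cert example"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(SAMPLE_B64[i:i + 64]
                          for i in range(0, len(SAMPLE_B64), 64))
              + "\n-----END CERTIFICATE-----\n")
# CS.cfg that agrees with the NSSDB, and one that still holds an older cert.
SAMPLE_CFG_OK = f"ca.connector.KRA.enable=true\n{DIRECTIVE}={SAMPLE_B64}\n"
SAMPLE_CFG_STALE = (f"{DIRECTIVE}="
                    + base64.b64encode(b"an older transport cert").decode()
                    + "\n")

if __name__ == "__main__":
    print("consistent config:", transport_cert_matches(SAMPLE_PEM, SAMPLE_CFG_OK))
    print("stale config:", transport_cert_matches(SAMPLE_PEM, SAMPLE_CFG_STALE))
    # On a real server, uncomment to compare the live NSSDB and CS.cfg:
    # print("live server consistent:", check_live_server())
```

Running it against the constructed samples prints True for the consistent config and False for the stale one; on a server, a False from check_live_server() on one master and True on the other is exactly the split described in the thread, and tells you which side still needs the NSSDB or CS.cfg updated.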
On Mon, Jan 31, 2022 at 10:15 PM GH via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
I've got two ancient (3.1?) IPA servers that have been upgraded over time. Last January things got really goofy with certificates and I got it all sorted. However, now I've got an old issue creeping back in. The 'transportCert cert-pki-kra' is mismatched between the CS.cfg and the tracked certificate. This is a multi-master setup. The signing master seems to be the one that's off. It's tracking the updated original 'transportCert cert-pki-kra' certificate. However, the "secondary" master is tracking a newly generated 'transportCert cert-pki-kra', which is also what both CS.cfg's are referencing. Neither one of the certificates is expired. Everything else seems to be in working order. Here is ipa-healthcheck's only relevant error:
  "source": "ipahealthcheck.dogtag.ca",
  "kw": {
    "msg": "Certificate 'transportCert cert-pki-kra' does not match the value of ca.connector.KRA.transportCert in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
    "configfile": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
    "directive": "ca.connector.KRA.transportCert",
    "key": "transportCert cert-pki-kra"
  },
So, what should I copy where to get this sorted? It seems like the updated original 'transportCert cert-pki-kra' should be copied into the CS.cfg and then manually scp the NSS files from "primary" to "secondary"? What commands would you use to do this? I've got a lot of commands noted and am beginning to get confused as to which ones should be used to get this sorted. Thanks.

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure