error when the IPA is intialised with an extern CA

[m3xiz]

At installation time, IPA provided a certificate request and this one is signed by an external CA. The heakthcheck is producing this output: ra.get_certificate(): Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x6596a821b68c5857 not found (404) [ { "source": "ipahealthcheck.dogtag.ca", "check": "DogtagCertsConnectivityCheck", "result": "ERROR", "uuid": "68600eea-1f78-4628-95f2-b3a5a8a4f8db", "when": "20230308105921Z", "duration": "0.165748", "kw": { "key": "cert_show_1", "error": "Certificate operation cannot be completed: Request failed with status 404: Non-2xx response from CA REST API: 404. Certificate ID 0x6596a821b68c5857 not found (404)", "serial": "7320223107087358039", "msg": "Serial number not found: {error}" } } ]

The missing certificate is the sub CA signed by the external CA. I believe this is not an error and this message should not be raised. The error is reproducable.

[flo-renaud]

Hi @m3xiz I was also able to reproduce the issue with the following packages: dogtag-pki-base-11.2.0-2.fc37.noarch freeipa-server-4.10.1-1.fc37.x86_64 freeipa-healthcheck-0.12-1.fc37.noarch

The code is internally calling a command equivalent to ipa cert-show <serial for IPA CA>, which ends up calling PKI rest API (GET /ca/rest/certs/<serial>) and PKI returns an error Certificate ID <serial> not found. We would need to check with PKI team if IPA CA should be visible through this call even when it's an externally-signed CA.

[rcritten]

It pulls the serial number of the root CA and tries to do a cert-show which will likely fail, or worse be a false positive, as the certificate doesn't exist in the local CA because it was issued externally.

I think we should just skip this check when the CA issuer doesn't match the subject, as suggested.

[rcritten]

https://github.com/freeipa/freeipa-healthcheck/pull/286