freeipa / freeipa-healthcheck

Check the health of a freeIPA installation
GNU General Public License v3.0

running ipa-healthcheck --failures-only on newly installed ipa-server lists ERROR for IPACertfileExpirationCheck #342

Open 4gemenot opened 3 weeks ago

4gemenot commented 3 weeks ago

I'm getting a list of "Unable to find certificate" errors.

ERROR: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072907: Request id 20240828072907: Unable to retrieve cert 'auditSigningCert cert-pki-ca' from '/etc/pki/pki-tomcat/alias': Unable to find certificate
ERROR: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072908: Request id 20240828072908: Unable to retrieve cert 'ocspSigningCert cert-pki-ca' from '/etc/pki/pki-tomcat/alias': Unable to find certificate
ERROR: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072909: Request id 20240828072909: Unable to retrieve cert 'subsystemCert cert-pki-ca' from '/etc/pki/pki-tomcat/alias': Unable to find certificate
ERROR: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072910: Request id 20240828072910: Unable to retrieve cert 'caSigningCert cert-pki-ca' from '/etc/pki/pki-tomcat/alias': Unable to find certificate
ERROR: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072911: Request id 20240828072911: Unable to retrieve cert 'Server-Cert cert-pki-ca' from '/etc/pki/pki-tomcat/alias': Unable to find certificate
ERROR: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072913: Request id 20240828072913: Unable to retrieve cert 'Server-Cert' from '/etc/dirsrv/slapd-IDM-SEMAT-GOV-SA': Unable to find certificate

Running 'getcert list', all certificates show with status MONITORING.

flo-renaud commented 3 weeks ago

Can you provide the output of ipa-healthcheck --source ipahealthcheck.ipa.certs --check IPACertfileExpirationCheck --verbose --debug ?

4gemenot commented 2 weeks ago

[root@s1biok20idmp01 ~]# ipa-healthcheck --source ipahealthcheck.ipa.certs --check IPACertfileExpirationCheck --verbose --debug Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' httpd is configured kadmin is configured dirsrv is configured pki-tomcatd is configured install is not configured krb5kdc is configured named is configured filestore has files Reading Dogtag specific config values Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' httpd is configured kadmin is configured dirsrv is configured pki-tomcatd is configured install is not configured krb5kdc is configured named is configured filestore has files importing all plugin modules in ipaserver.plugins... importing plugin module ipaserver.plugins.aci importing plugin module ipaserver.plugins.automember importing plugin module ipaserver.plugins.automount importing plugin module ipaserver.plugins.baseldap ipaserver.plugins.baseldap is not a valid plugin module importing plugin module ipaserver.plugins.baseuser importing plugin module ipaserver.plugins.batch importing plugin module ipaserver.plugins.ca importing plugin module ipaserver.plugins.caacl importing plugin module ipaserver.plugins.cert importing plugin module ipaserver.plugins.certmap importing plugin module ipaserver.plugins.certprofile importing plugin module ipaserver.plugins.config importing plugin module ipaserver.plugins.delegation importing plugin module ipaserver.plugins.dns importing plugin module ipaserver.plugins.dnsserver importing plugin module ipaserver.plugins.dogtag importing plugin module ipaserver.plugins.domainlevel importing plugin module ipaserver.plugins.group importing plugin module ipaserver.plugins.hbac ipaserver.plugins.hbac is not a valid plugin module importing plugin module ipaserver.plugins.hbacrule importing plugin module ipaserver.plugins.hbacsvc importing 
plugin module ipaserver.plugins.hbacsvcgroup importing plugin module ipaserver.plugins.hbactest importing plugin module ipaserver.plugins.host importing plugin module ipaserver.plugins.hostgroup importing plugin module ipaserver.plugins.idp importing plugin module ipaserver.plugins.idrange importing plugin module ipaserver.plugins.idviews importing plugin module ipaserver.plugins.internal importing plugin module ipaserver.plugins.join importing plugin module ipaserver.plugins.krbtpolicy importing plugin module ipaserver.plugins.ldap2 importing plugin module ipaserver.plugins.location importing plugin module ipaserver.plugins.migration importing plugin module ipaserver.plugins.misc importing plugin module ipaserver.plugins.netgroup importing plugin module ipaserver.plugins.otp ipaserver.plugins.otp is not a valid plugin module importing plugin module ipaserver.plugins.otpconfig importing plugin module ipaserver.plugins.otptoken importing plugin module ipaserver.plugins.passkeyconfig importing plugin module ipaserver.plugins.passwd importing plugin module ipaserver.plugins.permission importing plugin module ipaserver.plugins.ping importing plugin module ipaserver.plugins.pkinit importing plugin module ipaserver.plugins.privilege importing plugin module ipaserver.plugins.pwpolicy importing plugin module ipaserver.plugins.rabase ipaserver.plugins.rabase is not a valid plugin module importing plugin module ipaserver.plugins.radiusproxy importing plugin module ipaserver.plugins.realmdomains importing plugin module ipaserver.plugins.role importing plugin module ipaserver.plugins.schema importing plugin module ipaserver.plugins.selfservice importing plugin module ipaserver.plugins.selinuxusermap importing plugin module ipaserver.plugins.server importing plugin module ipaserver.plugins.serverrole importing plugin module ipaserver.plugins.serverroles importing plugin module ipaserver.plugins.service importing plugin module ipaserver.plugins.servicedelegation importing plugin 
module ipaserver.plugins.session importing plugin module ipaserver.plugins.stageuser importing plugin module ipaserver.plugins.subid importing plugin module ipaserver.plugins.sudo ipaserver.plugins.sudo is not a valid plugin module importing plugin module ipaserver.plugins.sudocmd importing plugin module ipaserver.plugins.sudocmdgroup importing plugin module ipaserver.plugins.sudorule importing plugin module ipaserver.plugins.topology importing plugin module ipaserver.plugins.trust importing plugin module ipaserver.plugins.user importing plugin module ipaserver.plugins.vault importing plugin module ipaserver.plugins.virtual ipaserver.plugins.virtual is not a valid plugin module importing plugin module ipaserver.plugins.whoami importing plugin module ipaserver.plugins.xmlserver Created connection context.ldap2_140434900316608 Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' httpd is configured kadmin is configured dirsrv is configured pki-tomcatd is configured install is not configured krb5kdc is configured named is configured filestore has files Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' httpd is configured kadmin is configured dirsrv is configured pki-tomcatd is configured install is not configured krb5kdc is configured named is configured filestore has files Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading 
StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Calling check <ipahealthcheck.meta.services.certmonger object at 0x7fb98b0ae6a0> Starting external process args=['/bin/systemctl', 'is-active', 
'certmonger.service']
Process finished, return code=0
stdout=active
stderr=
Calling check <ipahealthcheck.meta.services.dirsrv object at 0x7fb98b09dd00>
Starting external process
args=['/bin/systemctl', 'is-active', 'dirsrv@IDM-SEMAT-GOV-SA.service']
Process finished, return code=0
stdout=active
stderr=
Calling check <ipahealthcheck.meta.services.gssproxy object at 0x7fb98b09d6a0>
Starting external process
args=['/bin/systemctl', 'is-active', 'gssproxy.service']
Process finished, return code=0
stdout=active
stderr=
Calling check <ipahealthcheck.meta.services.httpd object at 0x7fb98b09d790>
Starting external process
args=['/bin/systemctl', 'is-active', 'httpd.service']
Process finished, return code=0
stdout=active
stderr=
Calling check <ipahealthcheck.meta.services.ipa_custodia object at 0x7fb98b09d220>
retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IDM-SEMAT-GOV-SA.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fb98bc62580>
Starting external process
args=['/bin/systemctl', 'is-active', 'ipa-custodia.service']
Process finished, return code=0
stdout=active
stderr=
Calling check <ipahealthcheck.meta.services.ipa_otpd object at 0x7fb98b09d550>
Starting external process
args=['/bin/systemctl', 'is-active', 'ipa-otpd.socket']
Process finished, return code=0
stdout=active
stderr=
Calling check <ipahealthcheck.meta.services.kadmin object at 0x7fb98b087190>
Starting external process
args=['/bin/systemctl', 'is-active', 'kadmin.service']
Process finished, return code=0
stdout=active
stderr=
Calling check <ipahealthcheck.meta.services.krb5kdc object at 0x7fb98b087c10>
Starting external process
args=['/bin/systemctl', 'is-active', 'krb5kdc.service']
Process finished, return code=0
stdout=active
stderr=
Calling check <ipahealthcheck.meta.services.named object at 0x7fb98b087d30>
Starting external process
args=['/bin/systemctl', 'is-active', 'named.service']
Process finished, return code=0
stdout=active
stderr=
Calling check <ipahealthcheck.meta.services.ods_enforcerd object at 0x7fb98b087e50>
server s1biok20idmp01.idm.semat.gov.sa does not run role DNSSEC
Calling check <ipahealthcheck.meta.services.ipa_dnskeysyncd object at 0x7fb98b087fa0>
Starting external process
args=['/bin/systemctl', 'is-active', 'ipa-dnskeysyncd.service']
Process finished, return code=0
stdout=active
stderr=
Calling check <ipahealthcheck.meta.services.pki_tomcatd object at 0x7fb98b087730>
request POST http://s1biok20idmp01.idm.semat.gov.sa:8080/ca/admin/ca/getStatus
request body ''
response status 200
response headers Content-Type: application/json
Content-Length: 122
Date: Sun, 20 Oct 2024 05:51:03 GMT
response body (decoded): b'{\n "Response" : {\n "State" : "1",\n "Type" : "CA",\n "Status" : "running",\n "Version" : "11.5.0-SNAPSHOT"\n }\n}'
Calling check <ipahealthcheck.meta.services.sssd object at 0x7fb98b0f54f0>
Starting external process
args=['/bin/systemctl', 'is-active', 'sssd.service']
Process finished, return code=0
stdout=active
stderr=
Calling check <ipahealthcheck.meta.services.chronyd object at 0x7fb98b0f5490>
Starting external process
args=['/bin/systemctl', 'is-enabled', 'chronyd.service']
Process finished, return code=0
stdout=enabled
stderr=
Starting external process
args=['/bin/systemctl', 'is-active', 'chronyd.service']
Process finished, return code=0
stdout=active
stderr=
Calling check <ipahealthcheck.meta.services.smb object at 0x7fb98b0f5430>
server s1biok20idmp01.idm.semat.gov.sa does not run role ADTRUST
Calling check <ipahealthcheck.meta.services.winbind object at 0x7fb98b0f5250>
server s1biok20idmp01.idm.semat.gov.sa does not run role EXTID
Calling check <ipahealthcheck.ipa.certs.IPACertfileExpirationCheck object at 0x7fb98bb5b190>
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
The IPA token internal doesn't match the certmonger token NSS Certificate DB.
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Starting external process
args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'auditSigningCert cert-pki-ca', '-a', '-h', 'NSS Certificate DB', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
Process finished, return code=0
stdout=auditSigningCert cert-pki-ca u,u,Pu
subsystemCert cert-pki-ca u,u,u
Server-Cert cert-pki-ca u,u,u
ocspSigningCert cert-pki-ca u,u,u
caSigningCert cert-pki-ca CTu,Cu,Cu
stderr=
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
The IPA token internal doesn't match the certmonger token NSS Certificate DB.
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Starting external process
args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'ocspSigningCert cert-pki-ca', '-a', '-h', 'NSS Certificate DB', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
Process finished, return code=0
stdout=auditSigningCert cert-pki-ca u,u,Pu
subsystemCert cert-pki-ca u,u,u
Server-Cert cert-pki-ca u,u,u
ocspSigningCert cert-pki-ca u,u,u
caSigningCert cert-pki-ca CTu,Cu,Cu
stderr=
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
The IPA token internal doesn't match the certmonger token NSS Certificate DB.
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Starting external process
args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'subsystemCert cert-pki-ca', '-a', '-h', 'NSS Certificate DB', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
Process finished, return code=0
stdout=auditSigningCert cert-pki-ca u,u,Pu
subsystemCert cert-pki-ca u,u,u
Server-Cert cert-pki-ca u,u,u
ocspSigningCert cert-pki-ca u,u,u
caSigningCert cert-pki-ca CTu,Cu,Cu
stderr=
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
The IPA token internal doesn't match the certmonger token NSS Certificate DB.
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Starting external process
args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'caSigningCert cert-pki-ca', '-a', '-h', 'NSS Certificate DB', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
Process finished, return code=0
stdout=auditSigningCert cert-pki-ca u,u,Pu
subsystemCert cert-pki-ca u,u,u
Server-Cert cert-pki-ca u,u,u
ocspSigningCert cert-pki-ca u,u,u
caSigningCert cert-pki-ca CTu,Cu,Cu
stderr=
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
The IPA token internal doesn't match the certmonger token NSS Certificate DB.
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Starting external process
args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'Server-Cert cert-pki-ca', '-a', '-h', 'NSS Certificate DB', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
Process finished, return code=0
stdout=auditSigningCert cert-pki-ca u,u,Pu
subsystemCert cert-pki-ca u,u,u
Server-Cert cert-pki-ca u,u,u
ocspSigningCert cert-pki-ca u,u,u
caSigningCert cert-pki-ca CTu,Cu,Cu

stderr= Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' The IPA token internal doesn't match the certmonger token NSS Certificate DB. Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Starting external process args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-IDM-SEMAT-GOV-SA', '-L', '-n', 'Server-Cert', '-a', '-h', 'NSS Certificate DB', '-f', '/etc/dirsrv/slapd-IDM-SEMAT-GOV-SA/pwdfile.txt'] Process finished, return code=0 stdout=Server-Cert u,u,u IDM.SEMAT.GOV.SA IPA CA CT,C,C

stderr= SUCCESS: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072903 ERROR: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072907: Request id 20240828072907: Unable to retrieve cert 'auditSigningCert cert-pki-ca' from '/etc/pki/pki-tomcat/alias': Unable to find certificate ERROR: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072908: Request id 20240828072908: Unable to retrieve cert 'ocspSigningCert cert-pki-ca' from '/etc/pki/pki-tomcat/alias': Unable to find certificate ERROR: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072909: Request id 20240828072909: Unable to retrieve cert 'subsystemCert cert-pki-ca' from '/etc/pki/pki-tomcat/alias': Unable to find certificate ERROR: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072910: Request id 20240828072910: Unable to retrieve cert 'caSigningCert cert-pki-ca' from '/etc/pki/pki-tomcat/alias': Unable to find certificate ERROR: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072911: Request id 20240828072911: Unable to retrieve cert 'Server-Cert cert-pki-ca' from '/etc/pki/pki-tomcat/alias': Unable to find certificate ERROR: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072913: Request id 20240828072913: Unable to retrieve cert 'Server-Cert' from '/etc/dirsrv/slapd-IDM-SEMAT-GOV-SA': Unable to find certificate SUCCESS: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072941 SUCCESS: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072946

flo-renaud commented 2 weeks ago

Hi,

the output is really strange because certutil -n nickname -a should display a certificate as ASCII, not the list of certs in the NSS database. Can you provide the output of

# rpm -qa nss-tools

and

# dnf provides /usr/bin/certutil

4gemenot commented 2 weeks ago

rpm -qa nss-tools
nss-tools-3.101.0-7.el9_2.x86_64

nss-tools-3.90.0-3.el9_2.x86_64 : Tools for the Network Security Services
Repo : rhel-9-for-x86_64-appstream-rpms
Matched from:
Filename : /usr/bin/certutil

rcritten commented 2 weeks ago

I think this is the behavior when asking for a certificate that isn't on the provided token name, in this case NSS Certificate DB.

Are you in FIPS mode?

Can you provide the output of: modutil -list -dbdir sql:/etc/pki/pki-tomcat/alias

4gemenot commented 2 weeks ago

update-crypto-policies --show
FIPS:AD-SUPPORT

rcritten commented 2 weeks ago

fips-mode-setup --check

4gemenot commented 2 weeks ago

Let me send it tomorrow. I have left my work area. Let me have all the commands I need to run to provide more information for the troubleshooting.

rcritten commented 2 weeks ago

Another question. Was IPA installed while the server was in FIPS mode or was it put into FIPS mode some time after installation completed? One way to tell is to look for "has FIPS mode enabled on this operating system." in /var/log/ipaserver-install.log

4gemenot commented 2 weeks ago

modutil -list -dbdir sql:/etc/pki/pki-tomcat/alias

Listing of PKCS #11 Modules

  1. NSS Internal PKCS #11 Module
     uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.101
     slots: 1 slot attached
     status: loaded

     slot: NSS FIPS 140-2 User Private Key Services
     token: NSS FIPS 140-2 Certificate DB
     uri: pkcs11:token=NSS%20FIPS%20140-2%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. p11-kit-proxy
     library name: p11-kit-proxy.so
     uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
     slots: There are no slots attached to this module
     status: loaded

fips-mode-setup --check
FIPS mode is enabled.

I think after installation, I did the FIPS mode.

ipaserver-install.log

rcritten commented 2 weeks ago

Any keys generated prior to putting a system into FIPS mode are not compliant.

What ipa-healthcheck is running into, and you'll probably see this when the certificates go to renew, is that certmonger thinks the keys are on the token "NSS Certificate DB" which is the non-FIPS NSS token. So I think that renewal will fail.

My recommendation would be to disable FIPS on this system. If FIPS is required then you'd unfortunately need to re-install IPA from scratch. Sorry to be the bearer of bad news.

I'll try to create a check to test for this condition and provide a more useful message.
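The condition described in the comment above, as an added example (not freeipa-healthcheck's code and not the check rcritten later wrote): compare the token name certmonger recorded for each NSSDB-backed request with the tokens the database exposes in `modutil -list`. The `getcert list` layout, the placeholder FILE entry and all function names are assumptions made for this sketch.

```python
import re

# Constructed sample, trimmed from the `modutil -list` output posted in this thread.
MODUTIL_SAMPLE = """\
Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
     slots: 1 slot attached
     status: loaded

     slot: NSS FIPS 140-2 User Private Key Services
     token: NSS FIPS 140-2 Certificate DB
"""

# Constructed sample in the usual `getcert list` layout (an assumption; the
# thread does not show this output). The FILE entry uses a placeholder path.
GETCERT_SAMPLE = """\
Request ID '20240828072907':
\tstatus: MONITORING
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
Request ID 'example-file-request':
\tstatus: MONITORING
\tkey pair storage: type=FILE,location='/path/to/example.key'
"""

def nss_tokens(modutil_output):
    """Token names NSS currently exposes for one database."""
    return set(re.findall(r"^\s*token:\s*(.+?)\s*$", modutil_output, re.M))

def tracked_nss_keys(getcert_output):
    """Yield (request_id, db_dir, nickname, token) for NSSDB-backed requests."""
    request_id = None
    for line in getcert_output.splitlines():
        if m := re.match(r"Request ID '([^']+)':", line):
            request_id = m.group(1)
        elif m := re.match(r"\s*key pair storage: type=NSSDB,(.*)", line):
            f = dict(re.findall(r"(\w+)='([^']*)'", m.group(1)))
            yield request_id, f.get("location"), f.get("nickname"), f.get("token")

def token_mismatches(getcert_output, modutil_by_db):
    """Requests whose recorded token is not offered by their NSS database."""
    tokens = {db: nss_tokens(text) for db, text in modutil_by_db.items()}
    return [r for r in tracked_nss_keys(getcert_output)
            if r[3] and r[1] in tokens and r[3] not in tokens[r[1]]]

if __name__ == "__main__":
    dbs = {"/etc/pki/pki-tomcat/alias": MODUTIL_SAMPLE}
    for req in token_mismatches(GETCERT_SAMPLE, dbs):
        print("token mismatch:", req)
```

On a live server the two inputs would come from `getcert list` and from `modutil -list -dbdir sql:<db_dir>` run once per tracked database directory.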

4gemenot commented 2 weeks ago

Is enabling the FIPS required for AD integration? Do you have a procedure for smoothly integrating the IDM into Microsoft AD?

rcritten commented 2 weeks ago

FIPS is not required for AD. For setup information I'd refer you to the IdM documentation on docs.redhat.com.

rcritten commented 2 weeks ago

Related upstream freeIPA ticket https://pagure.io/freeipa/issue/7423

4gemenot commented 1 week ago

I saw the ticket. Can you also add a warning and not allow enabling the FIPS if IPA is already installed? It should give a warning or will not allow it.

rcritten commented 1 week ago

Not allowing FIPS to be enabled is something outside of our control. What we may also do, in addition to any new healthcheck test I add, is to prevent IPA from starting if it detects this situation. That decision is not finalized.

4gemenot commented 1 week ago

Thank you.