There have been several cases where IPA customers have had to handle expired system or RA certificates by manually moving the system time back and attempting to renew using certmonger. Sometimes it seems that system users and agents do not have their certs updated.
It would be nice to have a tool (pki-server healthcheck) that determines whether the:
- system certs are valid
- system users exist
- system users have the right certificates
- agents have the right unexpired certificates
This maybe could/should be an IPA ticket (in that certmonger would need to be updated), but there are some aspects here which would need to be done by dogtag tools (i.e. pki-server).
This would be a tremendous help to customers and the community.
Per discussions with alee: 10.4
The following additional functionality specified in PKI TRAC Ticket #1712 - Running SystemCertsVerification from CLI should be merged into this tool:
Currently the SystemCertsVerification can only be executed by starting up the server. To simplify troubleshooting issues with system certificates (e.g. ticket #1697) it would be nice to refactor the code such that the selftest can also be executed as a standalone program, for example:
$ pki-server ca-selftest-run
The CLI will be easier to connect to a debugger and the scope of the investigation will be much smaller.
Per Offline Triage of 11/30/2016-12/01/2016: 10.4 - critical
Metadata Update from @vakwetu:
- Issue set to the milestone: 10.4
Per PKI Bug Council of 04/05/2017: 10.5
Metadata Update from @mharmsen:
- Custom field feature adjusted to ''
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field version adjusted to ''
- Issue close_status updated to: None
- Issue set to the milestone: 10.5 (was: 10.4)
Metadata Update from @mharmsen:
- Issue priority set to: major (was: critical)
- Issue set to the milestone: FUTURE (was: 10.5)
Closing this ticket as a duplicate.
We have addressed many of these issues in a health check tool on the IPA side, and in the offline renewal tool on the Dogtag side.
Metadata Update from @vakwetu:
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)
Metadata Update from @mharmsen:
- Issue set to the milestone: 10.5.2 (was: FUTURE)
Reopening this (because no duplicate BZ could be found for this ticket's corresponding BZ).
We will now treat this as a tracker ticket. Please reference any related/subordinate tickets in the blockedby field.
Metadata Update from @ftweedal:
- Issue status updated to: Open (was: Closed)
Metadata Update from @mharmsen:
- Issue set to the milestone: 10.5 (was: 10.5.2)
Metadata Update from @mharmsen:
- Issue assigned to vakwetu
Metadata Update from @mharmsen:
- Issue set to the milestone: 10.6 (was: 10.5)
Per 10.5.x/10.6 Triage: 10.6
Metadata Update from @mharmsen:
- Issue assigned to dmoluguw (was: vakwetu)
An initial framework has been designed and implemented via PR: https://github.com/dogtagpki/pki/pull/301
More healthchecks will be added as part of a separate PR. I'll keep this ticket open at least until the healthchecks described in the description are addressed.
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2371
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)