ipa-certupdate modifies the certmonger tracking for 'caSigningCert cert-pki-ca' by dropping the template profile from that certmonger request's configuration.
ipa-server-install
ipa-healthcheck
ipa-certupdate
[
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertTracking",
    "result": "ERROR",
    "uuid": "06fc99e8-037c-49ed-bd97-9703c82e1b04",
    "when": "20210104205952Z",
    "duration": "0.287840",
    "kw": {
      "key": "cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=caSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"caSigningCert cert-pki-ca\", template-profile=caCACert",
      "msg": "Expected certmonger tracking is missing for {key}. Automated renewal will not happen for this certificate"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertTracking",
    "result": "WARNING",
    "uuid": "f6af4114-bb3e-4cb4-a79d-2dc3b4856583",
    "when": "20210104205953Z",
    "duration": "0.401806",
    "kw": {
      "key": "20210104201139",
      "msg": "certmonger tracking request {key} found and is not expected on an IPA master."
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertDNSSAN",
    "result": "ERROR",
    "uuid": "2e5b118b-9a5c-4bdf-8c1f-c5337aa3c292",
    "when": "20210104205953Z",
    "duration": "0.309905",
    "kw": {
      "key": null,
      "msg": "Found request id {key} but it is not trackedby certmonger!?"
    }
  }
]
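The healthcheck output above can be triaged mechanically. The following is an added example, not code from this ticket or from the freeipa or ipa-healthcheck projects: it loads a healthcheck JSON report, splits the `key` description of a missing IPACertTracking entry into its fields (so the expected template-profile is visible), and separates missing expected entries from unexpected request IDs. The embedded report is a constructed, abbreviated copy of the output shown above.

```python
import json

# Constructed sample: abbreviated from the ipa-healthcheck output in this ticket.
SAMPLE_REPORT = json.dumps([
    {"source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking",
     "result": "ERROR",
     "kw": {"key": "cert-database=/etc/pki/pki-tomcat/alias, "
                   "cert-nickname=caSigningCert cert-pki-ca, "
                   "ca-name=dogtag-ipa-ca-renew-agent, "
                   "template-profile=caCACert",
            "msg": "Expected certmonger tracking is missing for {key}. "
                   "Automated renewal will not happen for this certificate"}},
    {"source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking",
     "result": "WARNING",
     "kw": {"key": "20210104201139",
            "msg": "certmonger tracking request {key} found and is not "
                   "expected on an IPA master."}},
    {"source": "ipahealthcheck.ipa.certs", "check": "IPACertDNSSAN",
     "result": "SUCCESS", "kw": {}},
])


def parse_tracking_key(key):
    """Turn 'k=v, k=v' into a dict; a bare request ID is kept as 'request-id'."""
    if "=" not in key:
        return {"request-id": key}
    return dict(part.split("=", 1) for part in key.split(", "))


def tracking_findings(report_text):
    """Return (missing, unexpected) from a healthcheck JSON report.

    missing: dicts of the expected-but-absent tracking entries (nickname,
             CA, template-profile, ...); unexpected: request IDs certmonger
             tracks that ipa-healthcheck did not expect on this master.
    """
    missing, unexpected = [], []
    for entry in json.loads(report_text):
        if entry.get("check") != "IPACertTracking" or entry["result"] == "SUCCESS":
            continue
        fields = parse_tracking_key(entry["kw"]["key"])
        if "request-id" in fields:
            unexpected.append(fields["request-id"])
        else:
            missing.append(fields)
    return missing, unexpected


if __name__ == "__main__":
    for m in tracking_findings(SAMPLE_REPORT)[0]:
        print("MISSING:", m.get("cert-nickname"), "profile", m.get("template-profile"))
    for r in tracking_findings(SAMPLE_REPORT)[1]:
        print("UNEXPECTED request:", r)
```

On a live master, feed it `ipa-healthcheck --output-type json` (via stdin or a file) instead of the sample; a missing entry whose template-profile is `caCACert` is the symptom this ticket describes.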
Running ipa-server-upgrade fixes the tracking.
ipa-server-upgrade
Reported initially on freeipa-users and followed up on IRC. Seen on RHEL 8.3 (ipa-server-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64) and reproduced with ipa master.
Metadata Update from @rcritten: - Issue assigned to rcritten
https://github.com/freeipa/freeipa/pull/5393
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1912845
Issue linked to Bugzilla: Bug 1912845
master:
ipa-4-9:
ipa-4-8:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @abbra: - Custom field changelog adjusted to ipa-certupdate tool now honors CA profile specified in the certificate request it tries to update