On 2022-11-16 two of my four IPA servers have this healthcheck error:
freeipa1, freeipa2:
```json
{
  "source": "pki.server.healthcheck.meta.csconfig",
  "check": "KRADogtagCertsConfigCheck",
  "result": "ERROR",
  "uuid": "892ad5b7-8612-4476-8120-2a5fe6c6b005",
  "when": "20221116030029Z",
  "duration": "0.024925",
  "kw": {
    "key": "kra_sslserver",
    "nickname": "Server-Cert cert-pki-ca",
    "directive": "kra.sslserver.cert",
    "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
    "msg": "Certificate 'Server-Cert cert-pki-ca' does not match the value of kra.sslserver.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
  }
},
```
The servers freeipa1-3 are Fedora 36, freeipa4 is Fedora 37, all up to date.
All files /var/lib/pki/pki-tomcat/kra/conf/CS.cfg were last changed in Nov/Dec 2021, most likely because I looked at that issue back then and only "fixed" the error without investigating the root cause. Let's see if we can remedy that.
On freeipa1, the "Server-Cert cert-pki-ca" has been refreshed on 2022-11-13 15:27:35 CET. On freeipa2, the "Server-Cert cert-pki-ca" has been refreshed on 2022-11-11 15:22:12 CET.
The certificates on freeipa3 and freeipa4 will be refreshed in Nov 2023.
On freeipa2 there are these CS.cfg files:
```
[root@freeipa2 ~]# ls -l /var/lib/pki/pki-tomcat/*/conf/CS.cfg
-rw-rw----. 1 pkiuser pkiuser 85469 11. Nov 15:22 /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
-rw-rw----. 1 pkiuser pkiuser 34418 18. Nov 2021  /var/lib/pki/pki-tomcat/kra/conf/CS.cfg
```
So it looks like the helper only refreshed the cert in ca, not in kra. The certificate request has this post-save command:
```
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
```
When looking at the script, we call this for the cert:
```
python3.10/site-packages/ipaserver/install/cainstance.py:1157: def update_cert_config(self, nickname, cert):
```
Which calls that function:
```
python3.10/site-packages/ipaserver/install/dogtaginstance.py:555: def update_cert_cs_cfg(self, directive, cert):
```
But there is no code to loop over the running services in pki-tomcat as far as I can see. So we update ca/conf/CS.cfg, but not kra/conf/CS.cfg.
Some related discussions: https://bugzilla.redhat.com/show_bug.cgi?id=1869893 says:
I've collected the logs of the certificate refresh on freeipa2 and can provide them, but there was no related error as far as I can see.
PKI thinks that CA and KRA are enabled in this instance:
```
[pkiuser@freeipa2 ~]$ pki-server status
  Instance ID: pki-tomcat
  Active: True
  Nuxwdog Enabled: False
  Unsecure Port: 8080
  Secure Port: 8443
  AJP Port: 8009
  Tomcat Port: 8005

  CA Subsystem:
    Type:                CA Clone (Security Domain)
    SD Name:             IPA
    SD Registration URL: https://freeipa2.example.org:8443
    Enabled:             True
    Unsecure URL:        http://freeipa2.example.org:8080/ca/ee/ca
    Secure Agent URL:    https://freeipa2.example.org:8443/ca/agent/ca
    Secure EE URL:       https://freeipa2.example.org:8443/ca/ee/ca
    Secure Admin URL:    https://freeipa2.example.org:8443/ca/services
    PKI Console URL:     https://freeipa2.example.org:8443/ca

  KRA Subsystem:
    Type:                KRA
    SD Name:             IPA
    SD Registration URL: https://freeipa2.example.org:443
    Enabled:             True
    Secure Agent URL:    https://freeipa2.example.org:8443/kra/agent/kra
    Secure Admin URL:    https://freeipa2.example.org:8443/kra/services
    PKI Console URL:     https://freeipa2.example.org:8443/kra
```
I'm checking with the PKI team what impact not updating the KRA Server-Cert value has operationally.
There are two open, related issues in CS:
https://github.com/dogtagpki/pki/issues/2157
https://github.com/dogtagpki/pki/issues/2295
Only the first affects IPA directly, the copy of the certificate.
So for now we should ensure the KRA values are updated upon renewal.
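The consistency check the healthcheck performs, and the per-subsystem update that the renewal helper is missing, written out as an added example. This is not code from FreeIPA, Dogtag or this ticket. It assumes the Dogtag layout `/var/lib/pki/<instance>/<subsystem>/conf/CS.cfg` with `key=value` lines, and that the SSL server certificate is stored as base64 DER under `<subsystem>.sslserver.cert`; the current certificate can be pasted in PEM form as printed by `certutil -L -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" -a`. The demo instance and its certificate strings are constructed placeholders, not real certificates.

```python
"""Check and update <subsystem>.sslserver.cert in every Dogtag CS.cfg.

Added example, not FreeIPA or Dogtag code. Layout and directive names are
assumptions based on the ticket above.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

PKI_ROOT = Path("/var/lib/pki")  # default Dogtag instance root (assumption)


def subsystem_cfgs(instance_dir: Path) -> dict[str, Path]:
    """Map subsystem name (ca, kra, ...) to its CS.cfg under one instance."""
    return {p.parent.parent.name: p
            for p in sorted(instance_dir.glob("*/conf/CS.cfg"))}


def read_directive(cfg: Path, directive: str) -> str | None:
    """Return the value of a key=value directive, or None if absent."""
    for line in cfg.read_text().splitlines():
        key, sep, value = line.partition("=")
        if sep and not line.lstrip().startswith("#") and key.strip() == directive:
            return value.strip()
    return None


def normalize_b64(cert: str) -> str:
    """Strip PEM armor and whitespace so PEM and CS.cfg values compare equal."""
    body = [l for l in cert.splitlines() if not l.startswith("-----")]
    return "".join("".join(body).split())


def check_sslserver_cert(instance_dir: Path, current_cert: str) -> dict[str, bool]:
    """{subsystem: True} when <subsystem>.sslserver.cert matches current_cert.

    This is the comparison KRADogtagCertsConfigCheck reports an ERROR on.
    """
    want = normalize_b64(current_cert)
    result = {}
    for name, cfg in subsystem_cfgs(instance_dir).items():
        have = read_directive(cfg, f"{name}.sslserver.cert")
        result[name] = have is not None and normalize_b64(have) == want
    return result


def update_sslserver_cert(instance_dir: Path, current_cert: str) -> list[str]:
    """Rewrite stale <subsystem>.sslserver.cert values; return subsystems touched.

    Every subsystem directory is visited, which is the loop the ticket notes
    is missing from the renewal helper. The file is written in place so the
    inode, owner and SELinux label are kept; a denial on kra/conf/CS.cfg
    surfaces here as PermissionError rather than silently skipping it.
    """
    want = normalize_b64(current_cert)
    updated = []
    for name, cfg in subsystem_cfgs(instance_dir).items():
        directive = f"{name}.sslserver.cert"
        lines = cfg.read_text().splitlines()
        changed = False
        for i, line in enumerate(lines):
            key, sep, value = line.partition("=")
            if sep and key.strip() == directive and normalize_b64(value) != want:
                lines[i] = f"{directive}={want}"
                changed = True
        if changed:
            cfg.write_text("\n".join(lines) + "\n")
            updated.append(name)
    return updated


# Constructed placeholders standing in for base64 DER certificates.
OLD_CERT = "TUlJQ29sZFNlcnZlckNlcnQ="
NEW_CERT = "-----BEGIN CERTIFICATE-----\nTUlJQ25ld1Nl\ncnZlckNlcnQ=\n-----END CERTIFICATE-----\n"


def build_demo_instance(root: Path) -> Path:
    """Constructed instance: ca/ already renewed, kra/ still holds the old cert."""
    inst = root / "pki-tomcat"
    for name, cert in (("ca", normalize_b64(NEW_CERT)), ("kra", OLD_CERT)):
        cfg = inst / name / "conf" / "CS.cfg"
        cfg.parent.mkdir(parents=True)
        cfg.write_text(f"# constructed sample CS.cfg\n"
                       f"{name}.sslserver.nickname=Server-Cert cert-pki-ca\n"
                       f"{name}.sslserver.cert={cert}\n")
    return inst


def demo() -> tuple[dict[str, bool], list[str], dict[str, bool]]:
    """Run check -> update -> check on the constructed instance."""
    with tempfile.TemporaryDirectory() as tmp:
        inst = build_demo_instance(Path(tmp))
        before = check_sslserver_cert(inst, NEW_CERT)
        updated = update_sslserver_cert(inst, NEW_CERT)
        after = check_sslserver_cert(inst, NEW_CERT)
    return before, updated, after


if __name__ == "__main__":
    print(demo())
```

On a live server, `check_sslserver_cert(PKI_ROOT / "pki-tomcat", pem)` reproduces the healthcheck result for every subsystem at once; the update function is only useful as pkiuser or root, and, per the comment below about SELinux contexts, may still be denied on the KRA file when run from the certmonger helper's domain.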
Metadata Update from @rcritten: - Issue priority set to: normal
Metadata Update from @rcritten: - Issue assigned to rcritten
The changes are relatively minor and obvious but they fail to work because the SELinux context of the subsystem directories is different and we don't have write access to the KRA CS.cfg.
```
CA  unconfined_u:object_r:pki_tomcat_cert_t:s0
KRA unconfined_u:object_r:pki_tomcat_etc_rw_t:s
```
I'll attach my diff here for posterity. I'm waiting on word back from the PKI team who owns the policy and whether this difference is intentional or not.
Attachment: 0001-Update-KRA-certificates-in-CS.cfg-on-renewal.patch (/freeipa/issue/raw/files/a5917b4007c4b1f0f3cac900d104827eb1d31b74946e521b26945a0c4ae58c06-0001-Update-KRA-certificates-in-CS.cfg-on-renewal.patch)
selinux-policy BZ https://bugzilla.redhat.com/show_bug.cgi?id=2166441