ipa-healthcheck: "Certificate request id {key} with profile {profile} for CA {ca} does not have a DNS SAN {san} matching name {hostname}"
Issue
- ipa-healthcheck reports that the HTTP certificate for an IdM server does not have a matching DNS SAN:
    # ipa-healthcheck --source ipahealthcheck.ipa.certs --check IPACertDNSSAN --verbose --all
    Reading Dogtag specific config values
    [
      {
        "source": "ipahealthcheck.ipa.certs",
        "check": "IPACertDNSSAN",
        "result": "ERROR",
        "uuid": "431c42c0-9396-4593-ad2b-09b40298ba1f",
        "when": "20240416115958Z",
        "duration": "0.904624",
        "kw": {
          "key": "20240318110910",
          "hostname": "ipa-ca.example.com",
          "san": [
            "ipa02.example.com"
          ],
          "ca": "IPA",
          "profile": "caIPAserviceCert",
          "msg": "Certificate request id {key} with profile {profile} for CA {ca} does not have a DNS SAN {san} matching name {hostname}"
        }
      },
      {
        "source": "ipahealthcheck.ipa.certs",
        "check": "IPACertDNSSAN",
        "result": "SUCCESS",
        "uuid": "51cc250b-68db-46ac-935b-ffde72498ced",
        "when": "20240416115959Z",
        "duration": "1.034792",
        "kw": {
          "key": "20240318110852",
          "hostname": [
            "ipa02.example.com"
          ],
          "san": [
            "ipa02.example.com"
          ],
          "ca": "IPA",
          "profile": "caIPAserviceCert"
        }
      }
    ]
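A triage helper for output like the above, added here as an example (not part of the original article or of ipa-healthcheck itself): it skips the banner line printed before the JSON, handles `hostname` being a string in one result and a list in another, and fills in the `{key}`-style message template. The function names and the embedded sample are constructed for illustration.

```python
import json

# Constructed sample modelled on the output above: a banner line, then JSON.
SAMPLE = """Reading Dogtag specific config values
[
  {"source": "ipahealthcheck.ipa.certs", "check": "IPACertDNSSAN", "result": "ERROR",
   "kw": {"key": "20240318110910", "hostname": "ipa-ca.example.com",
          "san": ["ipa02.example.com"], "ca": "IPA", "profile": "caIPAserviceCert",
          "msg": "Certificate request id {key} with profile {profile} for CA {ca} does not have a DNS SAN {san} matching name {hostname}"}},
  {"source": "ipahealthcheck.ipa.certs", "check": "IPACertDNSSAN", "result": "SUCCESS",
   "kw": {"key": "20240318110852", "hostname": ["ipa02.example.com"],
          "san": ["ipa02.example.com"], "ca": "IPA", "profile": "caIPAserviceCert"}}
]"""

def as_list(value):
    """kw values may be a bare string (ERROR entry) or a list (SUCCESS entry)."""
    return [value] if isinstance(value, str) else list(value or [])

def load_results(text):
    """Drop any banner lines printed before the JSON array, then parse it."""
    lines = text.splitlines()
    start = next((i for i, line in enumerate(lines) if line.startswith("[")), None)
    if start is None:
        raise ValueError("no JSON array found in healthcheck output")
    return json.loads("\n".join(lines[start:]))

def missing_dns_sans(text):
    """Return one finding per non-SUCCESS IPACertDNSSAN result."""
    findings = []
    for result in load_results(text):
        if result.get("check") != "IPACertDNSSAN" or result.get("result") == "SUCCESS":
            continue
        kw = result.get("kw", {})
        sans = {name.lower() for name in as_list(kw.get("san"))}
        # DNS names compare case-insensitively.
        missing = [h for h in as_list(kw.get("hostname")) if h.lower() not in sans]
        findings.append({
            "request_id": kw.get("key"),   # certmonger request id to inspect
            "missing": missing,            # names the certificate should carry
            "message": kw.get("msg", "").format(**kw),
        })
    return findings

if __name__ == "__main__":
    for finding in missing_dns_sans(SAMPLE):
        print(finding["request_id"], finding["missing"], finding["message"], sep="\n  ")
```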
Environment
- Red Hat Enterprise Linux 7, 8, 9
- Red Hat Identity Management