NSS Check Failure #337

Open
matthewprobasco opened this issue Sep 19, 2024 · 2 comments

@matthewprobasco

I cannot seem to figure out why this health check keeps failing.
  {
    "source": "ipahealthcheck.ds.nss_ssl",
    "check": "NssCheck",
    "result": "ERROR",
    "uuid": "18e1cb64-ca7f-4247-8fdb-a11fdd87b217",
    "when": "20240919194444Z",
    "duration": "10.003445",
    "kw": {
      "exception": "Request timed out"
    }
  },

Server: AlmaLinux

@rcritten
Collaborator

rcritten commented Oct 7, 2024

Sorry for the delay, I missed this originally.

This check is provided directly by 389-ds and executed by freeipa-healthcheck. I'm not completely sure what it is doing.

You can try increasing the timeout to see if the check itself will fail with a better reason.

Create /etc/ipahealthcheck/ipahealthcheck.conf with contents:

[default]
timeout=600

@matthewprobasco
Author

This is quite interesting. I actually had a few errors that were all "resolved" by increasing this timeout. I have two FreeIPA servers running AlmaLinux 9.5 (Teal Serval) on Raspberry Pi 4 Model B Rev 1.5. The servers are connected to the same 1G switch/LAN, so traffic between them should be very fast. Happy it's reporting "more healthy", but wondering why the timeout would play such a big role here? Thoughts would be appreciated. (I am still working on the remaining CA issue.)

You can see here - before:

[almalinux@ldap01 ~]$ sudo ipa-healthcheck
Internal server error CA clone problem reading data. Host: host2.localdomain Port: 443
[
  {
    "source": "pki.server.healthcheck.clones.connectivity_and_data",
    "check": "ClonesConnectivyAndDataCheck",
    "result": "ERROR",
    "uuid": "97c33013-198c-40c4-bf3d-cf3ac0dd1771",
    "when": "20250216164023Z",
    "duration": "0.722317",
    "kw": {
      "status": "ERROR:  pki-tomcat : Internal error testing CA clone. Host: host2.localdomain Port: 443"
    }
  },
  {
    "source": "ipahealthcheck.ds.nss_ssl",
    "check": "NssCheck",
    "result": "ERROR",
    "uuid": "15398b4c-88da-4fbd-a05d-1cbf63741b79",
    "when": "20250216164037Z",
    "duration": "10.002982",
    "kw": {
      "exception": "Request timed out"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertTracking",
    "result": "WARNING",
    "uuid": "a1dfd6ee-7946-4c9e-874f-d0b428bab820",
    "when": "20250216164049Z",
    "duration": "5.812956",
    "kw": {
      "key": "20240923235148",
      "msg": "certmonger tracking request {key} found and is not expected on an IPA master."
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "1e156bd0-eb22-40c6-87b6-d454590ba05c",
    "when": "20250216164114Z",
    "duration": "10.125520",
    "kw": {
      "key": "20240606000121",
      "serial": 10,
      "error": "cannot connect to 'https://host1.localdomain:443/ca/rest/authorities/302e4530-c998-407f-9897-2ad7145f6eae/cert': Request timed out",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.meta.core",
    "check": "MetaCheck",
    "result": "ERROR",
    "uuid": "4c8817d3-3e5c-414d-bce4-ffc9508c633b",
    "when": "20250216164132Z",
    "duration": "10.001908",
    "kw": {
      "key": "meta",
      "fqdn": "host1.localdomain",
      "fips": "disabled",
      "acme": "check timed out",
      "ipa_version": "4.12.2",
      "ipa_api_version": "2.254"
    }
  }
]

After:

[almalinux@ldap01 ~]$ sudo ipa-healthcheck
Internal server error CA clone problem reading data. Host: host2.localdomain Port: 443
[
  {
    "source": "pki.server.healthcheck.clones.connectivity_and_data",
    "check": "ClonesConnectivyAndDataCheck",
    "result": "ERROR",
    "uuid": "4dabb2ab-22e9-4eb5-8bce-98c413e9a124",
    "when": "20250216174312Z",
    "duration": "0.940387",
    "kw": {
      "status": "ERROR:  pki-tomcat : Internal error testing CA clone. Host: host2.localdomain Port: 443"
    }
  }
]
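
A triage sketch for output like the "before" run above, added here as an example and not part of the thread or of freeipa-healthcheck: it separates results that hit the time limit from results that report an actual finding. The function names and the 10-second threshold are assumptions, the latter read off the roughly 10 s durations in the posted output.

```python
import json

# Constructed sample: three results trimmed from the "before" output in this
# thread, with the shell prompt and the non-JSON line that precede the array.
SAMPLE = """[almalinux@ldap01 ~]$ sudo ipa-healthcheck
Internal server error CA clone problem reading data. Host: host2.localdomain Port: 443
[
  {"source": "pki.server.healthcheck.clones.connectivity_and_data",
   "check": "ClonesConnectivyAndDataCheck", "result": "ERROR",
   "duration": "0.722317",
   "kw": {"status": "ERROR:  pki-tomcat : Internal error testing CA clone."}},
  {"source": "ipahealthcheck.ds.nss_ssl", "check": "NssCheck",
   "result": "ERROR", "duration": "10.002982",
   "kw": {"exception": "Request timed out"}},
  {"source": "ipahealthcheck.meta.core", "check": "MetaCheck",
   "result": "ERROR", "duration": "10.001908",
   "kw": {"key": "meta", "acme": "check timed out"}}
]
"""

def load_results(text):
    """Return the first JSON array of result objects found in the output."""
    decoder = json.JSONDecoder()
    pos = text.find("[")
    while pos != -1:
        try:
            results, _ = decoder.raw_decode(text, pos)
            if all(isinstance(r, dict) for r in results):
                return results
        except json.JSONDecodeError:
            pass  # e.g. the "[" of a shell prompt; try the next one
        pos = text.find("[", pos + 1)
    raise ValueError("no healthcheck JSON array found")

def is_timeout(result, timeout=10.0):
    """True if the result reports a timeout and ran for the whole time limit."""
    kw_text = " ".join(str(v) for v in result.get("kw", {}).values()).lower()
    return "timed out" in kw_text and float(result.get("duration", 0)) >= timeout

def triage(text, timeout=10.0):
    """Split non-SUCCESS checks into (timed_out, other_findings) by check name."""
    timed_out, findings = [], []
    for r in load_results(text):
        if r.get("result") != "SUCCESS":
            (timed_out if is_timeout(r, timeout) else findings).append(r["check"])
    return timed_out, findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Checks in the first list are candidates for a rerun with a longer timeout; checks in the second list failed quickly and need investigating on their own.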
