
add ipa-certupdate hint for missing LWCA tracking request #370

Open: frasertweedale wants to merge 1 commit into freeipa:master from frasertweedale:fix/lwca-tracking-request-hint


Conversation

@frasertweedale (Collaborator) commented Sep 8, 2025

Missing LWCA tracking requests is an expected scenario. Admins need to run ipa-certupdate to set up the tracking requests. Include this hint in the error message.

Drive-by change, no ticket.

How to test

  1. Two-server deployment, both with CA
  2. Create LWCA on the server that is NOT the renewal master.
  3. Wait a short time for LDAP and key replication to complete.
  4. Run ipa-healthcheck on the renewal master. For the LWCA key, it should show the message that the tracking request is missing, including the hint that it can be added by running ipa-certupdate.
  5. Run ipa-certupdate on the renewal master.
  6. Run ipa-healthcheck again. The error/warning about the missing tracking requests should no longer appear.

Missing LWCA tracking requests is an expected scenario.  Admins need
to run `ipa-certupdate` to set up the tracking requests.  Include
this hint in the error message.

@sourcery-ai (bot) left a comment

Hey there - I've reviewed your changes and they look great!


@rcritten (Collaborator) commented

I think I'd prefer it if we try to determine if the given certificate is a LWCA rather than always appending this. It could cause unnecessary running of ipa-certupdate to not fix the problem. I suspect a regex on the nickname would handle this pretty well.

I also uncovered a related issue but in IPA. Deleting a LWCA and re-running ipa-certupdate does not remove the tracking which will also spur healthcheck errors.
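The nickname-regex approach suggested above, written out as an added example (this is not the PR's code and not freeipa-healthcheck's implementation). It assumes, as documented in the comments, that Dogtag stores a lightweight CA signing key under the nickname "caSigningCert cert-pki-ca <authority-id>" with a UUID authority id, while the top-level CA signing key has no suffix; the hint wording and the "Missing tracking for ..." message format are illustrative. The sample NSS DB and certmonger tracking lists are constructed. Besides appending the ipa-certupdate hint only for LWCA keys, it also flags the leftover case from the second paragraph: a tracking request for an LWCA key that no longer exists.

```python
import re

# ASSUMPTION (not taken from the PR): Dogtag keeps each lightweight CA signing
# key in the CA NSS database under a nickname of the form
#   "caSigningCert cert-pki-ca <authority-id>"
# where <authority-id> is a UUID, while the top-level CA signing key is just
# "caSigningCert cert-pki-ca". Confirm against your deployment, e.g. with
#   certutil -L -d /etc/pki/pki-tomcat/alias
# before relying on this pattern. The match is anchored at both ends so the
# top-level CA key and arbitrary suffixes are rejected.
LWCA_NICKNAME_RE = re.compile(
    r"^caSigningCert cert-pki-ca "
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
    re.IGNORECASE,
)

# Illustrative wording; the PR's exact hint text is not shown on the page.
CERTUPDATE_HINT = "run ipa-certupdate to create the tracking request"


def is_lwca_nickname(nickname: str) -> bool:
    """True only for a lightweight CA signing-key nickname."""
    return LWCA_NICKNAME_RE.match(nickname.strip()) is not None


def missing_tracking_message(nickname: str) -> str:
    """Build the message for a key that has no certmonger tracking request.

    The ipa-certupdate hint is appended only for LWCA keys, the one case where
    a missing request is expected and that command creates it. For any other
    key the hint is withheld, because running ipa-certupdate would not fix the
    problem (the reviewer's concern about always appending it).
    """
    msg = f"Missing tracking for {nickname}"
    if is_lwca_nickname(nickname):
        msg += f"; {CERTUPDATE_HINT}"
    return msg


def untracked_keys(expected, tracked):
    """Nicknames present in the NSS DB (`expected`) that certmonger is not
    tracking (`tracked`, e.g. the nicknames reported by `getcert list`)."""
    return sorted(set(expected) - set(tracked))


def stale_lwca_tracking(expected, tracked):
    """Tracking requests for LWCA keys that no longer exist in the NSS DB:
    the leftover state described after an LWCA is deleted and ipa-certupdate
    is re-run without removing the old request."""
    return sorted(n for n in set(tracked) - set(expected) if is_lwca_nickname(n))


def report(expected, tracked):
    """Map each untracked nickname to its message, hint included where due."""
    return {n: missing_tracking_message(n) for n in untracked_keys(expected, tracked)}


# Constructed sample data, not captured from a real server.
SAMPLE_NSSDB = [
    "caSigningCert cert-pki-ca",
    "Server-Cert cert-pki-ca",
    "auditSigningCert cert-pki-ca",
    "caSigningCert cert-pki-ca 5b6f2c1e-8d3a-4f0b-9c2d-1e2f3a4b5c6d",
]
SAMPLE_TRACKED = [
    "caSigningCert cert-pki-ca",
    "auditSigningCert cert-pki-ca",
    # LWCA that was deleted, but whose tracking request was left behind.
    "caSigningCert cert-pki-ca 0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d",
]

if __name__ == "__main__":
    for msg in report(SAMPLE_NSSDB, SAMPLE_TRACKED).values():
        print(msg)
    for nickname in stale_lwca_tracking(SAMPLE_NSSDB, SAMPLE_TRACKED):
        print(f"Stale tracking request for deleted LWCA key {nickname}")
```

With the sample data, the Server-Cert entry is reported without the hint, the live LWCA key is reported with it, and the deleted LWCA's lingering request is listed separately rather than being mistaken for a missing key.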
