Ronald Wimmer via FreeIPA-users wrote:
> Is it true that these "Errors" appear on an IPA server without CA role
> present and can be ignored?
>
> CRITICAL:
> pki.server.healthcheck.certs.expiration.CASystemCertExpiryCheck: Invalid
> PKI instance: pki-tomcat
> CRITICAL:
> pki.server.healthcheck.certs.expiration.KRASystemCertExpiryCheck:
> Invalid PKI instance: pki-tomcat
> CRITICAL:
> pki.server.healthcheck.certs.expiration.OCSPSystemCertExpiryCheck:
> Invalid PKI instance: pki-tomcat
> CRITICAL:
> pki.server.healthcheck.certs.expiration.TKSSystemCertExpiryCheck:
> Invalid PKI instance: pki-tomcat
> CRITICAL:
> pki.server.healthcheck.certs.expiration.TPSSystemCertExpiryCheck:
> Invalid PKI instance: pki-tomcat
> CRITICAL:
> pki.server.healthcheck.certs.trustflags.CASystemCertTrustFlagCheck:
> Invalid PKI instance: pki-tomcat
> CRITICAL:
> pki.server.healthcheck.certs.trustflags.KRASystemCertTrustFlagCheck:
> Invalid PKI instance: pki-tomcat
> CRITICAL:
> pki.server.healthcheck.certs.trustflags.OCSPSystemCertTrustFlagCheck:
> Invalid PKI instance: pki-tomcat
> CRITICAL:
> pki.server.healthcheck.certs.trustflags.TKSSystemCertTrustFlagCheck:
> Invalid PKI instance: pki-tomcat
> CRITICAL:
> pki.server.healthcheck.certs.trustflags.TPSSystemCertTrustFlagCheck:
> Invalid PKI instance: pki-tomcat
> CRITICAL:
> pki.server.healthcheck.clones.connectivity_and_data.ClonesConnectivyAndDataCheck
>
> CRITICAL: pki.server.healthcheck.meta.csconfig.CADogtagCertsConfigCheck:
> Invalid PKI instance: pki-tomcat
> CRITICAL:
> pki.server.healthcheck.meta.csconfig.KRADogtagCertsConfigCheck: Invalid
> PKI instance: pki-tomcat
> CRITICAL:
> pki.server.healthcheck.meta.csconfig.OCSPDogtagCertsConfigCheck: Invalid
> PKI instance: pki-tomcat
> CRITICAL:
> pki.server.healthcheck.meta.csconfig.TKSDogtagCertsConfigCheck: Invalid
> PKI instance: pki-tomcat
> CRITICAL:
> pki.server.healthcheck.meta.csconfig.TPSDogtagCertsConfigCheck: Invalid
> PKI instance: pki-tomcat
> CRITICAL:
> pki.server.healthcheck.meta.connectivity.DogtagCACertsConnectivityCheck:
> Invalid PKI instance: pki-tomcat
> CRITICAL:
> pki.server.healthcheck.meta.connectivity.DogtagKRAConnectivityCheck:
> Invalid PKI instance: pki-tomcat
> CRITICAL:
> pki.server.healthcheck.meta.connectivity.DogtagOCSPConnectivityCheck:
> Invalid PKI instance: pki-tomcat
> CRITICAL:
> pki.server.healthcheck.meta.connectivity.DogtagTKSConnectivityCheck:
> Invalid PKI instance: pki-tomcat
> CRITICAL:
> pki.server.healthcheck.meta.connectivity.DogtagTPSConnectivityCheck:
> Invalid PKI instance: pki-tomcat
> CRITICAL: ipahealthcheck.ipa.roles.IPACRLManagerCheck: Unable to read
> /var/lib/pki/pki-tomcat/conf/ca/CS.cfg

There was an issue that pki.server checks though throw errors even if
the CA was unconfigured. I had to filter these out of healthcheck.

But the IPACRLManagerCheck should only run if a CA is configured so I'd
double check your roles. It seems to believe one is configured on this host.

>
> As well as these for a disabled trust domain?
>
> ERROR: ipahealthcheck.ipa.trust.IPATrustDomainsCheck.domain-list:
> /usr/sbin/sssctl domain-list reports mismatch: sssd domains mydomain.at,
> buero.mydomain.at, org.mydomain.at trust domains buero.mydomain.at,
> mydomain.at, org.mydomain.at, tk.mydomain.at
> ERROR: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.domain-status:
> Execution of domain-status failed: CalledProcessError(Command
> ['/usr/sbin/sssctl', 'domain-status', 'tk.mydomain.at',
> '--active-server'] returned non-zero exit status 1: 'Unable to get
> online status\n')

Disabled how? healthcheck is running through the list of trust domains
that sssd is returning. So should sssd not be aware of this domain at all?

rob

>
> Cheers,
> Ronald
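
A triage helper for output like that quoted in this thread, added here as an example and not part of the thread or of the FreeIPA project. It separates the `pki.server` "Invalid PKI instance" results from the IPA checks and computes which domains differ in the `domain-list` mismatch; the sample lines are constructed from the quoted output (unwrapped), and the `LEVEL: check: message` line format is an assumption based on it.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the (unwrapped) output quoted in the thread.
SAMPLE = """\
CRITICAL: pki.server.healthcheck.certs.expiration.CASystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.meta.csconfig.KRADogtagCertsConfigCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.clones.connectivity_and_data.ClonesConnectivyAndDataCheck
CRITICAL: ipahealthcheck.ipa.roles.IPACRLManagerCheck: Unable to read /var/lib/pki/pki-tomcat/conf/ca/CS.cfg
ERROR: ipahealthcheck.ipa.trust.IPATrustDomainsCheck.domain-list: /usr/sbin/sssctl domain-list reports mismatch: sssd domains mydomain.at, buero.mydomain.at, org.mydomain.at trust domains buero.mydomain.at, mydomain.at, org.mydomain.at, tk.mydomain.at
"""

# Assumed line shape: "LEVEL: dotted.check.name[: message]"
LINE = re.compile(r"^(?P<level>[A-Z]+): (?P<check>[\w.\-]+)(?:: (?P<msg>.*))?$")
MISMATCH = re.compile(r"sssd domains (?P<sssd>.+?) trust domains (?P<trust>.+)$")

def parse(text):
    """Yield (level, check, message) for each recognisable result line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m["level"], m["check"], m["msg"] or ""

def triage(text):
    """Group results so each class can be investigated on its own."""
    groups = defaultdict(list)
    for level, check, msg in parse(text):
        if check.startswith("pki.server.") and msg.startswith("Invalid PKI instance"):
            groups["pki_invalid_instance"].append(check)
        elif check.startswith("pki.server."):
            groups["pki_other"].append(check)
        else:
            # IPA's own checks, e.g. IPACRLManagerCheck: verify the host's roles.
            groups["ipa"].append((level, check, msg))
    return dict(groups)

def domain_mismatch(text):
    """Return (only_in_sssd, only_in_trust) from a domain-list mismatch line."""
    for _, check, msg in parse(text):
        m = MISMATCH.search(msg)
        if check.endswith("IPATrustDomainsCheck.domain-list") and m:
            sssd = {d.strip() for d in m["sssd"].split(",")}
            trust = {d.strip() for d in m["trust"].split(",")}
            return sorted(sssd - trust), sorted(trust - sssd)
    return [], []

if __name__ == "__main__":
    for name, items in triage(SAMPLE).items():
        print(name, len(items))
    print(domain_mismatch(SAMPLE))
```
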
