On 05.01.22 14:48, Rob Crittenden wrote:
Ronald Wimmer via FreeIPA-users wrote:
Is it true that these "Errors" appear on an IPA server without CA role
present and can be ignored?

CRITICAL:
pki.server.healthcheck.certs.expiration.CASystemCertExpiryCheck: Invalid
PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.certs.expiration.KRASystemCertExpiryCheck:
Invalid PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.certs.expiration.OCSPSystemCertExpiryCheck:
Invalid PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.certs.expiration.TKSSystemCertExpiryCheck:
Invalid PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.certs.expiration.TPSSystemCertExpiryCheck:
Invalid PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.certs.trustflags.CASystemCertTrustFlagCheck:
Invalid PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.certs.trustflags.KRASystemCertTrustFlagCheck:
Invalid PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.certs.trustflags.OCSPSystemCertTrustFlagCheck:
Invalid PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.certs.trustflags.TKSSystemCertTrustFlagCheck:
Invalid PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.certs.trustflags.TPSSystemCertTrustFlagCheck:
Invalid PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.clones.connectivity_and_data.ClonesConnectivyAndDataCheck

CRITICAL: pki.server.healthcheck.meta.csconfig.CADogtagCertsConfigCheck:
Invalid PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.meta.csconfig.KRADogtagCertsConfigCheck: Invalid
PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.meta.csconfig.OCSPDogtagCertsConfigCheck: Invalid
PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.meta.csconfig.TKSDogtagCertsConfigCheck: Invalid
PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.meta.csconfig.TPSDogtagCertsConfigCheck: Invalid
PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.meta.connectivity.DogtagCACertsConnectivityCheck:
Invalid PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.meta.connectivity.DogtagKRAConnectivityCheck:
Invalid PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.meta.connectivity.DogtagOCSPConnectivityCheck:
Invalid PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.meta.connectivity.DogtagTKSConnectivityCheck:
Invalid PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.meta.connectivity.DogtagTPSConnectivityCheck:
Invalid PKI instance: pki-tomcat
CRITICAL: ipahealthcheck.ipa.roles.IPACRLManagerCheck: Unable to read
/var/lib/pki/pki-tomcat/conf/ca/CS.cfg

There was an issue that pki.server checks throw errors even if
the CA was unconfigured. I had to filter these out of healthcheck.

But the IPACRLManagerCheck should only run if a CA is configured so I'd
double check your roles. It seems to believe one is configured on this host.

The CA role is definitely not enabled on these machines (but maybe something went wrong some time ago when we migrated from CentOS 7 to OL 8). Where should I have a closer look for leftovers?


As well as these for a disabled trust domain?

ERROR: ipahealthcheck.ipa.trust.IPATrustDomainsCheck.domain-list:
/usr/sbin/sssctl domain-list reports mismatch: sssd domains mydomain.at,
buero.mydomain.at, org.mydomain.at trust domains buero.mydomain.at,
mydomain.at, org.mydomain.at, tk.mydomain.at
ERROR: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.domain-status:
Execution of domain-status failed: CalledProcessError(Command
['/usr/sbin/sssctl', 'domain-status', 'tk.mydomain.at',
'--active-server'] returned non-zero exit status 1: 'Unable to get
online status\n')

Disabled how? healthcheck is running through the list of trust domains
that sssd is returning. So should sssd not be aware of this domain at all?

ipa trustdomain-disable

We've disabled the tk.mydomain.at domain because we do not need it.

Cheers,
Ronald