Ronald Wimmer wrote:
> On 05.01.22 20:16, Rob Crittenden via FreeIPA-users wrote:
>> Ronald Wimmer wrote:
>>> On 05.01.22 14:48, Rob Crittenden wrote:
>>>> Ronald Wimmer via FreeIPA-users wrote:
>>>>> Is it true that these "Errors" appear on an IPA server without CA role
>>>>> present and can be ignored?
>>>>>
>>>>> CRITICAL: pki.server.healthcheck.certs.expiration.CASystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
>>>>> CRITICAL: pki.server.healthcheck.certs.expiration.KRASystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
>>>>> CRITICAL: pki.server.healthcheck.certs.expiration.OCSPSystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
>>>>> CRITICAL: pki.server.healthcheck.certs.expiration.TKSSystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
>>>>> CRITICAL: pki.server.healthcheck.certs.expiration.TPSSystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
>>>>> CRITICAL: pki.server.healthcheck.certs.trustflags.CASystemCertTrustFlagCheck: Invalid PKI instance: pki-tomcat
>>>>> CRITICAL: pki.server.healthcheck.certs.trustflags.KRASystemCertTrustFlagCheck: Invalid PKI instance: pki-tomcat
>>>>> CRITICAL: pki.server.healthcheck.certs.trustflags.OCSPSystemCertTrustFlagCheck: Invalid PKI instance: pki-tomcat
>>>>> CRITICAL: pki.server.healthcheck.certs.trustflags.TKSSystemCertTrustFlagCheck: Invalid PKI instance: pki-tomcat
>>>>> CRITICAL: pki.server.healthcheck.certs.trustflags.TPSSystemCertTrustFlagCheck: Invalid PKI instance: pki-tomcat
>>>>> CRITICAL: pki.server.healthcheck.clones.connectivity_and_data.ClonesConnectivyAndDataCheck
>>>>>
>>>>> CRITICAL: pki.server.healthcheck.meta.csconfig.CADogtagCertsConfigCheck: Invalid PKI instance: pki-tomcat
>>>>> CRITICAL: pki.server.healthcheck.meta.csconfig.KRADogtagCertsConfigCheck: Invalid PKI instance: pki-tomcat
>>>>> CRITICAL: pki.server.healthcheck.meta.csconfig.OCSPDogtagCertsConfigCheck: Invalid PKI instance: pki-tomcat
>>>>> CRITICAL: pki.server.healthcheck.meta.csconfig.TKSDogtagCertsConfigCheck: Invalid PKI instance: pki-tomcat
>>>>> CRITICAL: pki.server.healthcheck.meta.csconfig.TPSDogtagCertsConfigCheck: Invalid PKI instance: pki-tomcat
>>>>> CRITICAL: pki.server.healthcheck.meta.connectivity.DogtagCACertsConnectivityCheck: Invalid PKI instance: pki-tomcat
>>>>> CRITICAL: pki.server.healthcheck.meta.connectivity.DogtagKRAConnectivityCheck: Invalid PKI instance: pki-tomcat
>>>>> CRITICAL: pki.server.healthcheck.meta.connectivity.DogtagOCSPConnectivityCheck: Invalid PKI instance: pki-tomcat
>>>>> CRITICAL: pki.server.healthcheck.meta.connectivity.DogtagTKSConnectivityCheck: Invalid PKI instance: pki-tomcat
>>>>> CRITICAL: pki.server.healthcheck.meta.connectivity.DogtagTPSConnectivityCheck: Invalid PKI instance: pki-tomcat
>>>>> CRITICAL: ipahealthcheck.ipa.roles.IPACRLManagerCheck: Unable to read /var/lib/pki/pki-tomcat/conf/ca/CS.cfg
>>>>
>>>> There was an issue that pki.server checks though throw errors even if
>>>> the CA was unconfigured. I had to filter these out of healthcheck.
>>>>
>>>> But the IPACRLManagerCheck should only run if a CA is configured so I'd
>>>> double check your roles. It seems to believe one is configured on this
>>>> host
>>>
>>> The CA role is definitely not enabled on these machines. (but maybe
>>> something went wrong some time ago when we migrated from CentOS 7 to OL
>>> 8.) Where should I have a closer look for leftovers?
>>>
>>
>> For the CA take a look at /var/lib/ipa/sysrestore/sysrestore.state to
>> see if installed = True in the pki-tomcatd section. That indicates that
>> the CA was configured.
>
> On these servers (without CA role) there is not even a pki-tomcatd section.

This is fixed upstream but isn't in RHEL 8 yet. It should be fixed as part of
https://bugzilla.redhat.com/show_bug.cgi?id=1983060

rob
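
The triage discussed in this thread, as an added example that is not from the original messages or from FreeIPA's own code: it reads sysrestore.state for installed = True in the pki-tomcatd section and, when no CA is recorded, separates the pki.server.healthcheck "Invalid PKI instance" findings from everything else. The sample state contents, the one-finding-per-line layout, and the function names are assumptions made for the example.

```python
import configparser
import re

# Constructed sample contents of /var/lib/ipa/sysrestore/sysrestore.state.
STATE_NO_CA = "[dirsrv]\nenabled = True\n"
STATE_WITH_CA = STATE_NO_CA + "\n[pki-tomcatd]\ninstalled = True\n"

# Findings quoted in the thread, written one per line (constructed layout).
FINDINGS = [
    "CRITICAL: pki.server.healthcheck.certs.expiration.CASystemCertExpiryCheck: Invalid PKI instance: pki-tomcat",
    "CRITICAL: pki.server.healthcheck.meta.csconfig.CADogtagCertsConfigCheck: Invalid PKI instance: pki-tomcat",
    "CRITICAL: ipahealthcheck.ipa.roles.IPACRLManagerCheck: Unable to read /var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
]

LINE_RE = re.compile(
    r"^(?P<level>[A-Z]+): (?P<source>[\w.]+)\.(?P<check>\w+): (?P<msg>.*)$")


def ca_configured(state_text):
    """True only if the pki-tomcatd section exists and records installed = True."""
    cp = configparser.RawConfigParser()
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(state_text)
    return cp.has_section("pki-tomcatd") and cp.getboolean(
        "pki-tomcatd", "installed", fallback=False)


def triage(state_text, lines):
    """Return (expected_without_ca, needs_review) lists of check names."""
    has_ca = ca_configured(state_text)
    expected, review = [], []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a finding line
        # Only the pki.server checks are treated as noise, and only when
        # the state file records no CA; everything else is left for review.
        pki_without_ca = (
            not has_ca
            and m["source"].startswith("pki.server.healthcheck")
            and m["msg"].startswith("Invalid PKI instance")
        )
        (expected if pki_without_ca else review).append(m["check"])
    return expected, review


if __name__ == "__main__":
    for label, state in (("no CA", STATE_NO_CA), ("CA", STATE_WITH_CA)):
        print(label, triage(state, FINDINGS))
```

The IPACRLManagerCheck finding is deliberately never placed in the first list, so it stays visible until the fix referenced in the Bugzilla entry is installed.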
