On 07.01.22 14:30, Rob Crittenden via FreeIPA-users wrote:
Ronald Wimmer wrote:
On 05.01.22 20:16, Rob Crittenden via FreeIPA-users wrote:
Ronald Wimmer wrote:
On 05.01.22 14:48, Rob Crittenden wrote:
Ronald Wimmer via FreeIPA-users wrote:
Is it true that these "Errors" appear on an IPA server without CA role
present and can be ignored?

CRITICAL: pki.server.healthcheck.certs.expiration.CASystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.expiration.KRASystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.expiration.OCSPSystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.expiration.TKSSystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.expiration.TPSSystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.trustflags.CASystemCertTrustFlagCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.trustflags.KRASystemCertTrustFlagCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.trustflags.OCSPSystemCertTrustFlagCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.trustflags.TKSSystemCertTrustFlagCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.trustflags.TPSSystemCertTrustFlagCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.clones.connectivity_and_data.ClonesConnectivyAndDataCheck
CRITICAL: pki.server.healthcheck.meta.csconfig.CADogtagCertsConfigCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.meta.csconfig.KRADogtagCertsConfigCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.meta.csconfig.OCSPDogtagCertsConfigCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.meta.csconfig.TKSDogtagCertsConfigCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.meta.csconfig.TPSDogtagCertsConfigCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.meta.connectivity.DogtagCACertsConnectivityCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.meta.connectivity.DogtagKRAConnectivityCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.meta.connectivity.DogtagOCSPConnectivityCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.meta.connectivity.DogtagTKSConnectivityCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.meta.connectivity.DogtagTPSConnectivityCheck: Invalid PKI instance: pki-tomcat
CRITICAL: ipahealthcheck.ipa.roles.IPACRLManagerCheck: Unable to read /var/lib/pki/pki-tomcat/conf/ca/CS.cfg

There was an issue where the pki.server checks throw errors even if
the CA was unconfigured. I had to filter these out of healthcheck.

But the IPACRLManagerCheck should only run if a CA is configured so I'd
double check your roles. It seems to believe one is configured on this
host.

The CA role is definitely not enabled on these machines. (but maybe
something went wrong some time ago when we migrated from CentOS 7 to OL
8.) Where should I have a closer look for leftovers?


For the CA take a look at /var/lib/ipa/sysrestore/sysrestore.state to
see if installed = True in the pki-tomcatd section. That indicates that
the CA was configured.

On these servers (without CA role) there is not even a pki-tomcatd section.

This is fixed upstream but isn't in RHEL 8 yet. It should be fixed as
part of https://bugzilla.redhat.com/show_bug.cgi?id=1983060

I am not allowed to view the bug's content. What would be a good workaround? Create a pki-tomcatd section in sysrestore.state with installed = False?

Cheers,
Ronald
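An added example, not part of the original thread and not FreeIPA code: a triage helper that applies the two points made above, reading the pki-tomcatd section of sysrestore.state and treating pki.server "Invalid PKI instance" results as expected only when no CA is recorded there. The function names, the sample state text and the one-record-per-line report are constructed for illustration; the classification rule is an assumption drawn from the replies in this thread.

```python
import configparser
import re

# Constructed sysrestore.state contents (not taken from a real host).
STATE_NO_CA = "[httpd]\nenabled = True\n"
STATE_WITH_CA = "[pki-tomcatd]\ninstalled = True\n"

# Constructed report, one record per line, reusing checks quoted in the thread.
REPORT = """\
CRITICAL: pki.server.healthcheck.certs.expiration.CASystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.meta.csconfig.CADogtagCertsConfigCheck: Invalid PKI instance: pki-tomcat
CRITICAL: ipahealthcheck.ipa.roles.IPACRLManagerCheck: Unable to read /var/lib/pki/pki-tomcat/conf/ca/CS.cfg
"""

RECORD = re.compile(r"^(?P<level>[A-Z]+): (?P<check>[\w.]+): (?P<msg>.*)$")


def ca_configured(state_text):
    """True only if [pki-tomcatd] exists and has installed = True."""
    cp = configparser.RawConfigParser()
    cp.optionxform = str  # keep option names case-sensitive
    cp.read_string(state_text)
    # A missing section or missing option both count as "no CA configured".
    return cp.getboolean("pki-tomcatd", "installed", fallback=False)


def triage(report_text, state_text):
    """Return (expected_noise, needs_review) lists of check names."""
    has_ca = ca_configured(state_text)
    noise, review = [], []
    for line in report_text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # skip blank or wrapped fragments
        is_pki = m["check"].startswith("pki.server.healthcheck.")
        if is_pki and not has_ca and m["msg"].startswith("Invalid PKI instance"):
            noise.append(m["check"])
        else:
            # Everything else, including IPACRLManagerCheck, stays visible.
            review.append(m["check"])
    return noise, review


if __name__ == "__main__":
    noise, review = triage(REPORT, STATE_NO_CA)
    print("expected noise:", noise)
    print("needs review:", review)
```
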