Ronald Wimmer via FreeIPA-users wrote:
> On 07.01.22 14:30, Rob Crittenden via FreeIPA-users wrote:
>> Ronald Wimmer wrote:
>>> On 05.01.22 20:16, Rob Crittenden via FreeIPA-users wrote:
>>>> Ronald Wimmer wrote:
>>>>> On 05.01.22 14:48, Rob Crittenden wrote:
>>>>>> Ronald Wimmer via FreeIPA-users wrote:
>>>>>>> Is it true that these "Errors" appear on an IPA server without CA role present and can be ignored?
>>>>>>>
>>>>>>> CRITICAL: pki.server.healthcheck.certs.expiration.CASystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
>>>>>>> CRITICAL: pki.server.healthcheck.certs.expiration.KRASystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
>>>>>>> CRITICAL: pki.server.healthcheck.certs.expiration.OCSPSystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
>>>>>>> CRITICAL: pki.server.healthcheck.certs.expiration.TKSSystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
>>>>>>> CRITICAL: pki.server.healthcheck.certs.expiration.TPSSystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
>>>>>>> CRITICAL: pki.server.healthcheck.certs.trustflags.CASystemCertTrustFlagCheck: Invalid PKI instance: pki-tomcat
>>>>>>> CRITICAL: pki.server.healthcheck.certs.trustflags.KRASystemCertTrustFlagCheck: Invalid PKI instance: pki-tomcat
>>>>>>> CRITICAL: pki.server.healthcheck.certs.trustflags.OCSPSystemCertTrustFlagCheck: Invalid PKI instance: pki-tomcat
>>>>>>> CRITICAL: pki.server.healthcheck.certs.trustflags.TKSSystemCertTrustFlagCheck: Invalid PKI instance: pki-tomcat
>>>>>>> CRITICAL: pki.server.healthcheck.certs.trustflags.TPSSystemCertTrustFlagCheck: Invalid PKI instance: pki-tomcat
>>>>>>> CRITICAL: pki.server.healthcheck.clones.connectivity_and_data.ClonesConnectivyAndDataCheck
>>>>>>> CRITICAL: pki.server.healthcheck.meta.csconfig.CADogtagCertsConfigCheck: Invalid PKI instance: pki-tomcat
>>>>>>> CRITICAL: pki.server.healthcheck.meta.csconfig.KRADogtagCertsConfigCheck: Invalid PKI instance: pki-tomcat
>>>>>>> CRITICAL: pki.server.healthcheck.meta.csconfig.OCSPDogtagCertsConfigCheck: Invalid PKI instance: pki-tomcat
>>>>>>> CRITICAL: pki.server.healthcheck.meta.csconfig.TKSDogtagCertsConfigCheck: Invalid PKI instance: pki-tomcat
>>>>>>> CRITICAL: pki.server.healthcheck.meta.csconfig.TPSDogtagCertsConfigCheck: Invalid PKI instance: pki-tomcat
>>>>>>> CRITICAL: pki.server.healthcheck.meta.connectivity.DogtagCACertsConnectivityCheck: Invalid PKI instance: pki-tomcat
>>>>>>> CRITICAL: pki.server.healthcheck.meta.connectivity.DogtagKRAConnectivityCheck: Invalid PKI instance: pki-tomcat
>>>>>>> CRITICAL: pki.server.healthcheck.meta.connectivity.DogtagOCSPConnectivityCheck: Invalid PKI instance: pki-tomcat
>>>>>>> CRITICAL: pki.server.healthcheck.meta.connectivity.DogtagTKSConnectivityCheck: Invalid PKI instance: pki-tomcat
>>>>>>> CRITICAL: pki.server.healthcheck.meta.connectivity.DogtagTPSConnectivityCheck: Invalid PKI instance: pki-tomcat
>>>>>>> CRITICAL: ipahealthcheck.ipa.roles.IPACRLManagerCheck: Unable to read /var/lib/pki/pki-tomcat/conf/ca/CS.cfg
>>>>>>
>>>>>> There was an issue that pki.server checks though throw errors even if the CA was unconfigured. I had to filter these out of healthcheck.
>>>>>>
>>>>>> But the IPACRLManagerCheck should only run if a CA is configured so I'd double check your roles. It seems to believe one is configured on this host
>>>>>
>>>>> The CA role is definitely not enabled on these machines. (but maybe something went wrong some time ago when we migrated from CentOS 7 to OL 8.) Where should I have a closer look for leftovers?
>>>>>
>>>> For the CA take a look at /var/lib/ipa/sysrestore/sysrestore.state to see if installed = True in the pki-tomcatd section. That indicates that the CA was configured.
>>>
>>> On these servers (without CA role) there is not even a pki-tomcatd section.
>>
>> This is fixed upstream but isn't in RHEL 8 yet. It should be fixed as part of https://bugzilla.redhat.com/show_bug.cgi?id=1983060
>
> I am not allowed to view the bug's content. What would be a good workaround? Create a pki-tomcatd section in sysrestore.state with installed = False?
There is no workaround. The code you have does no pre-check on whether a CA is installed or not.

rob

FreeIPA-users mailing list
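Added example, not code from the thread, from FreeIPA or from ipa-healthcheck: a small Python triage script that applies the two pointers given above, reading the pki-tomcatd `installed` flag from sysrestore.state and, only when that confirms no CA is configured, setting aside the pki.server.* and IPACRLManagerCheck CRITICALs so that the remaining results stay visible. The sysrestore.state sample and the healthcheck records are constructed, and the JSON field layout (source, check, result, kw.msg) is assumed to match `ipa-healthcheck --output-type json`.

```python
import configparser
import json

# Constructed sample of /var/lib/ipa/sysrestore/sysrestore.state on a server
# without the CA role: as reported in the thread, no [pki-tomcatd] section.
SYSRESTORE_STATE_NO_CA = """\
[dirsrv]
enabled = True
[httpd]
enabled = True
"""

# Constructed sample of ipa-healthcheck JSON output, cut down to three records.
# The field layout (source, check, result, kw.msg) is assumed, not from the thread.
HEALTHCHECK_JSON = json.dumps([
    {"source": "pki.server.healthcheck.certs.expiration",
     "check": "CASystemCertExpiryCheck", "result": "CRITICAL",
     "kw": {"msg": "Invalid PKI instance: pki-tomcat"}},
    {"source": "ipahealthcheck.ipa.roles", "check": "IPACRLManagerCheck",
     "result": "CRITICAL",
     "kw": {"msg": "Unable to read /var/lib/pki/pki-tomcat/conf/ca/CS.cfg"}},
    {"source": "ipahealthcheck.meta.core", "check": "MetaCheck",
     "result": "SUCCESS", "kw": {}},
])


def ca_installed(state_text):
    """True only when sysrestore.state has installed = True under [pki-tomcatd]."""
    cfg = configparser.RawConfigParser()
    cfg.read_string(state_text)
    if not cfg.has_section("pki-tomcatd"):
        return False  # no section at all: the CA was never configured here
    return cfg.getboolean("pki-tomcatd", "installed", fallback=False)


def triage(results_json, has_ca):
    """Split healthcheck results into (actionable, suppressed) lists.

    Without a CA, every pki.server.* check errors out and IPACRLManagerCheck
    runs although it should not; those CRITICALs are set aside.  With a CA
    present nothing is suppressed, so a real CA problem is never hidden.
    """
    actionable, suppressed = [], []
    for r in json.loads(results_json):
        ca_noise = (r["source"].startswith("pki.server.")
                    or r["check"] == "IPACRLManagerCheck")
        if not has_ca and ca_noise and r["result"] == "CRITICAL":
            suppressed.append(r)
        else:
            actionable.append(r)
    return actionable, suppressed
```

Feed `ca_installed` the real sysrestore.state contents and `triage` the real JSON output; the suppressed list is what the thread says can be ignored on a CA-less server until the fix lands, and an `installed = False` section yields the same result as a missing one.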
