lejeczek via FreeIPA-users wrote:
> Hi guys.
>
> Adding second master failed a number of times so I did go without
> '--setup-ca', now on that master I get lots of:
>
> Invalid PKI instance: pki-tomcat:
>
> {
> "source": "pki.server.healthcheck.certs.expiration",
> "check": "CASystemCertExpiryCheck",
> "result": "CRITICAL",
> "uuid": "7b920e6a-4f47-4541-80fa-e9d87dadff20",
> "when": "20220118102040Z",
> "duration": "0.000175",
> "kw": {
> "msg": "Invalid PKI instance: pki-tomcat"
> }
> },
> ...
> {
> "source": "ipahealthcheck.ipa.certs",
> "check": "IPACertfileExpirationCheck",
> "result": "ERROR",
> "uuid": "fb01a7bd-3457-4007-8c3d-66662e23b6df",
> "when": "20220118102040Z",
> "duration": "0.006617",
> "kw": {
> "key": "20210709164208",
> "dbdir": "/etc/pki/pki-tomcat/alias",
> "nickname": "auditSigningCert cert-pki-kra",
> "error": "NSSDB '/etc/pki/pki-tomcat/alias' not initialized.",
> "msg": "Request id {key}: Unable to retrieve cert '{nickname}' from '{dbdir}': {error}"
> }
> },
> ..
>
>
> first master's healthcheck does not mention these problems.
> Is it that IPA - falsely - believes that this second master is CA/KRA?
> If so, then how to resolve this - this second master, according to
> '--uninstall' was removed successfully (each time '--setup-ca' failed)
This was recently discussed on the list.
For whatever reason the pki team wants to fail when their product is not
configured.
The next release of ipa-healthcheck will filter these out if a CA is not
configured.
rob
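
Added example, not part of the thread and not ipa-healthcheck's own code: on a replica installed without a CA, a report like the one quoted above can be triaged by setting aside the results that only apply to a CA instance. The suppression rules (source prefix `pki.server.healthcheck.`, or `dbdir` equal to the pki-tomcat NSS database), the `ca_configured` flag and the function names are assumptions of this example, and the third sample result is constructed.

```python
import json

# Assumed suppression rules for this example (not ipa-healthcheck's own logic).
PKI_SOURCE_PREFIX = "pki.server.healthcheck."
PKI_NSSDB = "/etc/pki/pki-tomcat/alias"

# Constructed sample: two results from the thread (trimmed) plus one made-up finding.
SAMPLE = json.loads("""
[
  {"source": "pki.server.healthcheck.certs.expiration",
   "check": "CASystemCertExpiryCheck", "result": "CRITICAL",
   "kw": {"msg": "Invalid PKI instance: pki-tomcat"}},
  {"source": "ipahealthcheck.ipa.certs",
   "check": "IPACertfileExpirationCheck", "result": "ERROR",
   "kw": {"key": "20210709164208", "dbdir": "/etc/pki/pki-tomcat/alias",
          "nickname": "auditSigningCert cert-pki-kra",
          "error": "NSSDB '/etc/pki/pki-tomcat/alias' not initialized.",
          "msg": "Request id {key}: Unable to retrieve cert '{nickname}' from '{dbdir}': {error}"}},
  {"source": "example.constructed", "check": "ExampleCheck", "result": "WARNING",
   "kw": {"msg": "constructed finding unrelated to the CA"}}
]
""")

class _KeepUnknown(dict):
    def __missing__(self, key):  # leave {placeholder} as-is when kw lacks it
        return "{" + key + "}"

def render(result):
    """Expand the {key}-style template in kw['msg'] with the other kw fields."""
    kw = result.get("kw", {})
    return str(kw.get("msg", "")).format_map(_KeepUnknown(kw))

def is_ca_only(result):
    """True for results that only make sense on a host with a CA instance."""
    return (result.get("source", "").startswith(PKI_SOURCE_PREFIX)
            or result.get("kw", {}).get("dbdir") == PKI_NSSDB)

def triage(results, ca_configured):
    """Split non-SUCCESS results into (kept, suppressed)."""
    kept, suppressed = [], []
    for r in results:
        if r.get("result") == "SUCCESS":
            continue
        (suppressed if not ca_configured and is_ca_only(r) else kept).append(r)
    return kept, suppressed

if __name__ == "__main__":
    kept, suppressed = triage(SAMPLE, ca_configured=False)
    print([render(r) for r in kept], f"suppressed={len(suppressed)}")
```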