Hello,

I installed FreeIPA version 4.8.7-1.fc32.x86_64 on 24 July 2020. I've since kept current with the Fedora release channels, up to 4.9.10-1.fc36. I don't have any Windoze AD domains configured, just FreeIPA. I followed the steps to enable KRA back when it seemed to be required to force encryption of all wire traffic. I'm sure that I must have missed some steps, though everything seems to be working correctly.

I've checked the list archive and can't see any instances that are related to the issues ipa-healthcheck reports. ipa-healthcheck reports the following:

[
  {
    "source": "ipahealthcheck.ipa.idns",
    "check": "IPADNSSystemRecordsCheck",
    "result": "WARNING",
    "uuid": "432017b9-ef12-44a5-8843-35fd6424d85f",
    "when": "20220708144958Z",
    "duration": "0.031444",
    "kw": {
      "msg": "Expected URI record missing",
      "key": "_kerberos.ipa.example.com.:krb5srv:m:tcp:ipaserv.ipa.example.com."
    }
  },
  {
    "source": "ipahealthcheck.ipa.idns",
    "check": "IPADNSSystemRecordsCheck",
    "result": "WARNING",
    "uuid": "498649c8-1460-4f34-807b-1b06c08f3aec",
    "when": "20220708144958Z",
    "duration": "0.031469",
    "kw": {
      "msg": "Expected URI record missing",
      "key": "_kerberos.ipa.example.com.:krb5srv:m:udp:ipaserv.ipa.example.com."
    }
  },
  {
    "source": "ipahealthcheck.ipa.idns",
    "check": "IPADNSSystemRecordsCheck",
    "result": "WARNING",
    "uuid": "3a6c7f80-3ce9-4ba0-b821-d731eb6929a3",
    "when": "20220708144958Z",
    "duration": "0.033407",
    "kw": {
      "msg": "Expected URI record missing",
      "key": "_kpasswd.ipa.example.com.:krb5srv:m:tcp:ipaserv.ipa.example.com."
    }
  },
  {
    "source": "ipahealthcheck.ipa.proxy",
    "check": "IPAProxySecretCheck",
    "result": "CRITICAL",
    "uuid": "6820b5b3-08a9-4632-a834-a71d1ae0d84b",
    "when": "20220708144958Z",
    "duration": "0.000894",
    "kw": {
      "key": "proxy_secrets",
      "proxy_conf": "/etc/httpd/conf.d/ipa-pki-proxy.conf",
      "msg": "No ProxyPassMatch secrets found in {proxy_conf}"
    }
  },
  {
    "source": "pki.server.healthcheck.meta.csconfig",
    "check": "KRADogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "1978555c-72d6-47af-8a21-de3967002eca",
    "when": "20220708145007Z",
    "duration": "0.065948",
    "kw": {
      "key": "kra_sslserver",
      "nickname": "Server-Cert cert-pki-ca",
      "directive": "kra.sslserver.cert",
      "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
      "msg": "Certificate 'Server-Cert cert-pki-ca' does not match the value of kra.sslserver.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
    }
  },
  {
    "source": "pki.server.healthcheck.meta.csconfig",
    "check": "KRADogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "cbf470d2-0d58-4c24-aba0-8a62cc399ffe",
    "when": "20220708145007Z",
    "duration": "0.114728",
    "kw": {
      "key": "kra_subsystem",
      "nickname": "subsystemCert cert-pki-ca",
      "directive": "kra.subsystem.cert",
      "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
      "msg": "Certificate 'subsystemCert cert-pki-ca' does not match the value of kra.subsystem.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
    }
  }
]


Some pointers on how to fix these would be greatly appreciated.

Best regards,

Eric
