Hello,

I installed FreeIPA version 4.8.7-1.fc32.x86_64 on 24 July 2020. I've since kept current with the Fedora release channels, up to 4.9.10-1.fc36. I don't have any Windoze AD domains configured, just FreeIPA. I followed the steps to enable KRA back when it seemed to be required to force encryption of all wire traffic. I'm sure that I must have missed some steps, though everything seems to be working correctly.

I've checked the list archive and can't see any instances that are related to the issues ipa-healthcheck reports. ipa-healthcheck reports the following:
[
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "432017b9-ef12-44a5-8843-35fd6424d85f",
"when": "20220708144958Z",
"duration": "0.031444",
"kw": {
"msg": "Expected URI record missing",
"key":
"_kerberos.ipa.example.com.:krb5srv:m:tcp:ipaserv.ipa.example.com."
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "498649c8-1460-4f34-807b-1b06c08f3aec",
"when": "20220708144958Z",
"duration": "0.031469",
"kw": {
"msg": "Expected URI record missing",
"key":
"_kerberos.ipa.example.com.:krb5srv:m:udp:ipaserv.ipa.example.com."
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "3a6c7f80-3ce9-4ba0-b821-d731eb6929a3",
"when": "20220708144958Z",
"duration": "0.033407",
"kw": {
"msg": "Expected URI record missing",
"key":
"_kpasswd.ipa.example.com.:krb5srv:m:tcp:ipaserv.ipa.example.com."
}
},
{
"source": "ipahealthcheck.ipa.proxy",
"check": "IPAProxySecretCheck",
"result": "CRITICAL",
"uuid": "6820b5b3-08a9-4632-a834-a71d1ae0d84b",
"when": "20220708144958Z",
"duration": "0.000894",
"kw": {
"key": "proxy_secrets",
"proxy_conf": "/etc/httpd/conf.d/ipa-pki-proxy.conf",
"msg": "No ProxyPassMatch secrets found in {proxy_conf}"
}
},
{
"source": "pki.server.healthcheck.meta.csconfig",
"check": "KRADogtagCertsConfigCheck",
"result": "ERROR",
"uuid": "1978555c-72d6-47af-8a21-de3967002eca",
"when": "20220708145007Z",
"duration": "0.065948",
"kw": {
"key": "kra_sslserver",
"nickname": "Server-Cert cert-pki-ca",
"directive": "kra.sslserver.cert",
"configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
"msg": "Certificate 'Server-Cert cert-pki-ca' does not match the value of kra.sslserver.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
}
},
{
"source": "pki.server.healthcheck.meta.csconfig",
"check": "KRADogtagCertsConfigCheck",
"result": "ERROR",
"uuid": "cbf470d2-0d58-4c24-aba0-8a62cc399ffe",
"when": "20220708145007Z",
"duration": "0.114728",
"kw": {
"key": "kra_subsystem",
"nickname": "subsystemCert cert-pki-ca",
"directive": "kra.subsystem.cert",
"configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
"msg": "Certificate 'subsystemCert cert-pki-ca' does not match the value of kra.subsystem.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
}
}
]

Some pointers on how to fix these would be greatly appreciated.

Best regards,
Eric
