On Friday, July 8th, 2022 at 1:02 PM, Rob Crittenden <[email protected]> wrote:
>
> Not sure what you mean by "wire traffic". It's a vault so perhaps you
> stored some keys there. IPA already encrypts all its own internal traffic.
When I first installed FreeIPA it did not yet default to encrypted traffic for
all accesses.
>
> > I've checked the list archive and can't see any instances that are
> > related to the issues ipa-healthcheck reports. ipa-healthcheck reports
> > the following:
> >
> > [
> > {
> > "source": "ipahealthcheck.ipa.idns",
> > "check": "IPADNSSystemRecordsCheck",
> > "result": "WARNING",
> > "uuid": "432017b9-ef12-44a5-8843-35fd6424d85f",
> > "when": "20220708144958Z",
> > "duration": "0.031444",
> > "kw": {
> > "msg": "Expected URI record missing",
> > "key":
> > "_kerberos.ipa.example.com.:krb5srv:m:tcp:ipaserv.ipa.example.com."
> > }
> > },
> > {
> > "source": "ipahealthcheck.ipa.idns",
> > "check": "IPADNSSystemRecordsCheck",
> > "result": "WARNING",
> > "uuid": "498649c8-1460-4f34-807b-1b06c08f3aec",
> > "when": "20220708144958Z",
> > "duration": "0.031469",
> > "kw": {
> > "msg": "Expected URI record missing",
> > "key":
> > "_kerberos.ipa.example.com.:krb5srv:m:udp:ipaserv.ipa.example.com."
> > }
> > },
> > {
> > "source": "ipahealthcheck.ipa.idns",
> > "check": "IPADNSSystemRecordsCheck",
> > "result": "WARNING",
> > "uuid": "3a6c7f80-3ce9-4ba0-b821-d731eb6929a3",
> > "when": "20220708144958Z",
> > "duration": "0.033407",
> > "kw": {
> > "msg": "Expected URI record missing",
> > "key":
> > "_kpasswd.ipa.example.com.:krb5srv:m:tcp:ipaserv.ipa.example.com."
> > }
> > },
>
>
> URI records are not required but your installation supports them. If you
> want to utilize them you can add the missing ones. Or you can ignore these.
>
These look like it's looking for service records, which all exist. The first
element of the key looks like it wants a service record without the protocol. I
don't know what one of those is supposed to look like. I have a _kerberos TXT
record for the realm and _kerberos._tcp and _kerberos._udp service records.
What exactly is it looking for in addition?
> > {
> >
> > "source": "ipahealthcheck.ipa.proxy",
> > "check": "IPAProxySecretCheck",
> > "result": "CRITICAL",
> > "uuid": "6820b5b3-08a9-4632-a834-a71d1ae0d84b",
> > "when": "20220708144958Z",
> > "duration": "0.000894",
> > "kw": {
> > "key": "proxy_secrets",
> > "proxy_conf": "/etc/httpd/conf.d/ipa-pki-proxy.conf",
> > "msg": "No ProxyPassMatch secrets found in {proxy_conf}"
> > }
> > },
>
>
> There should be a shared secret for the AJP communication between IPA
> and the CA.
>
> in /etc/httpd/conf.d/ipa-pki-proxy.conf you should have a few lines like:
>
> ProxyPassMatch ajp://localhost:8009 secret=<something>
>
>
> The same secret should be in /etc/pki/pki-tomcat/server.xml:
>
> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
> address="127.0.0.1" secret="<something>" name="Connector1"/>
>
> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
> address="::1" secret="<something>" name="Connector2"/>
>
This is a regex bug if the secret contains any special characters. Mine happens
to start with a special character, which the script regular expression at
freeipa-healthcheck/src/ipahealthcheck/ipa/proxy.py:89 (PROXY_RE =
r'\s+ProxyPassMatch ajp://localhost:8009 secret=(\w+)$') parses as empty.
I've reported it at https://pagure.io/freeipa/issue/9203
The word match for 'secret=(\w+)$' fails if the first character of the secret
isn't alphanumeric. It would incorrectly handle a secret with embedded special
characters, though I don't think it would trigger an error, except when the
initial alphanumeric portion of the secret was in fact different.
Best regards,
Eric
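The following is an added illustration, not code from this thread or from the freeipa-healthcheck project. It takes the PROXY_RE pattern exactly as quoted above and shows how it behaves against a constructed ipa-pki-proxy.conf line whose secret begins with a non-word character, then does the same with a loosened pattern (`\S+` instead of `\w+`, my own suggestion rather than the project's fix) and compares the parsed secret with the AJP connector secrets in a constructed server.xml fragment shaped like the one Rob quoted. The severity labels and the comparison logic are a simplified stand-in for the real check, not a copy of it. Because the pattern is anchored with `$`, a secret containing a non-word character anywhere, not only at the start, fails to parse at all, which the test cases below exercise.

```python
import re
import xml.etree.ElementTree as ET

# Pattern exactly as quoted in the thread from freeipa-healthcheck proxy.py.
ORIGINAL_PROXY_RE = re.compile(r'\s+ProxyPassMatch ajp://localhost:8009 secret=(\w+)$')

# Loosened pattern (my assumption, not the project's fix): any run of
# non-whitespace characters after 'secret='. Apache does not allow an
# unquoted space in this value, so \S+ covers the realistic cases.
HARDENED_PROXY_RE = re.compile(r'\s+ProxyPassMatch ajp://localhost:8009 secret=(\S+)$')

# Constructed sample config; the secret deliberately starts with '@'.
SAMPLE_CONF = """\
<LocationMatch "^/ca/rest/account/login">
    ProxyPassMatch ajp://localhost:8009 secret=@bcd3f-Xy
</LocationMatch>
"""

# Constructed server.xml fragment with the two connectors Rob describes.
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="127.0.0.1" secret="@bcd3f-Xy" name="Connector1"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="::1" secret="@bcd3f-Xy" name="Connector2"/>
  </Service>
</Server>
"""


def proxy_secrets(conf_text, pattern=HARDENED_PROXY_RE):
    """Return the set of AJP secrets that `pattern` extracts from the
    ipa-pki-proxy.conf text, one candidate per line."""
    secrets = set()
    for line in conf_text.splitlines():
        m = pattern.search(line)
        if m:
            secrets.add(m.group(1))
    return secrets


def tomcat_secrets(server_xml_text):
    """Return {connector name: secret} for every AJP connector in server.xml."""
    root = ET.fromstring(server_xml_text)
    found = {}
    for conn in root.iter('Connector'):
        if conn.get('protocol', '').startswith('AJP/'):
            found[conn.get('name')] = conn.get('secret')
    return found


def check_shared_secret(conf_text, server_xml_text, pattern=HARDENED_PROXY_RE):
    """Simplified shared-secret check (not the real healthcheck logic):
    CRITICAL when nothing parses from the proxy config, ERROR when the
    proxy and Tomcat secrets disagree, SUCCESS otherwise."""
    conf = proxy_secrets(conf_text, pattern)
    if not conf:
        return 'CRITICAL', 'No ProxyPassMatch secrets found'
    tomcat = set(tomcat_secrets(server_xml_text).values())
    if tomcat != conf:
        return 'ERROR', 'ProxyPassMatch secret(s) differ from server.xml'
    return 'SUCCESS', 'proxy and AJP connector secrets agree'


if __name__ == '__main__':
    # The original pattern reproduces the CRITICAL finding from the thread;
    # the loosened pattern reads the same secret and finds it consistent.
    print('original :', check_shared_secret(SAMPLE_CONF, SAMPLE_SERVER_XML, ORIGINAL_PROXY_RE))
    print('hardened :', check_shared_secret(SAMPLE_CONF, SAMPLE_SERVER_XML))
```

Running the script as-is works on the embedded samples; pointing `proxy_secrets` and `tomcat_secrets` at the real `/etc/httpd/conf.d/ipa-pki-proxy.conf` and `/etc/pki/pki-tomcat/server.xml` is a quick way to confirm whether a CRITICAL result is a parsing artefact or a genuine mismatch before touching either file.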
