Hi Eric,
The IPA command 'ipa dns-update-system-records --dry-run' will generate all 
DNS records it expects, which you can then compare to existing ones.
Better yet, it can generate an update file with the "--out" switch, which is in 
nsupdate format. Useful if you have BIND nameserver software.
I did just that and ipa-healthcheck DNS warnings were cleared.
Kind regards,
Ivars

> On 12 Jul 2022, at 17:48, Eric Ashley via FreeIPA-users 
> <[email protected]> wrote:
> 
> On Friday, July 8th, 2022 at 1:02 PM, Rob Crittenden <[email protected]> 
> wrote:
>> 
>> Not sure what you mean by "wire traffic". It's a vault so perhaps you
>> stored some keys there. IPA already encrypts all its own internal traffic.
> 
> When I first installed FreeIPA it did not yet default to encrypted traffic 
> for all accesses.
> 
>> 
>>> I've checked the list archive and can't see any instances that are
>>> related to the issues ipa-healthcheck reports. ipa-healthcheck reports
>>> the following:
>>> 
>>> [
>>> {
>>> "source": "ipahealthcheck.ipa.idns",
>>> "check": "IPADNSSystemRecordsCheck",
>>> "result": "WARNING",
>>> "uuid": "432017b9-ef12-44a5-8843-35fd6424d85f",
>>> "when": "20220708144958Z",
>>> "duration": "0.031444",
>>> "kw": {
>>> "msg": "Expected URI record missing",
>>> "key":
>>> "_kerberos.ipa.example.com.:krb5srv:m:tcp:ipaserv.ipa.example.com."
>>> }
>>> },
>>> {
>>> "source": "ipahealthcheck.ipa.idns",
>>> "check": "IPADNSSystemRecordsCheck",
>>> "result": "WARNING",
>>> "uuid": "498649c8-1460-4f34-807b-1b06c08f3aec",
>>> "when": "20220708144958Z",
>>> "duration": "0.031469",
>>> "kw": {
>>> "msg": "Expected URI record missing",
>>> "key":
>>> "_kerberos.ipa.example.com.:krb5srv:m:udp:ipaserv.ipa.example.com."
>>> }
>>> },
>>> {
>>> "source": "ipahealthcheck.ipa.idns",
>>> "check": "IPADNSSystemRecordsCheck",
>>> "result": "WARNING",
>>> "uuid": "3a6c7f80-3ce9-4ba0-b821-d731eb6929a3",
>>> "when": "20220708144958Z",
>>> "duration": "0.033407",
>>> "kw": {
>>> "msg": "Expected URI record missing",
>>> "key":
>>> "_kpasswd.ipa.example.com.:krb5srv:m:tcp:ipaserv.ipa.example.com."
>>> }
>>> },
>> 
>> 
>> URI records are not required but your installation supports them. If you
>> want to utilize them you can add the missing ones. Or you can ignore these.
>> 
> 
> These look like it's looking for service records, which all exist. The first 
> element of the key looks like it wants a service record without the protocol. 
> I don't know what one of those is supposed to look like. I have _kerberos TXT 
> record for the realm and _kerberos._tcp and _kerberos._udp service records. 
> What exactly is it looking for in addition?
> 
>>> {
>>> 
>>> "source": "ipahealthcheck.ipa.proxy",
>>> "check": "IPAProxySecretCheck",
>>> "result": "CRITICAL",
>>> "uuid": "6820b5b3-08a9-4632-a834-a71d1ae0d84b",
>>> "when": "20220708144958Z",
>>> "duration": "0.000894",
>>> "kw": {
>>> "key": "proxy_secrets",
>>> "proxy_conf": "/etc/httpd/conf.d/ipa-pki-proxy.conf",
>>> "msg": "No ProxyPassMatch secrets found in {proxy_conf}"
>>> }
>>> },
>> 
>> 
>> There should be a shared secret for the AJP communication between IPA
>> and the CA.
>> 
>> in /etc/httpd/conf.d/ipa-pki-proxy.conf you should have a few lines like:
>> 
>> ProxyPassMatch ajp://localhost:8009 secret=<something>
>> 
>> 
>> The same secret should be in /etc/pki/pki-tomcat/server.xml:
>> 
>> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
>> address="127.0.0.1" secret="<something>" name="Connector1"/>
>> 
>> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
>> address="::1" secret="<something>" name="Connector2"/>
>> 
> 
> This is a regex bug if the secret contains any special characters. Mine 
> happens to start with a special character, which the script regular 
> expression at freeipa-healthcheck/src/ipahealthcheck/ipa/proxy.py:89 
> (PROXY_RE = r'\s+ProxyPassMatch ajp://localhost:8009 secret=(\w+)$') parses 
> as empty.
> 
> I've reported it at https://pagure.io/freeipa/issue/9203
> 
> The word match for 'secret=(\w+)$' fails if the first character of the secret 
> isn't alphanumeric. It would incorrectly handle a secret with embedded 
> special characters, though I don't think it would trigger an error, except 
> when the initial alphanumeric portion of the secret was in fact different.
> 
> Best regards,
> Eric
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it: 
> https://pagure.io/fedora-infrastructure
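To make the regex problem Eric describes concrete, here is an added example (not freeipa-healthcheck's own code) that runs the quoted PROXY_RE and a hardened variant over a constructed ipa-pki-proxy.conf snippet, then checks that the secret agrees with the AJP Connector entries in a constructed server.xml, as Rob says it should. The `\S+` pattern is my assumption of a fix, not the upstream change, and the secret value is a placeholder.

```python
"""Check the AJP shared secret in ipa-pki-proxy.conf against pki-tomcat's server.xml.

Added example, not freeipa-healthcheck's own code. Config snippets are
constructed samples; the secret is a placeholder that starts with "$".
"""
import re
import xml.etree.ElementTree as ET

# Pattern quoted from the thread (proxy.py:89). \w+ only accepts [A-Za-z0-9_],
# so a secret whose first character is not alphanumeric never matches.
PROXY_RE_ORIGINAL = re.compile(r'\s+ProxyPassMatch ajp://localhost:8009 secret=(\w+)$')
# Hardened variant (assumption, not the upstream fix): the secret is any
# run of non-whitespace characters up to the end of the line.
PROXY_RE_FIXED = re.compile(r'\s+ProxyPassMatch ajp://localhost:8009 secret=(\S+)$')


def proxy_secrets(conf_text, pattern=PROXY_RE_FIXED):
    """Return the set of secrets found on indented ProxyPassMatch lines."""
    found = set()
    for line in conf_text.splitlines():
        m = pattern.match(line)
        if m:
            found.add(m.group(1))
    return found


def tomcat_secrets(server_xml_text):
    """Return the set of secret attributes on AJP Connector elements."""
    root = ET.fromstring(server_xml_text)
    return {c.get("secret") for c in root.iter("Connector")
            if c.get("protocol", "").startswith("AJP") and c.get("secret")}


def secrets_consistent(conf_text, server_xml_text, pattern=PROXY_RE_FIXED):
    """True only when exactly one secret is configured and both sides agree."""
    found = proxy_secrets(conf_text, pattern)
    return len(found) == 1 and found == tomcat_secrets(server_xml_text)


# Constructed samples modelled on the lines quoted in the thread.
SAMPLE_SECRET = "$placeholder-secret"
PROXY_CONF = f"""<LocationMatch "^/ca/ee/ca/checkRequest">
    ProxyPassMatch ajp://localhost:8009 secret={SAMPLE_SECRET}
</LocationMatch>
"""
SERVER_XML = f"""<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
     address="127.0.0.1" secret="{SAMPLE_SECRET}" name="Connector1"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
     address="::1" secret="{SAMPLE_SECRET}" name="Connector2"/>
</Service></Server>
"""

if __name__ == "__main__":
    print("original regex:", proxy_secrets(PROXY_CONF, PROXY_RE_ORIGINAL))  # set()
    print("fixed regex:", proxy_secrets(PROXY_CONF))
    print("consistent:", secrets_consistent(PROXY_CONF, SERVER_XML))
```

With the original pattern the secret parses as missing, which is exactly the "No ProxyPassMatch secrets found" CRITICAL result in the report above; with the `\S+` variant the same file yields the secret and it matches both Connector entries.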