Wow....thanx...that was it (the ca_name=IPA entry in the file that contains 'KDCs_PKINIT_Certs' in the dir /var/lib/certmonger/requests with

Now it's only the known bug error message
https://bugzilla.redhat.com/show_bug.cgi?id=2115254

ipa-healthcheck
args=({'msgtype': 101, 'msgid': 3, 'result': 32, 'desc': 'No such object', 'ctrls': [], 'ldap_request': "search_ext_s(('cn=changelog5,cn=config', 0, '(objectClass=*)'),{'attrlist': ['nsslapd-changelogmaxentries'], 'serverctrls': None, 'clientctrls': None, 'escapehatch': 'i am sure'}) on instance TJAKO-THUIS"},)
[]

Thanx Rob
Rob :-P
(I really need to remember to reply to all)

On Mon, 21 Nov 2022 at 16:37, Rob Crittenden <[email protected]> wrote:

> Rob Verduijn wrote:
> > sorry posted the answer in a dm.
> > I'll post any weird stuff in it here when rob finds it
>
> It's interesting that the IPACertmongerCA check fails when run with the
> rest but passes individually. It at least shows that the three
> pre-defined CAs we care about look right.
>
> I noticed that the PKINIT request has no CA associated with it. I
> suppose it's possible that is confusing things.
>
> If you look in /var/lib/certmonger/requests for the file that contains
> KDCs_PKINIT_Certs see what, if any, value there is for ca_name. If there
> isn't one you can stop certmonger and manually add ca_name=IPA then
> restart it.
>
> Give it time to get going then try ipa-healthcheck again.
>
> rob
>
> > .
> >
> > On Mon, 21 Nov 2022 at 15:25, Rob Crittenden <[email protected]> wrote:
> >
> > Rob Verduijn via FreeIPA-users wrote:
> > > thanx
> > >
> > > any clues about the other errors?
> >
> > It isn't a dbus issue because the other certmonger requests are working
> > fine. In the past this has been caused by missing expected (assumed)
> > entries.
> >
> > Can you share the output of getcert-list and getcert list-cas?
> >
> > and:
> >
> > ipa-healthcheck --debug --source ipahealthcheck.ipa.certs --check IPACertmongerCA
> >
> > rob
> >
> > > ipa-healthcheck
> > > args=({'msgtype': 101, 'msgid': 3, 'result': 32, 'desc': 'No such object', 'ctrls': [], 'ldap_request': "search_ext_s(('cn=changelog5,cn=config', 0, '(objectClass=*)'),{'attrlist': ['nsslapd-changelogmaxentries'], 'serverctrls': None, 'clientctrls': None, 'escapehatch': 'i am sure'}) on instance TJAKO-THUIS"},)
> > > [
> > >   {
> > >     "source": "ipahealthcheck.ipa.certs",
> > >     "check": "IPACertTracking",
> > >     "result": "CRITICAL",
> > >     "uuid": "6bab1187-3285-4059-9f92-a6e8fba54d2f",
> > >     "when": "20221119105634Z",
> > >     "duration": "0.721246",
> > >     "kw": {
> > >       "exception": "bus, object_path and dbus_interface must not be None."
> > >     }
> > >   },
> > >   {
> > >     "source": "ipahealthcheck.ipa.certs",
> > >     "check": "IPACertDNSSAN",
> > >     "result": "CRITICAL",
> > >     "uuid": "b13b939b-9b8d-4893-ba31-da2dd203551a",
> > >     "when": "20221119105635Z",
> > >     "duration": "0.683679",
> > >     "kw": {
> > >       "exception": "bus, object_path and dbus_interface must not be None."
> > >     }
> > >   },
> > >   {
> > >     "source": "ipahealthcheck.ipa.certs",
> > >     "check": "IPACertRevocation",
> > >     "result": "CRITICAL",
> > >     "uuid": "a235463c-85cd-4277-8ee8-a10a0fcc6e5c",
> > >     "when": "20221119105638Z",
> > >     "duration": "0.655251",
> > >     "kw": {
> > >       "exception": "bus, object_path and dbus_interface must not be None."
> > >     }
> > >   },
> > >   {
> > >     "source": "ipahealthcheck.ipa.files",
> > >     "check": "IPAFileCheck",
> > >     "result": "CRITICAL",
> > >     "uuid": "85deeb45-7e32-4f00-b2ab-a9b0484242c7",
> > >     "when": "20221119105639Z",
> > >     "duration": "0.083885",
> > >     "kw": {
> > >       "exception": "bus, object_path and dbus_interface must not be None."
> > >     }
> > >   }
> > > ]
> > >
> > > On Sun, 20 Nov 2022 at 17:08, Mark Reynolds <[email protected]> wrote:
> > >
> > > On 11/20/22 10:51 AM, Rob Verduijn wrote:
> > >>
> > >> On Sun, 20 Nov 2022 at 15:57, Mark Reynolds <[email protected]> wrote:
> > >>
> > >> On 11/20/22 9:06 AM, Sam Morris via FreeIPA-users wrote:
> > >> > On Sat, 2022-11-19 at 11:57 +0100, Rob Verduijn via FreeIPA-users
> > >> > wrote:
> > >> >> Hi all,
> > >> >>
> > >> >> I managed to get rid of another error but I still have plenty errors
> > >> >> left.
> > >> >>
> > >> >> Any help would be appreciated.
> > >> >>
> > >> >> ipa-healthcheck errors remaining:
> > >> >>
> > >> >> ipa-healthcheck
> > >> >> args=({'msgtype': 101, 'msgid': 3, 'result': 32, 'desc': 'No such object', 'ctrls': [], 'ldap_request': "search_ext_s(('cn=changelog5,cn=config', 0, '(objectClass=*)'),{'attrlist': ['nsslapd-changelogmaxentries'], 'serverctrls': None, 'clientctrls': None, 'escapehatch': 'i am sure'}) on instance TJAKO-THUIS"},)
> > >> > Is this your server telling you that the entry cn=changelog5,cn=config
> > >> > does not exist? That sounds pretty bad... try running this (change
> > >> > IPA-EXAMPLE-COM to the name of your dirsrv instance):
> > >> >
> > >> > ldapsearch -H ldapi://%2frun%2fslapd-IPA-EXAMPLE-COM.socket -Y EXTERNAL -b cn=changelog5,cn=config -s base
> > >>
> > >> This is fine actually. This is a bug we are looking into. It should not
> > >> be outputting that exception. It is just checking if a backend has a
> > >> changelog, not that it's expecting one. This can be ignored.
> > >>
> > >> Mark
> > >>
> > >> Can you share a link to this bug?
> > >>
> > >
> > > https://bugzilla.redhat.com/show_bug.cgi?id=2115254
> > >
> > >> >> {
> > >> >>   "source": "ipahealthcheck.ipa.certs",
> > >> >>   "check": "IPACertTracking",
> > >> >>   "result": "CRITICAL",
> > >> >>   "uuid": "6bab1187-3285-4059-9f92-a6e8fba54d2f",
> > >> >>   "when": "20221119105634Z",
> > >> >>   "duration": "0.721246",
> > >> >>   "kw": {
> > >> >>     "exception": "bus, object_path and dbus_interface must not be None."
> > >> >>   }
> > >> >> },
> > >> > These look like D-Bus-related errors. Is certmonger started, can you
> > >> > run 'getcert list'?
> > >> >
> > >> --
> > >> Directory Server Development Team
> > >>
> > > --
> > > Directory Server Development Team
> > >
> > > _______________________________________________
> > > FreeIPA-users mailing list -- [email protected]
> > > To unsubscribe send an email to [email protected]
> > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> > > Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
> >
>
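The check described in the quoted reply above (find the request file that contains KDCs_PKINIT_Certs and see whether it has a ca_name value), as an added example that is not part of the original thread: a read-only POSIX shell audit, run here against a constructed sample directory. The function names, the sample file names and the `id`/`template_profile` lines are constructed for illustration; on a real server the directory would be /var/lib/certmonger/requests and reading it needs root.

```shell
#!/bin/sh
# Added example: read-only audit of certmonger request files.
# It changes nothing; per the thread, certmonger is stopped before a
# request file is edited by hand and restarted afterwards.

# For every regular file in directory $1 that contains the string $2,
# print "<file name><TAB><ca_name value>", or MISSING when the file has
# no ca_name= line or the value is empty.
audit_requests() {
    dir=$1
    pattern=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        grep -q -- "$pattern" "$f" || continue
        ca=$(sed -n 's/^ca_name=//p' "$f" | head -n 1)
        printf '%s\t%s\n' "$(basename "$f")" "${ca:-MISSING}"
    done
}

# Number of matching request files that have no ca_name value.
count_missing() {
    audit_requests "$1" "$2" |
        awk -F'\t' '$2 == "MISSING" { n++ } END { print n + 0 }'
}

# Constructed sample: one PKINIT request without ca_name and one
# unrelated request that already names its CA.
make_sample() {
    d=$(mktemp -d)
    printf 'id=20221119000001\ntemplate_profile=KDCs_PKINIT_Certs\n' \
        > "$d/20221119000001"
    printf 'id=20221119000002\nca_name=IPA\ntemplate_profile=other\n' \
        > "$d/20221119000002"
    echo "$d"
}

sample=$(make_sample)
audit_requests "$sample" KDCs_PKINIT_Certs
echo "requests without ca_name: $(count_missing "$sample" KDCs_PKINIT_Certs)"
rm -rf "$sample"
```
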
