Rob Verduijn wrote:
Wow....thanx...that was it (the ca_name=IPA entry in the file that contains 'KDCs_PKINIT_Certs' in the dir /var/lib/certmonger/requests with
Identifying this type of issue might be pretty tricky. I'll use the ticket you opened to poke at it. I'd rather not have to parse the request files directly as some data may be cached in the daemon.
I'm not even sure how a request can be tracked without a CA in certmonger.
Glad things are working in any case.
rob
Now it's only the known bug error message https://bugzilla.redhat.com/show_bug.cgi?id=2115254
ipa-healthcheck args=({'msgtype': 101, 'msgid': 3, 'result': 32, 'desc': 'No such object', 'ctrls': [], 'ldap_request': "search_ext_s(('cn=changelog5,cn=config', 0, '(objectClass=*)'),{'attrlist': ['nsslapd-changelogmaxentries'], 'serverctrls': None, ' clientctrls': None, 'escapehatch': 'i am sure'}) on instance TJAKO-THUIS"},) []
Fortunately this only appears on stderr so doesn't end up in the generated file if you run healthcheck in a timer or use the --output-file option.
rob
Thanx Rob
Rob :-P (I really need to remember to reply to all)
On Mon 21 Nov 2022 at 16:37, Rob Crittenden <rcritten@redhat.com> wrote:
Rob Verduijn wrote:
> sorry posted the answer in a dm.
> I'll post any weird stuff in it here when rob finds it

It's interesting that the IPACertmongerCA check fails when run with the rest but passes individually. It at least shows that the three pre-defined CAs we care about look right.

I noticed that the PKINIT request has no CA associated with it. I suppose it's possible that is confusing things.

If you look in /var/lib/certmonger/requests for the file that contains KDCs_PKINIT_Certs see what, if any, value there is for ca_name.

If there isn't one you can stop certmonger and manually add ca_name=IPA then restart it. Give it time to get going then try ipa-healthcheck again.

rob

>
> .
>
> On Mon 21 Nov 2022 at 15:25, Rob Crittenden <rcritten@redhat.com> wrote:
>
> Rob Verduijn via FreeIPA-users wrote:
> > thanx
> >
> > any clues about the other errors?
>
> It isn't a dbus issue because the other certmonger requests are working
> fine. In the past this has been caused by missing expected (assumed)
> entries.
>
> Can you share the output of getcert-list and getcert list-cas?
>
> and:
>
> ipa-healthcheck --debug --source ipahealthcheck.ipa.certs --check IPACertmongerCA
>
> rob
>
> >
> > ipa-healthcheck
> > args=({'msgtype': 101, 'msgid': 3, 'result': 32, 'desc': 'No such
> > object', 'ctrls': [], 'ldap_request':
> > "search_ext_s(('cn=changelog5,cn=config', 0,
> > '(objectClass=*)'),{'attrlist': ['nsslapd-changelogmaxentries'],
> > 'serverctrls': None, '
> > clientctrls': None, 'escapehatch': 'i am sure'}) on instance
> > TJAKO-THUIS"},)
> > [
> >   {
> >     "source": "ipahealthcheck.ipa.certs",
> >     "check": "IPACertTracking",
> >     "result": "CRITICAL",
> >     "uuid": "6bab1187-3285-4059-9f92-a6e8fba54d2f",
> >     "when": "20221119105634Z",
> >     "duration": "0.721246",
> >     "kw": {
> >       "exception": "bus, object_path and dbus_interface must not be None."
> >     }
> >   },
> >   {
> >     "source": "ipahealthcheck.ipa.certs",
> >     "check": "IPACertDNSSAN",
> >     "result": "CRITICAL",
> >     "uuid": "b13b939b-9b8d-4893-ba31-da2dd203551a",
> >     "when": "20221119105635Z",
> >     "duration": "0.683679",
> >     "kw": {
> >       "exception": "bus, object_path and dbus_interface must not be None."
> >     }
> >   },
> >   {
> >     "source": "ipahealthcheck.ipa.certs",
> >     "check": "IPACertRevocation",
> >     "result": "CRITICAL",
> >     "uuid": "a235463c-85cd-4277-8ee8-a10a0fcc6e5c",
> >     "when": "20221119105638Z",
> >     "duration": "0.655251",
> >     "kw": {
> >       "exception": "bus, object_path and dbus_interface must not be None."
> >     }
> >   },
> >   {
> >     "source": "ipahealthcheck.ipa.files",
> >     "check": "IPAFileCheck",
> >     "result": "CRITICAL",
> >     "uuid": "85deeb45-7e32-4f00-b2ab-a9b0484242c7",
> >     "when": "20221119105639Z",
> >     "duration": "0.083885",
> >     "kw": {
> >       "exception": "bus, object_path and dbus_interface must not be None."
> >     }
> >   }
> > ]
> >
> > On Sun 20 Nov 2022 at 17:08, Mark Reynolds <mareynol@redhat.com> wrote:
> >
> > On 11/20/22 10:51 AM, Rob Verduijn wrote:
> >>
> >> On Sun 20 Nov 2022 15:57, Mark Reynolds <mareynol@redhat.com> wrote:
> >>
> >> On 11/20/22 9:06 AM, Sam Morris via FreeIPA-users wrote:
> >> > On Sat, 2022-11-19 at 11:57 +0100, Rob Verduijn via FreeIPA-users wrote:
> >> >> Hi all,
> >> >>
> >> >> I managed to get rid of another error but I still have plenty errors left.
> >> >>
> >> >> Any help would be appreciated.
> >> >>
> >> >> ipa-healthcheck errors remaining:
> >> >>
> >> >> ipa-healthcheck
> >> >> args=({'msgtype': 101, 'msgid': 3, 'result': 32, 'desc': 'No such
> >> >> object', 'ctrls': [], 'ldap_request':
> >> >> "search_ext_s(('cn=changelog5,cn=config', 0,
> >> >> '(objectClass=*)'),{'attrlist': ['nsslapd-changelogmaxentries'],
> >> >> 'serverctrls': None,'
> >> >> clientctrls': None, 'escapehatch': 'i am sure'}) on instance
> >> >> TJAKO-THUIS"},)
> >> > Is this your server telling you that the entry cn=changelog5,cn=config
> >> > does not exist? That sounds pretty bad... try running this (change
> >> > IPA-EXAMPLE-COM to the name of your dirsrv instance):
> >> >
> >> > ldapsearch -H ldapi://%2frun%2fslapd-IPA-EXAMPLE-COM.socket -Y EXTERNAL -b cn=changelog5,cn=config -s base
> >>
> >> This is fine actually. This is a bug we are looking into. It should not
> >> be outputting that exception. It's just checking if a backend has a
> >> changelog, not that it's expecting one. This can be ignored.
> >>
> >> Mark
> >>
> >> Can you share a link to this bug?
> >>
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=2115254
> >
> >> >> {
> >> >>   "source": "ipahealthcheck.ipa.certs",
> >> >>   "check": "IPACertTracking",
> >> >>   "result": "CRITICAL",
> >> >>   "uuid": "6bab1187-3285-4059-9f92-a6e8fba54d2f",
> >> >>   "when": "20221119105634Z",
> >> >>   "duration": "0.721246",
> >> >>   "kw": {
> >> >>     "exception": "bus, object_path and dbus_interface must not be None."
> >> >>   }
> >> >> },
> >> > These look like D-Bus-related errors. Is certmonger started, can you
> >> > run 'getcert list'?
> >> >
> >> --
> >> Directory Server Development Team
> >>
> > --
> > Directory Server Development Team
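The check Rob Crittenden describes in the thread (find the request file that contains KDCs_PKINIT_Certs and see whether it has a ca_name value) can be done read-only with a small script. This is an added example, not part of the thread and not FreeIPA or certmonger code; it assumes the request files are plain key=value text, and the function names and the sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): read-only report of certmonger
# request files that carry no ca_name value. Assumes plain key=value lines,
# as the ca_name=IPA entry quoted in the thread suggests.

# request_ca FILE -> prints the ca_name value, or nothing if the key is absent
request_ca() {
    awk -F= '$1 == "ca_name" { print substr($0, length($1) + 2); exit }' "$1"
}

# requests_missing_ca DIR [STRING] -> names of request files with no ca_name;
# with STRING, only files containing it (e.g. KDCs_PKINIT_Certs) are checked
requests_missing_ca() {
    dir=$1
    want=${2:-}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ -n "$want" ] && ! grep -qF -- "$want" "$f"; then
            continue
        fi
        # an empty value counts as missing
        [ -n "$(request_ca "$f")" ] || printf '%s\n' "${f##*/}"
    done
}

# make_sample_dir -> path of a temp dir holding two CONSTRUCTED request files
# (file names and every key other than ca_name are made up for this demo)
make_sample_dir() {
    d=$(mktemp -d)
    printf 'id=sample-httpd\nca_name=IPA\ncert_nickname=Server-Cert\n' \
        > "$d/20221119000001"
    printf 'id=sample-pkinit\ntemplate_profile=KDCs_PKINIT_Certs\n' \
        > "$d/20221119000002"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
requests_missing_ca "$sample" KDCs_PKINIT_Certs   # prints 20221119000002
rm -rf "$sample"
```

On a server the call would be `requests_missing_ca /var/lib/certmonger/requests KDCs_PKINIT_Certs`, run as root. The script only reads the files; as the thread says, certmonger is stopped before ca_name=IPA is added by hand and restarted afterwards.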