Rob Verduijn wrote:
Sorry, posted the answer in a DM. I'll post any weird stuff in it here when Rob finds it.
It's interesting that the IPACertmongerCA check fails when run with the rest but passes individually. It at least shows that the three pre-defined CAs we care about look right.
I noticed that the PKINIT request has no CA associated with it. I suppose it's possible that is confusing things.
If you look in /var/lib/certmonger/requests for the file that contains KDCs_PKINIT_Certs, see what, if any, value there is for ca_name. If there isn't one, you can stop certmonger and manually add ca_name=IPA, then restart it.
Give it time to get going then try ipa-healthcheck again.
rob
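
The ca_name check described in the reply above, as an added shell example that is not part of the original message: it prints the ca_name of every request file that mentions KDCs_PKINIT_Certs, or MISSING when the file has none. The sample files, and every key name in them other than ca_name, are constructed for illustration.

```sh
#!/bin/sh
# Print "<file> <ca_name|MISSING>" for each certmonger request file in a
# directory that mentions a marker string (default: KDCs_PKINIT_Certs).
check_ca_name() {
    dir=$1
    marker=${2:-KDCs_PKINIT_Certs}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        grep -q -- "$marker" "$f" || continue
        # Only a line that starts with "ca_name=" counts as the setting.
        ca=$(sed -n 's/^ca_name=//p' "$f" | head -n 1)
        if [ -n "$ca" ]; then
            printf '%s %s\n' "$f" "$ca"
        else
            printf '%s MISSING\n' "$f"
        fi
    done
}

# Constructed sample directory (not real request files). Key names other
# than ca_name are assumptions made for this illustration.
make_sample_requests() {
    d=$(mktemp -d)
    printf 'id=sample-pkinit\ntemplate_profile=KDCs_PKINIT_Certs\n' > "$d/req1"
    printf 'id=sample-httpd\nca_name=IPA\ntemplate_profile=caIPAserviceCert\n' > "$d/req2"
    printf 'id=sample-fixed\nca_name=IPA\ntemplate_profile=KDCs_PKINIT_Certs\n' > "$d/req3"
    printf '%s\n' "$d"
}

# Demo on the constructed sample; on a server, call
# check_ca_name /var/lib/certmonger/requests as root instead.
sample=$(make_sample_requests)
check_ca_name "$sample"
rm -rf "$sample"
```

A MISSING line marks the file to edit; as the reply says, stop certmonger before adding ca_name=IPA and restart it afterwards.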
On Mon, 21 Nov 2022 at 15:25, Rob Crittenden <rcritten@redhat.com> wrote:

Rob Verduijn via FreeIPA-users wrote:
> thanx
>
> any clues about the other errors?

It isn't a dbus issue because the other certmonger requests are working fine. In the past this has been caused by missing expected (assumed) entries.

Can you share the output of getcert-list and getcert list-cas?

and:

ipa-healthcheck --debug --source ipahealthcheck.ipa.certs --check IPACertmongerCA

rob

>
> ipa-healthcheck
> args=({'msgtype': 101, 'msgid': 3, 'result': 32, 'desc': 'No such
> object', 'ctrls': [], 'ldap_request':
> "search_ext_s(('cn=changelog5,cn=config', 0,
> '(objectClass=*)'),{'attrlist': ['nsslapd-changelogmaxentries'],
> 'serverctrls': None, '
> clientctrls': None, 'escapehatch': 'i am sure'}) on instance
> TJAKO-THUIS"},)
> [
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertTracking",
>     "result": "CRITICAL",
>     "uuid": "6bab1187-3285-4059-9f92-a6e8fba54d2f",
>     "when": "20221119105634Z",
>     "duration": "0.721246",
>     "kw": {
>       "exception": "bus, object_path and dbus_interface must not be None."
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertDNSSAN",
>     "result": "CRITICAL",
>     "uuid": "b13b939b-9b8d-4893-ba31-da2dd203551a",
>     "when": "20221119105635Z",
>     "duration": "0.683679",
>     "kw": {
>       "exception": "bus, object_path and dbus_interface must not be None."
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertRevocation",
>     "result": "CRITICAL",
>     "uuid": "a235463c-85cd-4277-8ee8-a10a0fcc6e5c",
>     "when": "20221119105638Z",
>     "duration": "0.655251",
>     "kw": {
>       "exception": "bus, object_path and dbus_interface must not be None."
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.files",
>     "check": "IPAFileCheck",
>     "result": "CRITICAL",
>     "uuid": "85deeb45-7e32-4f00-b2ab-a9b0484242c7",
>     "when": "20221119105639Z",
>     "duration": "0.083885",
>     "kw": {
>       "exception": "bus, object_path and dbus_interface must not be None."
>     }
>   }
> ]
>
> On Sun, 20 Nov 2022 at 17:08, Mark Reynolds <mareynol@redhat.com> wrote:
>
> On 11/20/22 10:51 AM, Rob Verduijn wrote:
>>
>> On Sun, 20 Nov 2022 at 15:57, Mark Reynolds <mareynol@redhat.com> wrote:
>>
>> On 11/20/22 9:06 AM, Sam Morris via FreeIPA-users wrote:
>> > On Sat, 2022-11-19 at 11:57 +0100, Rob Verduijn via FreeIPA-users wrote:
>> >> Hi all,
>> >>
>> >> I managed to get rid of another error but I still have plenty errors left.
>> >>
>> >> Any help would be appreciated.
>> >>
>> >> ipa-healthcheck errors remaining:
>> >>
>> >> ipa-healthcheck
>> >> args=({'msgtype': 101, 'msgid': 3, 'result': 32, 'desc': 'No such
>> >> object', 'ctrls': [], 'ldap_request':
>> >> "search_ext_s(('cn=changelog5,cn=config', 0,
>> >> '(objectClass=*)'),{'attrlist': ['nsslapd-changelogmaxentries'],
>> >> 'serverctrls': None,'
>> >> clientctrls': None, 'escapehatch': 'i am sure'}) on instance TJAKO-
>> >> THUIS"},)
>> > Is this your server telling you that the entry cn=changelog5,cn=config does not exist? That sounds pretty bad... try running this (change IPA-EXAMPLE-COM to the name of your dirsrv instance):
>> >
>> > ldapsearch -H ldapi://%2frun%2fslapd-IPA-EXAMPLE-COM.socket -Y EXTERNAL -b cn=changelog5,cn=config -s base
>>
>> This is fine actually. This is a bug we are looking into. It should not be outputting that exception. It is just checking if a backend has a changelog, not that it's expecting one. This can be ignored.
>>
>> Mark
>>
>> Can you share a link to this bug?
>>
>
> https://bugzilla.redhat.com/show_bug.cgi?id=2115254
>
>> >
>> >> {
>> >>   "source": "ipahealthcheck.ipa.certs",
>> >>   "check": "IPACertTracking",
>> >>   "result": "CRITICAL",
>> >>   "uuid": "6bab1187-3285-4059-9f92-a6e8fba54d2f",
>> >>   "when": "20221119105634Z",
>> >>   "duration": "0.721246",
>> >>   "kw": {
>> >>     "exception": "bus, object_path and dbus_interface must not be None."
>> >>   }
>> >> },
>> > These look like D-Bus-related errors. Is certmonger started, can you run 'getcert list'?
>> >
>> --
>> Directory Server Development Team
>>
> --
> Directory Server Development Team