Hi Rob,
ipa-healthcheck revealed several errors. I do not want to discuss all of
them in public because I do not want to disclose the domain/subdomain
names of our AD. (If you think the topic is worth discussing on the
mailing list, I will obfuscate them before posting.)
I would highly appreciate it if you could take a quick look and tell me how
severe they are and what I can possibly do to fix them. I do not care
about KRA because we did not use the feature at this point in time. KRA
could be set up from scratch again - if possible. The replication
conflicts sound much more troubling...
Cheers,
Ronald
{
"source": "pki.server.healthcheck.meta.csconfig",
"check": "DogtagCertsConfigCheck",
"result": "ERROR",
"uuid": "29b240d3-a221-4bd5-a3d9-bae309ed33a7",
"when": "20200616210039Z",
"duration": "0.197320",
"kw": {
"key": "kra_transport",
"nickname": "transportCert cert-pki-kra",
"directive": "kra.transport.cert",
"configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
"msg": "Certificate 'transportCert cert-pki-kra' does not match the value of kra.transport.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
}
--
{
"source": "pki.server.healthcheck.meta.csconfig",
"check": "DogtagCertsConfigCheck",
"result": "ERROR",
"uuid": "c946f181-3745-499e-ab9c-289a4ffd36e9",
"when": "20200616210039Z",
"duration": "0.228105",
"kw": {
"key": "kra_storage",
"nickname": "storageCert cert-pki-kra",
"directive": "kra.storage.cert",
"configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
"msg": "Certificate 'storageCert cert-pki-kra' does not match the value of kra.storage.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
}
--
{
"source": "pki.server.healthcheck.meta.csconfig",
"check": "DogtagCertsConfigCheck",
"result": "ERROR",
"uuid": "0e59c252-53d8-449e-bc51-96b59e1a8acc",
"when": "20200616210039Z",
"duration": "0.260174",
"kw": {
"key": "kra_audit_signing",
"nickname": "auditSigningCert cert-pki-kra",
"directive": "kra.audit_signing.cert",
"configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
"msg": "Certificate 'auditSigningCert cert-pki-kra' does not match the value of kra.audit_signing.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
}
--
{
"source": "ipahealthcheck.dogtag.ca",
"check": "DogtagCertsConfigCheck",
"result": "ERROR",
"uuid": "01b18546-b473-40fb-9923-bfb23f152038",
"when": "20200616210039Z",
"duration": "0.260025",
"kw": {
"key": "transportCert cert-pki-kra",
"directive": "ca.connector.KRA.transportCert",
"configfile": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
"msg": "Certificate 'transportCert cert-pki-kra' does not match the value of ca.connector.KRA.transportCert in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
}
},
--
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationConflictCheck",
"result": "ERROR",
"uuid": "3dca4913-3a30-4bff-8326-3c51b0aeda8c",
"when": "20200616210039Z",
"duration": "0.003225",
"kw": {
"key":
"cn=certmap+nsuniqueid=46562a35-994311e7-bcd9e321-1436c40f,dc=linux,dc=mydomain,dc=at",
"glue": false,
"conflict": "namingConflict
cn=certmap,dc=linux,dc=mydomain,dc=at",
"msg": "Replication conflict"
}
},
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationConflictCheck",
"result": "ERROR",
"uuid": "58623e97-e913-433a-9793-6bb233afdcc9",
"when": "20200616210039Z",
"duration": "0.003316",
"kw": {
"key": "cn=Certificate Identity Mapping
Administrators+nsuniqueid=46562a39-994311e7-bcd9e321-1436c40f,cn=privileges,cn=pbac,dc=linux,dc=mydomain,dc=at",
"glue": false,
"conflict": "namingConflict cn=Certificate Identity Mapping
Administrators,cn=privileges,cn=pbac,dc=linux,dc=mydomain,dc=at",
"msg": "Replication conflict"
}
},
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationConflictCheck",
"result": "ERROR",
"uuid": "7a76e510-8b3a-41f6-b329-fc474ca6202f",
"when": "20200616210039Z",
"duration": "0.003397",
"kw": {
"key": "cn=System: Modify Certmap
Configuration+nsuniqueid=46562a41-994311e7-bcd9e321-1436c40f,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
"glue": false,
"conflict": "namingConflict cn=System: Modify Certmap
Configuration,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
"msg": "Replication conflict"
}
},
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationConflictCheck",
"result": "ERROR",
"uuid": "e7588c0d-52d8-44d2-beec-4e3c31be3f4b",
"when": "20200616210039Z",
"duration": "0.003475",
"kw": {
"key": "cn=System: Read Certmap
Configuration+nsuniqueid=46562a45-994311e7-bcd9e321-1436c40f,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
"glue": false,
"conflict": "namingConflict cn=System: Read Certmap
Configuration,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
"msg": "Replication conflict"
}
},
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationConflictCheck",
"result": "ERROR",
"uuid": "f18f8d2e-b304-4345-8625-55e62ea0a6ca",
"when": "20200616210039Z",
"duration": "0.003552",
"kw": {
"key": "cn=System: Add Certmap
Rules+nsuniqueid=46562a48-994311e7-bcd9e321-1436c40f,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
"glue": false,
"conflict": "namingConflict cn=System: Add Certmap
Rules,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
"msg": "Replication conflict"
}
},
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationConflictCheck",
"result": "ERROR",
"uuid": "6509b40b-af09-4813-bd4f-330d8bc2ad07",
"when": "20200616210039Z",
"duration": "0.003626",
"kw": {
"key": "cn=System: Delete Certmap
Rules+nsuniqueid=46562a4c-994311e7-bcd9e321-1436c40f,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
"glue": false,
"conflict": "namingConflict cn=System: Delete Certmap
Rules,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
"msg": "Replication conflict"
}
},
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationConflictCheck",
"result": "ERROR",
"uuid": "8d2acff4-40ce-4275-ae63-a7a98be207c2",
"when": "20200616210039Z",
"duration": "0.003701",
"kw": {
"key": "cn=System: Modify Certmap
Rules+nsuniqueid=46562a50-994311e7-bcd9e321-1436c40f,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
"glue": false,
"conflict": "namingConflict cn=System: Modify Certmap
Rules,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
"msg": "Replication conflict"
}
},
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationConflictCheck",
"result": "ERROR",
"uuid": "0cf56b18-9f8f-47d1-b086-0ba928709bfc",
"when": "20200616210039Z",
"duration": "0.003794",
"kw": {
"key": "cn=System: Read Certmap
Rules+nsuniqueid=46562a54-994311e7-bcd9e321-1436c40f,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
"glue": false,
"conflict": "namingConflict cn=System: Read Certmap
Rules,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
"msg": "Replication conflict"
}
},
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationConflictCheck",
"result": "ERROR",
"uuid": "6eea376a-1e81-4c31-98b4-fd3d72695951",
"when": "20200616210039Z",
"duration": "0.003873",
"kw": {
"key": "cn=System: Modify External Group
Membership+nsuniqueid=46562a5d-994311e7-bcd9e321-1436c40f,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
"glue": false,
"conflict": "namingConflict cn=System: Modify External Group
Membership,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
"msg": "Replication conflict"
}
},
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationConflictCheck",
"result": "ERROR",
"uuid": "a4c35d33-31ca-452a-b13c-02ffd6d8eea3",
"when": "20200616210039Z",
"duration": "0.003953",
"kw": {
"key": "cn=System: Read External Group
Membership+nsuniqueid=46562a64-994311e7-bcd9e321-1436c40f,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
"glue": false,
"conflict": "namingConflict cn=System: Read External Group
Membership,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
"msg": "Replication conflict"
}
},
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationConflictCheck",
"result": "ERROR",
"uuid": "22033461-49bb-4836-ab2f-0a989d046c3f",
"when": "20200616210039Z",
"duration": "0.004030",
"kw": {
"key": "cn=System: Manage User Certificate
Mappings+nsuniqueid=46562a6b-994311e7-bcd9e321-1436c40f,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
"glue": false,
"conflict": "namingConflict cn=System: Manage User Certificate
Mappings,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
"msg": "Replication conflict"
}
},
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationConflictCheck",
"result": "ERROR",
"uuid": "86a73d33-7c33-49b5-bf25-4d175fb45180",
"when": "20200616210039Z",
"duration": "0.004114",
"kw": {
"key":
"krbPrincipalName=WELLKNOWN/ANONYMOUS@LINUX.MYDOMAIN.AT+nsuniqueid=64bc25a5-994311e7-bcd9e321-1436c40f,cn=LINUX.MYDOMAIN.AT,cn=kerberos,dc=linux,dc=mydomain,dc=at",
"glue": false,
"conflict": "namingConflict
krbPrincipalName=WELLKNOWN/ANONYMOUS@LINUX.MYDOMAIN.AT,cn=LINUX.MYDOMAIN.AT,cn=kerberos,dc=linux,dc=mydomain,dc=at",
"msg": "Replication conflict"
}
},
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationConflictCheck",
"result": "ERROR",
"uuid": "98d8b851-1d33-4b0f-9b6b-c204abe9a721",
"when": "20200616210039Z",
"duration": "0.004185",
"kw": {
"key":
"cn=KDCs_PKINIT_Certs+nsuniqueid=64bc259d-994311e7-bcd9e321-1436c40f,cn=certprofiles,cn=ca,dc=linux,dc=mydomain,dc=at",
"glue": false,
"conflict": "namingConflict
cn=KDCs_PKINIT_Certs,cn=certprofiles,cn=ca,dc=linux,dc=mydomain,dc=at",
"msg": "Replication conflict"
}
},
--
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "09f846de-b933-417b-a5b8-c018c7892e61",
"when": "20200616210043Z",
"duration": "2.086729",
"kw": {
"key": "20200603161155",
"msg": "Request for certificate failed, Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0xffd0008 not found)"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "2060d0c2-b602-4487-b5d9-6320c8488464",
"when": "20200616210043Z",
"duration": "2.158848",
"kw": {
"key": "20200603161428",
"msg": "Request for certificate failed, Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0xffd0009 not found)"
}
},
{
"source": "ipahealthcheck.ipa.certs",
--
{
"source": "ipahealthcheck.ipa.trust",
"check": "IPATrustDomainsCheck",
"result": "ERROR",
"uuid": "589666e0-0426-4dcd-8576-15ec5e1e37e0",
"when": "20200616210043Z",
"duration": "0.226474",
"kw": {
"key": "domain-list",
"sssctl": "/usr/sbin/sssctl",
"sssd_domains": "mydomain.at, buero.mydomain.at, org.mydomain.at, tk.mydomain.at",
"trust_domains": "mydomain.at",
"msg": "{sssctl} {key} reports mismatch: sssd domains {sssd_domains} trust domains {trust_domains}"
}