Patterson, David via FreeIPA-users wrote:
Hello,
Running RHEL 7.9, ipa 4.6.8-5 and freeipa-healthcheck 0.3-2 backported
for RHEL 7.
Ipa healthcheck output
[
 {
   "source": "ipahealthcheck.ipa.certs",
   "kw": {
     "msg": "Unable to retrieve cert 'host/idm2.X.Y' from '/etc/pki/nssdb': Failed to get host/idm2.X.Y",
     "nickname": "host/idm2.X.Y",
     "dbdir": "/etc/pki/nssdb",
     "key": "20191122115414",
     "error": "Failed to get host/idm2.X.Y"
   },
   "uuid": "64d9b118-e588-4dbb-99e1-6ef11e495ed5",
   "duration": "0.382404",
   "when": "20210107005140Z",
   "check": "IPACertfileExpirationCheck",
   "result": "ERROR"
 },
 {
   "source": "ipahealthcheck.ipa.certs",
   "kw": {
     "msg": "Unknown certmonger id 20191122115414",
     "key": "20191122115414"
   },
   "uuid": "1b4bba70-08e0-43dc-8984-657cc47fd339",
   "duration": "1.109733",
   "when": "20210107005142Z",
   "check": "IPACertTracking",
   "result": "WARNING"
 }
]
How do I correct these issues?
They are two sides of the same coin. You have an unknown certificate
request being tracked by certmonger.
In this case the nickname host/idm2.X.Y in /etc/pki/nssdb.
Looks like there isn't a nickname with this value in that NSS database
which explains the first error.
I suspect that someone did some manual tracking changes and got this one
wrong. It isn't something that IPA would have configured.
Is it safe to delete this tracking request? Probably. But I'd double and
triple check before doing so. It's unclear what the original purpose of
creating it was.
rob
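
The correlation described in the reply above, as an added example that is not part of the original thread or of freeipa-healthcheck: it groups findings from `ipahealthcheck.ipa.certs` by the certmonger request id in `kw.key` and lists read-only commands for checking the request before removing it. The function names and the report layout are hypothetical, and the sample input is constructed from the output quoted in the message.

```python
import json
from collections import defaultdict

# Constructed sample: the two findings quoted in the message above, trimmed
# to the fields this script reads.
SAMPLE = """
[
 {"source": "ipahealthcheck.ipa.certs", "check": "IPACertfileExpirationCheck",
  "result": "ERROR",
  "kw": {"key": "20191122115414", "nickname": "host/idm2.X.Y",
         "dbdir": "/etc/pki/nssdb", "error": "Failed to get host/idm2.X.Y"}},
 {"source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking",
  "result": "WARNING",
  "kw": {"key": "20191122115414", "msg": "Unknown certmonger id 20191122115414"}}
]
"""

def group_by_request(findings):
    """Group failing cert findings by kw.key (assumed here to be the
    certmonger request id, as it is in the output quoted above)."""
    groups = defaultdict(list)
    for f in findings:
        key = f.get("kw", {}).get("key")
        if (f.get("source") == "ipahealthcheck.ipa.certs"
                and f.get("result") != "SUCCESS" and key):
            groups[key].append(f)
    return dict(groups)

def triage(findings):
    """One report per request id: which checks fired and what to inspect."""
    reports = []
    for key, items in sorted(group_by_request(findings).items()):
        kw = {}
        for f in items:
            kw.update(f["kw"])  # merge details reported by each check
        inspect = [f"getcert list -i {key}"]  # show the tracking request
        if kw.get("dbdir"):
            inspect.append(f"certutil -L -d {kw['dbdir']}")  # list nicknames
        reports.append({
            "request_id": key,
            "checks": sorted({f["check"] for f in items}),
            "nickname": kw.get("nickname"),
            "dbdir": kw.get("dbdir"),
            # IPACertTracking fires for a request IPA does not expect.
            "unexpected_tracking": any(f["check"] == "IPACertTracking" for f in items),
            "inspect": inspect,
        })
    return reports

if __name__ == "__main__":
    print(json.dumps(triage(json.loads(SAMPLE)), indent=2))
```
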