Hello,
After today's update I noticed I am now running Rocky 8.7
freeipa was updated just fine and is working nicely.
However after running ipa-healthcheck I was treated with a HUGE amount of errors.
After some digging I found that certmonger stopped tracking all my certs.
Figuring out how to get all the certs tracked again took quite some time; examples or hints on how to do this are sadly missing in ipa-healthcheck, they would have been very useful.
So now all untracked certs are tracked and no longer in ipa-healthcheck output. But there are still quite a few errors left about which I have no clue.
Does anybody know how to fix the errors from ipa-healthcheck? (see text below)
Any help would be appreciated
Rob
ipa-healthcheck
args=({'msgtype': 101, 'msgid': 3, 'result': 32, 'desc': 'No such object', 'ctrls': [], 'ldap_request': "search_ext_s(('cn=changelog5,cn=config', 0, '(objectClass=*)'),{'attrlist': ['nsslapd-changelogmaxentries'], 'serverctrls': None, 'clientctrls': None, 'escapehatch': 'i am sure'}) on instance TJAKO-THUIS"},)
[
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertTracking",
    "result": "CRITICAL",
    "uuid": "711d096f-c1a8-4528-873d-522498811fbf",
    "when": "20221118235210Z",
    "duration": "2.149582",
    "kw": {
      "exception": "bus, object_path and dbus_interface must not be None."
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertDNSSAN",
    "result": "CRITICAL",
    "uuid": "06997e50-52cd-4240-9b90-41cd7bf9e9f6",
    "when": "20221118235212Z",
    "duration": "2.599630",
    "kw": {
      "exception": "bus, object_path and dbus_interface must not be None."
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "CRITICAL",
    "uuid": "5fe7388f-6ec6-433f-87df-4596eabee060",
    "when": "20221118235224Z",
    "duration": "2.801779",
    "kw": {
      "exception": "bus, object_path and dbus_interface must not be None."
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertmongerCA",
    "result": "ERROR",
    "uuid": "7a588ee8-f3f0-4db4-91d0-b236a9dcbb81",
    "when": "20221118235224Z",
    "duration": "0.009275",
    "kw": {
      "key": "dogtag-ipa-ca-renew-agent-reuse",
      "msg": "Certmonger CA '{key}' missing"
    }
  },
  {
    "source": "ipahealthcheck.ipa.files",
    "check": "IPAFileCheck",
    "result": "CRITICAL",
    "uuid": "2e82818e-7210-4cf2-bd99-7490841348c6",
    "when": "20221118235226Z",
    "duration": "0.199291",
    "kw": {
      "exception": "bus, object_path and dbus_interface must not be None."
    }
  }
]
Hi all,
I managed to get rid of another error but I still have plenty of errors left.
Any help would be appreciated.
ipa-healthcheck errors remaining:
ipa-healthcheck
args=({'msgtype': 101, 'msgid': 3, 'result': 32, 'desc': 'No such object', 'ctrls': [], 'ldap_request': "search_ext_s(('cn=changelog5,cn=config', 0, '(objectClass=*)'),{'attrlist': ['nsslapd-changelogmaxentries'], 'serverctrls': None, 'clientctrls': None, 'escapehatch': 'i am sure'}) on instance TJAKO-THUIS"},)
[
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertTracking",
    "result": "CRITICAL",
    "uuid": "6bab1187-3285-4059-9f92-a6e8fba54d2f",
    "when": "20221119105634Z",
    "duration": "0.721246",
    "kw": {
      "exception": "bus, object_path and dbus_interface must not be None."
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertDNSSAN",
    "result": "CRITICAL",
    "uuid": "b13b939b-9b8d-4893-ba31-da2dd203551a",
    "when": "20221119105635Z",
    "duration": "0.683679",
    "kw": {
      "exception": "bus, object_path and dbus_interface must not be None."
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "CRITICAL",
    "uuid": "a235463c-85cd-4277-8ee8-a10a0fcc6e5c",
    "when": "20221119105638Z",
    "duration": "0.655251",
    "kw": {
      "exception": "bus, object_path and dbus_interface must not be None."
    }
  },
  {
    "source": "ipahealthcheck.ipa.files",
    "check": "IPAFileCheck",
    "result": "CRITICAL",
    "uuid": "85deeb45-7e32-4f00-b2ab-a9b0484242c7",
    "when": "20221119105639Z",
    "duration": "0.083885",
    "kw": {
      "exception": "bus, object_path and dbus_interface must not be None."
    }
  }
]
On Sat, 2022-11-19 at 11:57 +0100, Rob Verduijn via FreeIPA-users wrote:
> ipa-healthcheck
> args=({'msgtype': 101, 'msgid': 3, 'result': 32, 'desc': 'No such object', 'ctrls': [], 'ldap_request': "search_ext_s(('cn=changelog5,cn=config', 0, '(objectClass=*)'),{'attrlist': ['nsslapd-changelogmaxentries'], 'serverctrls': None, 'clientctrls': None, 'escapehatch': 'i am sure'}) on instance TJAKO-THUIS"},)
Is this your server telling you that the entry cn=changelog5,cn=config does not exist? That sounds pretty bad... try running this (change IPA-EXAMPLE-COM to the name of your dirsrv instance):
ldapsearch -H ldapi://%2frun%2fslapd-IPA-EXAMPLE-COM.socket -Y EXTERNAL -b cn=changelog5,cn=config -s base
> {
>   "source": "ipahealthcheck.ipa.certs",
>   "check": "IPACertTracking",
>   "result": "CRITICAL",
>   "uuid": "6bab1187-3285-4059-9f92-a6e8fba54d2f",
>   "when": "20221119105634Z",
>   "duration": "0.721246",
>   "kw": {
>     "exception": "bus, object_path and dbus_interface must not be None."
>   }
> },
These look like D-Bus-related errors. Is certmonger started, can you run 'getcert list'?
On 11/20/22 9:06 AM, Sam Morris via FreeIPA-users wrote:
> Is this your server telling you that the entry cn=changelog5,cn=config does not exist? That sounds pretty bad... try running this (change IPA-EXAMPLE-COM to the name of your dirsrv instance):
> ldapsearch -H ldapi://%2frun%2fslapd-IPA-EXAMPLE-COM.socket -Y EXTERNAL -b cn=changelog5,cn=config -s base
This is fine actually. This is a bug we are looking into. It should not be outputting that exception. It is just checking if a backend has a changelog, not that it's expecting one. This can be ignored.
Mark
On Sun 20 Nov 2022 at 15:06, Sam Morris sam@robots.org.uk wrote:
> Is this your server telling you that the entry cn=changelog5,cn=config does not exist? That sounds pretty bad... try running this (change IPA-EXAMPLE-COM to the name of your dirsrv instance):
> ldapsearch -H ldapi://%2frun%2fslapd-IPA-EXAMPLE-COM.socket -Y EXTERNAL -b cn=changelog5,cn=config -s base
Mark says this is a known bug
> These look like D-Bus-related errors. Is certmonger started, can you run 'getcert list'?
Yes I can, it was empty 2 days ago, ipa-healthcheck showed many errors related to this. Took me quite some effort to fix those but they are gone now and getcert list now shows 9 certs.
There were also 2 CAs missing from getcert list-cas, also mentioned by ipa-healthcheck, also fixed after some serious googling.
These errors all appeared after an update from 8.6 to 8.7
On Sun 20 Nov 2022 at 15:57, Mark Reynolds mareynol@redhat.com wrote:
> This is fine actually. This is a bug we are looking into. It should not be outputting that exception. It is just checking if a backend has a changelog, not that it's expecting one. This can be ignored.
> Mark
Can you share a link to this bug?
On 11/20/22 10:51 AM, Rob Verduijn wrote:
> Can you share a link to this bug?
https://bugzilla.redhat.com/show_bug.cgi?id=2115254
thanx
any clues about the other errors?
ipa-healthcheck
args=({'msgtype': 101, 'msgid': 3, 'result': 32, 'desc': 'No such object', 'ctrls': [], 'ldap_request': "search_ext_s(('cn=changelog5,cn=config', 0, '(objectClass=*)'),{'attrlist': ['nsslapd-changelogmaxentries'], 'serverctrls': None, 'clientctrls': None, 'escapehatch': 'i am sure'}) on instance TJAKO-THUIS"},)
[
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertTracking",
    "result": "CRITICAL",
    "uuid": "6bab1187-3285-4059-9f92-a6e8fba54d2f",
    "when": "20221119105634Z",
    "duration": "0.721246",
    "kw": {
      "exception": "bus, object_path and dbus_interface must not be None."
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertDNSSAN",
    "result": "CRITICAL",
    "uuid": "b13b939b-9b8d-4893-ba31-da2dd203551a",
    "when": "20221119105635Z",
    "duration": "0.683679",
    "kw": {
      "exception": "bus, object_path and dbus_interface must not be None."
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "CRITICAL",
    "uuid": "a235463c-85cd-4277-8ee8-a10a0fcc6e5c",
    "when": "20221119105638Z",
    "duration": "0.655251",
    "kw": {
      "exception": "bus, object_path and dbus_interface must not be None."
    }
  },
  {
    "source": "ipahealthcheck.ipa.files",
    "check": "IPAFileCheck",
    "result": "CRITICAL",
    "uuid": "85deeb45-7e32-4f00-b2ab-a9b0484242c7",
    "when": "20221119105639Z",
    "duration": "0.083885",
    "kw": {
      "exception": "bus, object_path and dbus_interface must not be None."
    }
  }
]
On 11/20/22 3:39 PM, Rob Verduijn wrote:
> thanx
> any clues about the other errors?
Sorry I'm not that familiar with IPA - I'm just a Directory Server guy. I'm sure someone from the IPA team will respond tomorrow.
-- Directory Server Development Team
Rob Verduijn via FreeIPA-users wrote:
> thanx
> any clues about the other errors?
It isn't a dbus issue because the other certmonger requests are working fine. In the past this has been caused by missing expected (assumed) entries.
Can you share the output of getcert list and getcert list-cas?
and:
ipa-healthcheck --debug --source ipahealthcheck.ipa.certs --check IPACertmongerCA
rob
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Sorry, posted the answer in a DM. I'll post any weird stuff in it here when Rob finds it.
Rob Verduijn wrote:
> sorry posted the answer in a dm. I'll post any weird stuff in it here when rob finds it
It's interesting that the IPACertmongerCA check fails when run with the rest but passes individually. It at least shows that the three pre-defined CAs we care about look right.
I noticed that the PKINIT request has no CA associated with it. I suppose it's possible that is confusing things.
If you look in /var/lib/certmonger/requests for the file that contains KDCs_PKINIT_Certs, see what, if any, value there is for ca_name. If there isn't one, you can stop certmonger and manually add ca_name=IPA, then restart it.
Give it time to get going then try ipa-healthcheck again.
rob
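The check described in the reply above, as an added shell example that is not part of the thread or of certmonger: it finds request files that contain a given string and reports whether each has a ca_name line. The function names are hypothetical, and the sample request files are constructed, abbreviated key=value files standing in for the real ones.

```shell
#!/bin/sh
# Added example, not from the thread: read-only check of certmonger request
# files for a missing ca_name line. Function names are hypothetical.

# ca_name_of FILE: print the value of the first ca_name= line, or nothing.
ca_name_of() {
    sed -n 's/^ca_name=//p' "$1" | head -n 1
}

# check_ca_name DIR STRING
# For every regular file in DIR that contains STRING, print one line:
#   "<file> ca_name=<value>"   or   "<file> MISSING ca_name"
# Return 0 if every matching file has a non-empty ca_name,
#        1 if at least one lacks it,
#        2 if no file contains STRING.
check_ca_name() {
    dir=$1
    needle=$2
    status=2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        grep -qF -- "$needle" "$f" || continue
        if [ "$status" -eq 2 ]; then status=0; fi
        ca=$(ca_name_of "$f")
        if [ -n "$ca" ]; then
            printf '%s ca_name=%s\n' "$f" "$ca"
        else
            printf '%s MISSING ca_name\n' "$f"
            status=1
        fi
    done
    return "$status"
}

# make_sample_requests DIR: write two constructed, abbreviated request files.
# The key names and values are sample data for the demo, not copied from
# the poster's system.
make_sample_requests() {
    mkdir -p "$1"
    # PKINIT request with no ca_name line (the case the reply describes).
    printf '%s\n' \
        'id=20221118000001' \
        'cert_storage_type=FILE' \
        'cert_storage_location=/var/kerberos/krb5kdc/kdc.crt' \
        'template_profile=KDCs_PKINIT_Certs' \
        > "$1/20221118000001"
    # Unrelated request that does have a CA associated with it.
    printf '%s\n' \
        'id=20221118000002' \
        'cert_storage_type=FILE' \
        'cert_storage_location=/var/lib/ipa/certs/httpd.crt' \
        'template_profile=caIPAserviceCert' \
        'ca_name=IPA' \
        > "$1/20221118000002"
}

# Demo on the constructed files; runs offline and touches nothing under /var.
demo=$(mktemp -d)
make_sample_requests "$demo"
check_ca_name "$demo" KDCs_PKINIT_Certs || echo "check_ca_name exit status: $?"
rm -rf "$demo"
```

On an IPA server the equivalent call is `check_ca_name /var/lib/certmonger/requests KDCs_PKINIT_Certs`, run as root; the edit itself is made with certmonger stopped, as the reply says.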
Wow....thanx...that was it (the ca_name=IPA entry in the file that contains 'KDCs_PKINIT_Certs' in the dir /var/lib/certmonger/requests with
Now it's only the known bug error message https://bugzilla.redhat.com/show_bug.cgi?id=2115254
ipa-healthcheck args=({'msgtype': 101, 'msgid': 3, 'result': 32, 'desc': 'No such object', 'ctrls': [], 'ldap_request': "search_ext_s(('cn=changelog5,cn=config', 0, '(objectClass=*)'),{'attrlist': ['nsslapd-changelogmaxentries'], 'serverctrls': None, ' clientctrls': None, 'escapehatch': 'i am sure'}) on instance TJAKO-THUIS"},) []
Thanx Rob
Rob :-P (I really need to remember to reply to all)
On Mon 21 Nov 2022 at 16:37, Rob Crittenden <rcritten@redhat.com> wrote:
> Rob Verduijn wrote:
>> sorry posted the answer in a dm. I'll post any weird stuff in it here when rob finds it
> It's interesting that the IPACertmongerCA check fails when run with the rest but passes individually. It at least shows that the three pre-defined CAs we care about look right.
> I noticed that the PKINIT request has no CA associated with it. I suppose it's possible that is confusing things.
> If you look in /var/lib/certmonger/requests for the file that contains KDCs_PKINIT_Certs see what, if any, value there is for ca_name. If there isn't one you can stop certmonger and manually add ca_name=IPA then restart it.
> Give it time to get going then try ipa-healthcheck again.
> rob
>> .
Rob Verduijn wrote:
> Wow....thanx...that was it (the ca_name=IPA entry in the file that contains 'KDCs_PKINIT_Certs' in the dir /var/lib/certmonger/requests with
Identifying this type of issue might be pretty tricky. I'll use the ticket you opened to poke at it. I'd rather not have to parse the request files directly as some data may be cached in the daemon.
I'm not even sure how a request can be tracked without a CA in certmonger.
Glad things are working in any case.
rob
> Now it's only the known bug error message https://bugzilla.redhat.com/show_bug.cgi?id=2115254
> ipa-healthcheck args=({'msgtype': 101, 'msgid': 3, 'result': 32, 'desc': 'No such object', 'ctrls': [], 'ldap_request': "search_ext_s(('cn=changelog5,cn=config', 0, '(objectClass=*)'),{'attrlist': ['nsslapd-changelogmaxentries'], 'serverctrls': None, ' clientctrls': None, 'escapehatch': 'i am sure'}) on instance TJAKO-THUIS"},) []
Fortunately this only appears on stderr so doesn't end up in the generated file if you run healthcheck in a timer or use the --output-file option.
rob
> Thanx Rob
> Rob :-P (I really need to remember to reply to all)
Hi,
For your bughunt as to how the ca_name=IPA went missing from that file. I got exactly the same errors (including all the untracked certs) after I removed an ipa-server from the domain. The ipa-healthcheck dumped all the previous errors back on my screen.
I was glad I saved all the commands to fix them. All the errors are gone again, but if you want to see if you can reproduce that error try adding a replica to an EL8.7 freeipa domain (run ipa-healthcheck), then remove it and see if ipa-healthcheck starts to complain.
Rob
On Mon 21 Nov 2022 at 19:53, Rob Crittenden <rcritten@redhat.com> wrote:
> Rob Verduijn wrote:
>> Wow....thanx...that was it (the ca_name=IPA entry in the file that contains 'KDCs_PKINIT_Certs' in the dir /var/lib/certmonger/requests with
> Identifying this type of issue might be pretty tricky. I'll use the ticket you opened to poke at it. I'd rather not have to parse the request files directly as some data may be cached in the daemon.
> I'm not even sure how a request can be tracked without a CA in certmonger.
> Glad things are working in any case.
> rob
>> Now it's only the known bug error message https://bugzilla.redhat.com/show_bug.cgi?id=2115254
>> ipa-healthcheck args=({'msgtype': 101, 'msgid': 3, 'result': 32, 'desc': 'No such object', 'ctrls': [], 'ldap_request': "search_ext_s(('cn=changelog5,cn=config', 0, '(objectClass=*)'),{'attrlist': ['nsslapd-changelogmaxentries'], 'serverctrls': None, ' clientctrls': None, 'escapehatch': 'i am sure'}) on instance TJAKO-THUIS"},) []
> Fortunately this only appears on stderr so doesn't end up in the generated file if you run healthcheck in a timer or use the --output-file option.
> rob
>> Thanx Rob
>> Rob :-P (I really need to remember to reply to all)
freeipa-users@lists.fedorahosted.org
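The manual check described in the thread (find the request file that contains KDCs_PKINIT_Certs and see whether it has a ca_name) can be run read-only over a whole requests directory. The script below is an added example, not code from the thread or from FreeIPA or certmonger; the sample files are constructed, and the continuation-line layout and every field name other than ca_name are assumptions.

```python
#!/usr/bin/env python3
"""Read-only audit: report certmonger request files that carry no ca_name."""
import sys
import tempfile
from pathlib import Path

PKINIT_MARKER = "KDCs_PKINIT_Certs"  # string the thread says to look for

# Constructed sample request files (not from a real host). Assumed layout:
# one key=value per line; continuation lines of a value start with a space.
SAMPLE_REQUESTS = {
    "20221118000001": (
        "id=20221118000001\n"
        "cert=-----BEGIN CERTIFICATE-----\n"
        " Q09OU1RSVUNURUQ=\n"
        " -----END CERTIFICATE-----\n"
        "template_profile=KDCs_PKINIT_Certs\n"
    ),
    "20221118000002": "id=20221118000002\nca_name=IPA\n",
    "20221118000003": "id=20221118000003\nca_name=\n",
}


def parse_request(text):
    """Return the key=value fields of one request file as a dict."""
    fields, key = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t"):
            # Continuation of the previous value (e.g. a PEM body); never a
            # new key, even when it contains '=' such as base64 padding.
            if key is not None:
                fields[key] += "\n" + line[1:]
        elif "=" in line:
            key, value = line.split("=", 1)
            fields[key] = value
    return fields


def audit(requests_dir):
    """Return a finding for every request file with a missing or empty ca_name."""
    findings = []
    for path in sorted(Path(requests_dir).iterdir()):
        if not path.is_file():
            continue
        text = path.read_text(errors="replace")
        fields = parse_request(text)
        if not fields:
            continue  # not a key=value request file
        if fields.get("ca_name", "").strip():
            continue  # request is bound to a CA
        findings.append({
            "file": path.name,
            "id": fields.get("id", "?"),
            "pkinit": PKINIT_MARKER in text,
        })
    return findings


def write_sample(directory):
    """Write the constructed sample files into directory."""
    for name, body in SAMPLE_REQUESTS.items():
        Path(directory, name).write_text(body)


def main(argv):
    if len(argv) > 1:
        findings = audit(argv[1])  # e.g. the requests directory from the thread
    else:
        with tempfile.TemporaryDirectory() as tmp:
            write_sample(tmp)
            findings = audit(tmp)
    for f in findings:
        note = " (PKINIT request)" if f["pkinit"] else ""
        print(f"{f['file']}: id={f['id']} has no ca_name{note}")
    # Non-zero exit only for a real directory, so the built-in demo exits 0.
    return 1 if findings and len(argv) > 1 else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script only reads the files; as noted in the thread, the daemon may cache request data, so stop certmonger before adding ca_name=IPA by hand and restart it afterwards.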