Kees Bakker wrote:
On 06-11-19 17:16, Rob Crittenden wrote:
Kees Bakker via FreeIPA-users wrote:
Thanks Rob

Here are my findings, mainly as an FYI.

On the CA master it reports the following (which I have to investigate):
[
   {
     "source": "ipahealthcheck.ipa.certs",
     "kw": {
       "msg": "Unknown certmonger id 20190412141828",
       "key": "20190412141828"
     },
     "uuid": "f3d6ccb9-fb82-49ac-aa02-f485d08826c3",
     "duration": "0.980984",
     "when": "20191106095349Z",
     "check": "IPACertTracking",
     "result": "WARNING"
   }
]
To see what the request is, run:

# getcert list -i 20190412141828

It may be perfectly fine, it is acceptable to track other certs on the
master, it is just unexpected so healthcheck is warning about it.


The warning is for a cert that I created for a FreeRADIUS server (which
I never actually managed to get working).

The warning is a bit annoying because the cert is alright, I think. It is
listed with "status: MONITORING".
So, I think that the cert is not unknown to certmonger, despite what the
error suggests.

I am considering creating another cert for some other service, in the same
manner as I did for FreeRADIUS. That new cert would then also be flagged with
a warning.


This particular check isn't verifying whether the cert is ok. It is checking that the tracking for the standard IPA certs is done correctly.

If there are additional certs it has no way to know to validate them so warns instead. We discourage running additional software on an IPA master. Using a master to manage a cert is probably fine but is a grey area. I chose to warn as a heads-up, to keep a paranoid stance of warning on anything unexpected.

I have an idea to create an ignore list but it probably won't see the light of day for a while.

This is good feedback, thanks.

rob
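
Until an ignore list like the one mentioned above exists, the same effect can be had outside healthcheck by filtering its JSON output. The following is an added example, not part of the original thread or of ipa-healthcheck; the allowlist `REVIEWED_REQUEST_IDS`, the function names and the two extra sample results are assumptions constructed for illustration.

```python
import json

# Certmonger request IDs the operator has reviewed and accepts on this master.
# This allowlist is an assumption of the example, not an ipa-healthcheck feature.
REVIEWED_REQUEST_IDS = {"20190412141828"}

def is_reviewed_extra_tracking(result, reviewed_ids):
    """True only for the IPACertTracking WARNING about a reviewed extra request."""
    kw = result.get("kw") or {}
    key = kw.get("key")
    return (
        result.get("source") == "ipahealthcheck.ipa.certs"
        and result.get("check") == "IPACertTracking"
        and result.get("result") == "WARNING"  # never hide ERROR or CRITICAL
        and str(kw.get("msg", "")).startswith("Unknown certmonger id")
        and isinstance(key, str)
        and key in reviewed_ids
    )

def triage(report_json, reviewed_ids=REVIEWED_REQUEST_IDS):
    """Split a healthcheck JSON report into (suppressed, needs_attention)."""
    suppressed, needs_attention = [], []
    for result in json.loads(report_json):
        if is_reviewed_extra_tracking(result, reviewed_ids):
            suppressed.append(result)
        elif result.get("result") != "SUCCESS":
            needs_attention.append(result)
    return suppressed, needs_attention

# First entry is the result quoted in the thread; the other two are constructed.
SAMPLE_REPORT = json.dumps([
    {"source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking",
     "result": "WARNING",
     "kw": {"msg": "Unknown certmonger id 20190412141828", "key": "20190412141828"}},
    {"source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking",
     "result": "WARNING",
     "kw": {"msg": "Unknown certmonger id 20200101000000", "key": "20200101000000"}},
    {"source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking",
     "result": "ERROR",
     "kw": {"msg": "constructed error reusing a reviewed id", "key": "20190412141828"}},
])

if __name__ == "__main__":
    hidden, todo = triage(SAMPLE_REPORT)
    for r in todo:
        print(r["result"], r["check"], r["kw"].get("msg"))
    raise SystemExit(1 if todo else 0)
```

Only the exact reviewed request ID at WARNING level is suppressed, so a newly tracked certificate or any higher-severity result for the same ID still surfaces.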