On 05.01.22 20:16, Rob Crittenden via FreeIPA-users wrote:
Ronald Wimmer wrote:
On 05.01.22 14:48, Rob Crittenden wrote:
Ronald Wimmer via FreeIPA-users wrote:
Is it true that these "Errors" appear on an IPA server without CA role
present and can be ignored?

CRITICAL: pki.server.healthcheck.certs.expiration.CASystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.expiration.KRASystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.expiration.OCSPSystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.expiration.TKSSystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.expiration.TPSSystemCertExpiryCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.trustflags.CASystemCertTrustFlagCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.trustflags.KRASystemCertTrustFlagCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.trustflags.OCSPSystemCertTrustFlagCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.trustflags.TKSSystemCertTrustFlagCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.certs.trustflags.TPSSystemCertTrustFlagCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.clones.connectivity_and_data.ClonesConnectivyAndDataCheck
CRITICAL: pki.server.healthcheck.meta.csconfig.CADogtagCertsConfigCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.meta.csconfig.KRADogtagCertsConfigCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.meta.csconfig.OCSPDogtagCertsConfigCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.meta.csconfig.TKSDogtagCertsConfigCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.meta.csconfig.TPSDogtagCertsConfigCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.meta.connectivity.DogtagCACertsConnectivityCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.meta.connectivity.DogtagKRAConnectivityCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.meta.connectivity.DogtagOCSPConnectivityCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.meta.connectivity.DogtagTKSConnectivityCheck: Invalid PKI instance: pki-tomcat
CRITICAL: pki.server.healthcheck.meta.connectivity.DogtagTPSConnectivityCheck: Invalid PKI instance: pki-tomcat
CRITICAL: ipahealthcheck.ipa.roles.IPACRLManagerCheck: Unable to read /var/lib/pki/pki-tomcat/conf/ca/CS.cfg

There was an issue where pki.server checks throw errors even if
the CA was unconfigured. I had to filter these out of healthcheck.

But the IPACRLManagerCheck should only run if a CA is configured, so I'd
double check your roles. It seems to believe one is configured on this
host.

The CA role is definitely not enabled on these machines (but maybe
something went wrong some time ago when we migrated from CentOS 7 to OL
8). Where should I have a closer look for leftovers?


For the CA take a look at /var/lib/ipa/sysrestore/sysrestore.state to
see if installed = True in the pki-tomcatd section. That indicates that
the CA was configured.

On these servers (without CA role) there is not even a pki-tomcatd section.

Cheers,
Ronald
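
The check discussed in this thread, as an added example that is not part of the original messages or of FreeIPA's own code: it reads the [pki-tomcatd] section of sysrestore.state and then sorts healthcheck results into the pki.server "Invalid PKI instance" lines and everything else. It assumes the state file is INI-style and that each result is on one line; the sample inputs are constructed.

```python
import configparser
import re

STATE_FILE = "/var/lib/ipa/sysrestore/sysrestore.state"  # path from the thread

# Constructed sample inputs (not taken from a real host).
SAMPLE_STATE_NO_CA = "[example-service]\nenabled = True\n"
SAMPLE_STATE_CA = SAMPLE_STATE_NO_CA + "[pki-tomcatd]\ninstalled = True\n"
SAMPLE_LOG = """\
CRITICAL: pki.server.healthcheck.meta.csconfig.CADogtagCertsConfigCheck: Invalid PKI instance: pki-tomcat
CRITICAL: ipahealthcheck.ipa.roles.IPACRLManagerCheck: Unable to read /var/lib/pki/pki-tomcat/conf/ca/CS.cfg
"""

# "LEVEL: dotted.check.Name: message" (the message part may be missing).
LINE_RE = re.compile(r"^(?P<level>[A-Z]+): (?P<check>[\w.]+)(?:: (?P<msg>.*))?$")


def ca_configured(state_text):
    """True if the [pki-tomcatd] section records installed = True."""
    cp = configparser.RawConfigParser()
    cp.read_string(state_text)
    return cp.has_section("pki-tomcatd") and cp.getboolean(
        "pki-tomcatd", "installed", fallback=False)


def triage(log_text, has_ca):
    """Split healthcheck lines into (noise, review) lists of check names."""
    noise, review = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        check = m.group("check")
        # On a host without a CA, the pki.server.* "Invalid PKI instance"
        # results are the ones the thread says had to be filtered out.
        if (not has_ca and check.startswith("pki.server.healthcheck.")
                and "Invalid PKI instance" in (m.group("msg") or "")):
            noise.append(check)
        else:
            review.append(check)
    return noise, review


if __name__ == "__main__":
    has_ca = ca_configured(SAMPLE_STATE_NO_CA)
    noise, review = triage(SAMPLE_LOG, has_ca)
    print("CA configured:", has_ca)
    print("filterable:", noise)
    print("needs review:", review)
```

On a real host, pass the contents of STATE_FILE to ca_configured() instead of the sample strings.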