Hi,

For your bughunt as to how the ca_name=IPA went missing from that file.
I got exactly the same errors (including all the untracked certs) after I removed an ipa-server from the domain. The ipa-healthcheck dumped all the previous errors back on my screen.
I was glad I saved all the commands to fix them.

All the errors are gone again, but if you want to see if you can reproduce that error try adding a replica to an EL8.7 freeipa domain, (run ipa-healthcheck) then remove it and see if ipa-healthcheck starts to complain.

Rob

On Mon, 21 Nov 2022 at 19:53, Rob Crittenden <rcrit...@redhat.com> wrote:

> Rob Verduijn wrote:
> > Wow....thanx...that was it (the ca_name=IPA entry in the file that
> > contains 'KDCs_PKINIT_Certs' in the dir /var/lib/certmonger/requests with
>
> Identifying this type of issue might be pretty tricky. I'll use the
> ticket you opened to poke at it. I'd rather not have to parse the
> request files directly as some data may be cached in the daemon.
>
> I'm not even sure how a request can be tracked without a CA in certmonger.
>
> Glad things are working in any case.
>
> rob
>
> > Now it's only the known bug error message
> > https://bugzilla.redhat.com/show_bug.cgi?id=2115254
> >
> > ipa-healthcheck
> > args=({'msgtype': 101, 'msgid': 3, 'result': 32, 'desc': 'No such
> > object', 'ctrls': [], 'ldap_request':
> > "search_ext_s(('cn=changelog5,cn=config', 0,
> > '(objectClass=*)'),{'attrlist': ['nsslapd-changelogmaxentries'],
> > 'serverctrls': None, '
> > clientctrls': None, 'escapehatch': 'i am sure'}) on instance
> > TJAKO-THUIS"},)
> > []
>
> Fortunately this only appears on stderr so doesn't end up in the
> generated file if you run healthcheck in a timer or use the
> --output-file option.
>
> rob
>
> > Thanx Rob
> >
> > Rob :-P (I really need to remember to reply to all)
> >
> > On Mon, 21 Nov 2022 at 16:37, Rob Crittenden <rcrit...@redhat.com> wrote:
> >
> > > Rob Verduijn wrote:
> > > > sorry posted the answer in a dm.
> > > > I'll post any weird stuff in it here when rob finds it
> > >
> > > It's interesting that the IPACertmongerCA check fails when run with the
> > > rest but passes individually.
> > > It at least shows that the three
> > > pre-defined CAs we care about look right.
> > >
> > > I noticed that the PKINIT request has no CA associated with it. I
> > > suppose it's possible that is confusing things.
> > >
> > > If you look in /var/lib/certmonger/requests for the file that contains
> > > KDCs_PKINIT_Certs see what, if any, value there is for ca_name. If there
> > > isn't one you can stop certmonger and manually add ca_name=IPA then
> > > restart it.
> > >
> > > Give it time to get going then try ipa-healthcheck again.
> > >
> > > rob
> > >
> > > > .
> > > >
> > > > On Mon, 21 Nov 2022 at 15:25, Rob Crittenden <rcrit...@redhat.com> wrote:
> > > >
> > > > > Rob Verduijn via FreeIPA-users wrote:
> > > > > > thanx
> > > > > >
> > > > > > any clues about the other errors?
> > > > >
> > > > > It isn't a dbus issue because the other certmonger requests are working
> > > > > fine. In the past this has been caused by missing expected (assumed)
> > > > > entries.
> > > > >
> > > > > Can you share the output of getcert-list and getcert list-cas?
> > > > >
> > > > > and:
> > > > >
> > > > > ipa-healthcheck --debug --source ipahealthcheck.ipa.certs --check IPACertmongerCA
> > > > >
> > > > > rob
> > > > >
> > > > > > ipa-healthcheck
> > > > > > args=({'msgtype': 101, 'msgid': 3, 'result': 32, 'desc': 'No such
> > > > > > object', 'ctrls': [], 'ldap_request':
> > > > > > "search_ext_s(('cn=changelog5,cn=config', 0,
> > > > > > '(objectClass=*)'),{'attrlist': ['nsslapd-changelogmaxentries'],
> > > > > > 'serverctrls': None, '
> > > > > > clientctrls': None, 'escapehatch': 'i am sure'}) on instance
> > > > > > TJAKO-THUIS"},)
> > > > > > [
> > > > > >   {
> > > > > >     "source": "ipahealthcheck.ipa.certs",
> > > > > >     "check": "IPACertTracking",
> > > > > >     "result": "CRITICAL",
> > > > > >     "uuid": "6bab1187-3285-4059-9f92-a6e8fba54d2f",
> > > > > >     "when": "20221119105634Z",
> > > > > >     "duration": "0.721246",
> > > > > >     "kw": {
> > > > > >       "exception": "bus, object_path and dbus_interface must not be None."
> > > > > >     }
> > > > > >   },
> > > > > >   {
> > > > > >     "source": "ipahealthcheck.ipa.certs",
> > > > > >     "check": "IPACertDNSSAN",
> > > > > >     "result": "CRITICAL",
> > > > > >     "uuid": "b13b939b-9b8d-4893-ba31-da2dd203551a",
> > > > > >     "when": "20221119105635Z",
> > > > > >     "duration": "0.683679",
> > > > > >     "kw": {
> > > > > >       "exception": "bus, object_path and dbus_interface must not be None."
> > > > > >     }
> > > > > >   },
> > > > > >   {
> > > > > >     "source": "ipahealthcheck.ipa.certs",
> > > > > >     "check": "IPACertRevocation",
> > > > > >     "result": "CRITICAL",
> > > > > >     "uuid": "a235463c-85cd-4277-8ee8-a10a0fcc6e5c",
> > > > > >     "when": "20221119105638Z",
> > > > > >     "duration": "0.655251",
> > > > > >     "kw": {
> > > > > >       "exception": "bus, object_path and dbus_interface must not be None."
> > > > > >     }
> > > > > >   },
> > > > > >   {
> > > > > >     "source": "ipahealthcheck.ipa.files",
> > > > > >     "check": "IPAFileCheck",
> > > > > >     "result": "CRITICAL",
> > > > > >     "uuid": "85deeb45-7e32-4f00-b2ab-a9b0484242c7",
> > > > > >     "when": "20221119105639Z",
> > > > > >     "duration": "0.083885",
> > > > > >     "kw": {
> > > > > >       "exception": "bus, object_path and dbus_interface must not be None."
> > > > > >     }
> > > > > >   }
> > > > > > ]
> > > > > >
> > > > > > On Sun, 20 Nov 2022 at 17:08, Mark Reynolds <marey...@redhat.com> wrote:
> > > > > >
> > > > > > > On 11/20/22 10:51 AM, Rob Verduijn wrote:
> > > > > > > > On Sun, 20 Nov 2022 15:57, Mark Reynolds <marey...@redhat.com> wrote:
> > > > > > > >
> > > > > > > > > On 11/20/22 9:06 AM, Sam Morris via FreeIPA-users wrote:
> > > > > > > > > > On Sat, 2022-11-19 at 11:57 +0100, Rob Verduijn via FreeIPA-users wrote:
> > > > > > > > > > > Hi all,
> > > > > > > > > > >
> > > > > > > > > > > I managed to get rid of another error but I still have plenty errors left.
> > > > > > > > > > >
> > > > > > > > > > > Any help would be appreciated.
> > > > > > > > > > >
> > > > > > > > > > > ipa-healthcheck errors remaining:
> > > > > > > > > > >
> > > > > > > > > > > ipa-healthcheck
> > > > > > > > > > > args=({'msgtype': 101, 'msgid': 3, 'result': 32, 'desc': 'No such
> > > > > > > > > > > object', 'ctrls': [], 'ldap_request':
> > > > > > > > > > > "search_ext_s(('cn=changelog5,cn=config', 0,
> > > > > > > > > > > '(objectClass=*)'),{'attrlist': ['nsslapd-changelogmaxentries'],
> > > > > > > > > > > 'serverctrls': None,'
> > > > > > > > > > > clientctrls': None, 'escapehatch': 'i am sure'}) on instance TJAKO-THUIS"},)
> > > > > > > > > > Is this your server telling you that the entry cn=changelog5,cn=config
> > > > > > > > > > does not exist? That sounds pretty bad... try running this (change
> > > > > > > > > > IPA-EXAMPLE-COM to the name of your dirsrv instance):
> > > > > > > > > >
> > > > > > > > > > ldapsearch -H ldapi://%2frun%2fslapd-IPA-EXAMPLE-COM.socket -Y EXTERNAL -b cn=changelog5,cn=config -s base
> > > > > > > > >
> > > > > > > > > This is fine actually. This is a bug we are looking into. It should not
> > > > > > > > > be outputting that exception. It's just checking if a backend has a
> > > > > > > > > changelog, not that it's expecting one. This can be ignored.
> > > > > > > > >
> > > > > > > > > Mark
> > > > > > > >
> > > > > > > > Can you share a link to this bug?
> > > > > > >
> > > > > > > https://bugzilla.redhat.com/show_bug.cgi?id=2115254
> > > > > > >
> > > > > > > > > > > {
> > > > > > > > > > >   "source": "ipahealthcheck.ipa.certs",
> > > > > > > > > > >   "check": "IPACertTracking",
> > > > > > > > > > >   "result": "CRITICAL",
> > > > > > > > > > >   "uuid": "6bab1187-3285-4059-9f92-a6e8fba54d2f",
> > > > > > > > > > >   "when": "20221119105634Z",
> > > > > > > > > > >   "duration": "0.721246",
> > > > > > > > > > >   "kw": {
> > > > > > > > > > >     "exception": "bus, object_path and dbus_interface must not be None."
> > > > > > > > > > >   }
> > > > > > > > > > > },
> > > > > > > > > > These look like D-Bus-related errors. Is certmonger started, can you
> > > > > > > > > > run 'getcert list'?
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Directory Server Development Team
> > > > > > >
> > > > > > > --
> > > > > > > Directory Server Development Team
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > > > > > > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> > > > > > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > > > > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> > > > > > > Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
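
The check described in the thread (look in /var/lib/certmonger/requests for a request file with no ca_name value), as an added read-only example that is not part of the original messages or of FreeIPA or certmonger. It assumes request files are plain text with one key=value pair per line; the function names and the sample directory contents are constructed for illustration, and as noted in the thread the daemon may hold state that the files do not show.

```bash
#!/bin/bash
# Added example: read-only audit of certmonger request files for a missing CA.
# Assumption: each request file is plain text, one key=value pair per line.

# Print "<file><TAB><marker>" for every request file that has no non-empty
# ca_name= line. <marker> is "pkinit" when the file mentions
# KDCs_PKINIT_Certs (the request discussed in this thread), else "other".
requests_missing_ca() {
    local dir f marker
    dir=${1:-/var/lib/certmonger/requests}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # A usable entry looks like ca_name=IPA; an empty value counts as missing.
        if grep -Eq '^ca_name=.+' "$f"; then
            continue
        fi
        marker=other
        if grep -q 'KDCs_PKINIT_Certs' "$f"; then
            marker=pkinit
        fi
        printf '%s\t%s\n' "$(basename "$f")" "$marker"
    done
}

# Build a constructed sample directory (not real certmonger data): one healthy
# request, one PKINIT request without ca_name, one with an empty ca_name.
make_sample_requests() {
    local dir
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'id=sample-httpd' 'ca_name=IPA' \
        'template_profile=caIPAserviceCert' > "$dir/20221119000001"
    printf '%s\n' 'id=sample-pkinit' \
        'template_profile=KDCs_PKINIT_Certs' > "$dir/20221119000002"
    printf '%s\n' 'id=sample-empty' 'ca_name=' > "$dir/20221119000003"
    echo "$dir"
}

# Demo on the constructed sample; on a server, call requests_missing_ca with
# no argument (as root) to scan /var/lib/certmonger/requests instead.
sample_dir=$(make_sample_requests)
requests_missing_ca "$sample_dir"
rm -rf "$sample_dir"
```

A file reported with the `pkinit` marker is the case fixed in the thread by stopping certmonger, adding ca_name=IPA to that file, and restarting certmonger.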