William Muriithi via FreeIPA-users wrote:
> Morning Rob
>>> What's the process for either removing or making it known?
>>
>> I'll add something to the program about this too but for now you can run:
>>
>> # getcert list -i 20170919231606
>>
>> That will tell us what it is. It is perfectly fine to have certmonger
>> track other certs on the system. I display unexpected ones as a
>> just-in-case.
>>
>> It's supposed to display as just a warning. I'll fix that too since it
>> is a little alarming.
> This is the result I got on my end:
> 
> Failures:
> 
> Unable to find request for serial 268304424
> Unable to find request for serial 268304426
> Unable to find request for serial 268304425
> Unable to find request for serial 268304423

I'm not sure if this is an invalid test or a real error. I'm still
waiting on the dogtag team to respond to
https://bugzilla.redhat.com/show_bug.cgi?id=1641804 (your results are
slightly different but of the same theme).

> Subject O=ENG.EXAMPLE.COM,CN=zinc.eng.example.com and template subject
> CN=lithium.eng.example.com,O=ENG.EXAMPLE.COM do not match for serial
> 77

Same as above.

I don't know yet if this is a harbinger of doom or a red herring :-/

> Permissions of /etc/dirsrv/slapd-ENG-EXAMPLE-COM/key3.db are 0600 and
> should be 0640
> Permissions of /etc/dirsrv/slapd-ENG-EXAMPLE-COM/cert8.db are 0600 and
> should be 0640
> Permissions of /etc/dirsrv/slapd-ENG-EXAMPLE-COM/secmod.db are 0600
> and should be 0640

Yeah, this is probably fine. I may need to tweak the test to not look
for specific permissions but rather check what is required and that it
isn't too permissive.

> Warnings:
> Unknown certmonger ids: 20170812234301

This one is fine. I may make a note to add more details to this. It is
basically just a heads-up in case you have something tracked you forgot
about.

> [root@lithium bin]#
> 
> The system so far seems healthy.  Did these file permissions have a
> stricter access that was relaxed later?  I have never attempted to
> change them, at least implicitly

It may be related to different versions of IPA or something. This test
is intended to ensure the ownership and permissions aren't wildly either
too permissive or too restrictive. It apparently still needs some work.

rob
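
The approach described above for the permissions test (check what is required and that the mode is not too permissive, rather than match one exact value), as an added Python example that is not part of the original message and is not the healthcheck tool's own code. The `required` and `maximum` defaults, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import stat
import tempfile


def check_mode(path, required=0o600, maximum=0o640):
    """Compare a file's mode against a permitted range, not one exact value.

    required: bits that must be present (assumed here: owner read/write)
    maximum:  widest mode tolerated; any bit outside it is too permissive
    Returns a list of (severity, message); an empty list means acceptable.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    missing = required & ~mode   # needed bits that are not set
    extra = mode & ~maximum      # set bits beyond the tolerated maximum
    if missing:
        findings.append(("too restrictive",
                         f"{path} is {mode:04o}, missing bits {missing:04o}"))
    if extra:
        findings.append(("too permissive",
                         f"{path} is {mode:04o}, extra bits {extra:04o}"))
    return findings


def demo():
    """Run the check over constructed sample files; returns {mode: [severity]}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for mode in (0o600, 0o640, 0o644, 0o400, 0o444):
            path = os.path.join(tmp, f"sample-{mode:04o}.db")
            with open(path, "w"):
                pass
            os.chmod(path, mode)  # chmod is not affected by the umask
            results[mode] = [sev for sev, _ in check_mode(path)]
    return results


if __name__ == "__main__":
    for mode, severities in demo().items():
        print(f"{mode:04o}: {', '.join(severities) or 'ok'}")
```

With these assumed bounds, both 0600 and 0640 pass, so a database left at the stricter 0600 would no longer be reported as a failure.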