On Wed, Nov 07, 2018 at 01:04:05PM -0500, Rob Crittenden via FreeIPA-users wrote:
> William Muriithi via FreeIPA-users wrote:
> > Morning Rob
> >>> What's the process for either removing or making it known?
> >>
> >> I'll add something to the program about this too but for now you can run:
> >>
> >> # getcert list -i 20170919231606
> >>
> >> That will tell us what it is. It is perfectly fine to have certmonger
> >> track other certs on the system. I display unexpected ones as a
> >> just-in-case.
> >>
> >> It's supposed to display as just a warning. I'll fix that too since it
> >> is a little alarming.
> > This is the result I got on my end:
> >
> > Failures:
> >
> > Unable to find request for serial 268304424
> > Unable to find request for serial 268304426
> > Unable to find request for serial 268304425
> > Unable to find request for serial 268304423
>
> I'm not sure if this is an invalid test or a real error. I'm still
> waiting on the dogtag team to respond to
> https://bugzilla.redhat.com/show_bug.cgi?id=1641804 (your results are
> slightly different but of the same theme).
>
Request IDs are not related to serial numbers of issued certificates.
They just happen to coincide at the beginning. I responded to the BZ
with more details.

> > Subject O=ENG.EXAMPLE.COM,CN=zinc.eng.example.com and template subject
> > CN=lithium.eng.example.com,O=ENG.EXAMPLE.COM do not match for serial
> > 77
>
> Same as above.
>
> I don't know yet if this is a harbinger of doom or a red herring :-/
>
Probably an incorrect assumption. Most likely not a harbinger of doom.
Rob, can you please follow up with details on how this check is
conducted?

Cheers,
Fraser

> > Permissions of /etc/dirsrv/slapd-ENG-EXAMPLE-COM/key3.db are 0600 and
> > should be 0640
> > Permissions of /etc/dirsrv/slapd-ENG-EXAMPLE-COM/cert8.db are 0600 and
> > should be 0640
> > Permissions of /etc/dirsrv/slapd-ENG-EXAMPLE-COM/secmod.db are 0600
> > and should be 0640
>
> Yeah, this is probably fine. I may need to tweak the test to not look
> for specific permissions but rather check what is required and that it
> isn't too permissive.
>
> > Warnings:
> > Unknown certmonger ids: 20170812234301
>
> This one is fine. I may make a note to add more details to this. It is
> basically just a heads-up in case you have something tracked you forgot
> about.
>
> > [root@lithium bin]#
> >
> > The system so far seems healthy. Did these file permissions have a
> > stricter access that was relaxed later? I have never attempted to
> > change them, at least implicitly
>
> It may be related to different versions of IPA or something. This test
> is intended to ensure the ownership and permissions aren't wildly either
> too permissive or too restrictive. It apparently still needs some work.
>
> rob
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
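
The permission check discussed in the thread (test for what is required and for anything too permissive, rather than for one exact mode), sketched as an added example that is not part of the thread and not the FreeIPA project's code. The floor of 0600 and ceiling of 0640, the function names, and the two "constructed" file entries are assumptions for illustration.

```python
import stat

# Assumed policy for the NSS database files named in the thread: owner
# read/write is required (floor) and nothing beyond 0640 is allowed
# (ceiling). Both values are assumptions, not taken from the project.
REQUIRED = 0o600
CEILING = 0o640


def classify_mode(mode, required=REQUIRED, ceiling=CEILING):
    """Return (verdict, offending_bits) for a file mode.

    A mode passes when it contains every required bit and no bit outside
    the ceiling, so 0600 and 0640 both pass where an exact comparison
    against 0640 would flag 0600.
    """
    perms = stat.S_IMODE(mode)      # drop file-type bits from st_mode
    excess = perms & ~ceiling       # bits granted beyond the ceiling
    missing = required & ~perms     # required bits that are absent
    if excess:
        return "too permissive", excess
    if missing:
        return "too restrictive", missing
    return "ok", 0


def report(observed):
    """Map {path: mode} to a sorted list of (path, verdict, octal bits)."""
    findings = []
    for path, mode in sorted(observed.items()):
        verdict, bits = classify_mode(mode)
        findings.append((path, verdict, format(bits, "04o")))
    return findings


# The first three modes are the ones reported in the thread; the last two
# entries are constructed to show the failing cases.
DB_DIR = "/etc/dirsrv/slapd-ENG-EXAMPLE-COM"
OBSERVED = {
    DB_DIR + "/key3.db": 0o600,
    DB_DIR + "/cert8.db": 0o600,
    DB_DIR + "/secmod.db": 0o600,
    DB_DIR + "/constructed-world-readable.db": 0o644,
    DB_DIR + "/constructed-read-only.db": 0o400,
}

if __name__ == "__main__":
    for path, verdict, bits in report(OBSERVED):
        print(f"{verdict:16} {bits} {path}")
```

With these assumed bounds the three files from the thread pass, and only the constructed 0644 and 0400 entries are flagged.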