On 13-12-19 15:00, Rob Crittenden wrote:
> Kees Bakker wrote:
>> On 06-11-19 17:16, Rob Crittenden wrote:
>>> Kees Bakker via FreeIPA-users wrote:
>>>> Thanks Rob
>>>>
>>>> Here are my findings, mainly as an FYI.
>>>>
>>>> On the CA master it reports the following (which I have to investigate)
>>>> [
>>>>   {
>>>>     "source": "ipahealthcheck.ipa.certs",
>>>>     "kw": {
>>>>       "msg": "Unknown certmonger id 20190412141828",
>>>>       "key": "20190412141828"
>>>>     },
>>>>     "uuid": "f3d6ccb9-fb82-49ac-aa02-f485d08826c3",
>>>>     "duration": "0.980984",
>>>>     "when": "20191106095349Z",
>>>>     "check": "IPACertTracking",
>>>>     "result": "WARNING"
>>>>   }
>>>> ]
>>> To see what the request is run:
>>>
>>> # getcert list -i 20190412141828
>>>
>>> It may be perfectly fine, it is acceptable to track other certs on the
>>> master, it is just unexpected so healthcheck is warning about it.
>>>
>>
>> The warning is for a cert that I created for a FreeRADIUS server (which
>> I never actually managed to get working).
>>
>> The warning is a bit annoying because the cert is alright, I think. It is
>> listed with "status: MONITORING".
>> So, I think that the cert is not unknown to certmonger, despite what the
>> error suggests.
>>
>> I am considering to create another cert for some other service, in the same
>> manner as I did for freeRADIUS. That new cert would then also be flagged with
>> a warning.
>>
>
> This particular check isn't verifying whether the cert is ok. It is
> checking that the tracking for the standard IPA certs is done correctly.
>
> If there are additional certs it has no way to know to validate them so
> warns instead. We discourage running additional software on an IPA
> master. Using a master to manage a cert is probably fine but is a grey
> area. I chose to warn as a heads-up, to keep a paranoid stance of
> warning on anything unexpected.

Ah, I see. So, I better not do that then.

>
> I have an idea to create an ignore list but it probably won't see the
> light of day for a while.
>
> This is good feedback, thanks.

Likewise.
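Until something like the ignore list mentioned in the thread exists, the JSON report can be post-processed outside ipa-healthcheck. The following is an added example, not part of the original thread or of the ipa-healthcheck project: it acknowledges the IPACertTracking "Unknown certmonger id" warning only for request ids in a hypothetical, locally maintained `REVIEWED_IDS` allowlist and passes every other finding through. All sample entries after the first are constructed.

```python
import json

# Constructed sample in the shape of the report quoted in the thread.
# Only the first entry's id comes from the thread; the rest are invented.
SAMPLE_REPORT = json.dumps([
    {"source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking",
     "result": "WARNING",
     "kw": {"msg": "Unknown certmonger id 20190412141828", "key": "20190412141828"}},
    {"source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking",
     "result": "WARNING",
     "kw": {"msg": "Unknown certmonger id 20990101000000", "key": "20990101000000"}},
    {"source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking",
     "result": "ERROR",
     "kw": {"msg": "constructed non-matching finding", "key": "20190412141828"}},
])

# Hypothetical allowlist: request ids inspected with `getcert list -i <id>`.
REVIEWED_IDS = {"20190412141828": "FreeRADIUS server cert"}
UNKNOWN_PREFIX = "Unknown certmonger id "


def triage(report_json, reviewed):
    """Return (acknowledged, needs_review) for a healthcheck JSON report.

    A finding is acknowledged only if it is a WARNING from IPACertTracking,
    its message is exactly the unknown-id message, and the id was reviewed.
    Anything else that is not SUCCESS is returned for review unchanged.
    """
    acknowledged, needs_review = [], []
    for finding in json.loads(report_json):
        if finding.get("result") == "SUCCESS":
            continue
        kw = finding.get("kw") or {}
        key = kw.get("key")
        is_unknown_id = (
            finding.get("source") == "ipahealthcheck.ipa.certs"
            and finding.get("check") == "IPACertTracking"
            and finding.get("result") == "WARNING"
            and kw.get("msg") == UNKNOWN_PREFIX + str(key)
        )
        if is_unknown_id and key in reviewed:
            acknowledged.append((key, reviewed[key]))
        else:
            needs_review.append(finding)
    return acknowledged, needs_review


if __name__ == "__main__":
    acked, review = triage(SAMPLE_REPORT, REVIEWED_IDS)
    for key, why in acked:
        print(f"acknowledged {key}: {why}")
    for f in review:
        print(f"REVIEW {f.get('result')} {f.get('check')}: {(f.get('kw') or {}).get('msg')}")
```

Matching on source, check, result and the exact message keeps a reviewed id from hiding a different finding that happens to carry the same key.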
