Kent C. Brodie via FreeIPA-users wrote:
> I just upgraded a 2-node master/master ipa setup, basically rebuilt it
> from Centos7 servers to Rocky8.
>
> (the standard process… remove a replica… rebuild it, install freeipa,
> get back into replica mode, etc).
>
> Everything in the above process seems to have gone very well. Since I
> am now on a RHEL8-like host, I ran ipa-healthcheck.
>
> Of the two nodes, I am only seeing one error, and only on one node
> (error message below).
>
> A Red Hat access article claims this can be fixed by adding entries for
> the host in the local hosts file (no go, no difference).

Do you have a pointer to that article?

> DNS records properly exist for the freeipa node as well as the ipa-ca
> variant. (ipa-ca points to the IP addresses of both servers, been this
> way for a long time)
>
> Can anyone explain the seriousness of the following error, and perhaps
> also give me an idea what might fix it?

It's really only important if you use the ACME service.

> I of course would prefer my ipa-healthchecks to complete without any
> issues. (Thanks all!)
>
> (side note: There ARE
>
> [
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertDNSSAN",
>     "result": "ERROR",
>     "uuid": "5576f96d-cee4-475e-b5ee-0466fe6bfa58",
>     "when": "20221007165940Z",
>     "duration": "0.422118",
>     "kw": {
>       "key": "20221006190547",
>       "hostname": "ipa-ca.rgd.mcw.edu",
>       "san": [
>         "voq.rgd.mcw.edu"
>       ],
>       "ca": "IPA",
>       "profile": "caIPAserviceCert",
>       "msg": "Certificate request id {key} with profile {profile} for CA {ca} does not have a DNS SAN {san} matching name {hostname}"
>     }
>   }
> ]

You can fix this with: getcert resubmit -i 20221006190547 -D voq.rgd.mcw.edu
rob
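
Added example (not part of the original thread, and not FreeIPA code): a small Python triage script that picks IPACertDNSSAN failures out of ipa-healthcheck JSON output and fills the {key}-style placeholders in "msg" from the other "kw" fields. The sample input is the result quoted above; the function names are hypothetical.

```python
import json

# Sample input: the ipa-healthcheck result quoted in the thread above.
SAMPLE = r'''
[
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertDNSSAN",
    "result": "ERROR",
    "uuid": "5576f96d-cee4-475e-b5ee-0466fe6bfa58",
    "when": "20221007165940Z",
    "duration": "0.422118",
    "kw": {
      "key": "20221006190547",
      "hostname": "ipa-ca.rgd.mcw.edu",
      "san": ["voq.rgd.mcw.edu"],
      "ca": "IPA",
      "profile": "caIPAserviceCert",
      "msg": "Certificate request id {key} with profile {profile} for CA {ca} does not have a DNS SAN {san} matching name {hostname}"
    }
  }
]
'''

def render(result):
    """Fill the {placeholders} in kw['msg'] from the other kw fields."""
    kw = result.get("kw", {})
    msg = kw.get("msg", "")
    try:
        return msg.format(**{k: v for k, v in kw.items() if k != "msg"})
    except (KeyError, IndexError, ValueError):
        return msg  # field missing or stray brace: keep the raw template

def dns_san_findings(results):
    """Return one record per non-SUCCESS IPACertDNSSAN result (hypothetical helper)."""
    findings = []
    for r in results:
        if r.get("check") != "IPACertDNSSAN" or r.get("result") == "SUCCESS":
            continue
        kw = r.get("kw", {})
        host, san = kw.get("hostname", ""), kw.get("san", [])
        # DNS names compare case-insensitively
        missing = host if host.lower() not in [s.lower() for s in san] else None
        findings.append({"request_id": kw.get("key"), "missing": missing,
                         "present": san, "message": render(r)})
    return findings

if __name__ == "__main__":
    for f in dns_san_findings(json.loads(SAMPLE)):
        print(f["request_id"], "missing:", f["missing"], "|", f["message"])
```

The "request_id" field is the certmonger request id, the same value passed to getcert with -i in the reply above.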