Kent C. Brodie via FreeIPA-users wrote:
> I just upgraded a 2-node master/master IPA setup, basically rebuilt it
> from CentOS 7 servers to Rocky 8.
>
> (the standard process… remove a replica… rebuild it, install FreeIPA,
> get back into replica mode, etc).
>
> Everything in the above process seems to have gone very well. Since I
> am now on a RHEL8-like host, I ran ipa-healthcheck.
>
> Of the two nodes, I am only seeing one error, and only on one node
> (error message below).
>
> A Red Hat access article claims this can be fixed by adding entries for
> the host in the local hosts file (no go, no difference).

Do you have a pointer to that article?

>
> DNS records properly exist for the FreeIPA node as well as the ipa-ca
> variant. (ipa-ca points to the IP addresses of both servers, been this
> way for a long time)
>
> Can anyone explain the seriousness of the following error, and perhaps
> also give me an idea what might fix it?

It's really only important if you use the ACME service.

>
> I of course would prefer my ipa-healthchecks to complete without any
> issues. (Thanks all!)
>
> (side note: There ARE
>
> [
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertDNSSAN",
>     "result": "ERROR",
>     "uuid": "5576f96d-cee4-475e-b5ee-0466fe6bfa58",
>     "when": "20221007165940Z",
>     "duration": "0.422118",
>     "kw": {
>       "key": "20221006190547",
>       "hostname": "ipa-ca.rgd.mcw.edu",
>       "san": [
>         "voq.rgd.mcw.edu"
>       ],
>       "ca": "IPA",
>       "profile": "caIPAserviceCert",
>       "msg": "Certificate request id {key} with profile {profile} for CA {ca} does not have a DNS SAN {san} matching name {hostname}"
>     }
>   }
> ]

You can fix this with: getcert resubmit -i 20221006190547 -D voq.rgd.mcw.edu

rob
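
An added example, not part of the original messages: a small triage script that reads ipa-healthcheck JSON output, picks out IPACertDNSSAN findings, fills the `{placeholders}` in `msg` from the `kw` fields, and reports whether the expected name is absent from the SAN list. The function names are hypothetical and the sample input is constructed from the finding quoted above.

```python
import json

# Constructed sample: the single finding quoted in this thread.
SAMPLE = """
[{"source": "ipahealthcheck.ipa.certs", "check": "IPACertDNSSAN",
  "result": "ERROR",
  "kw": {"key": "20221006190547", "hostname": "ipa-ca.rgd.mcw.edu",
         "san": ["voq.rgd.mcw.edu"], "ca": "IPA",
         "profile": "caIPAserviceCert",
         "msg": "Certificate request id {key} with profile {profile} for CA {ca} does not have a DNS SAN {san} matching name {hostname}"}}]
"""


def norm(name):
    """DNS names compare case-insensitively; ignore a trailing root dot."""
    return name.lower().rstrip(".")


def render(kw):
    """Fill the {placeholders} in kw["msg"] from the other kw fields.

    Plain text replacement is used instead of str.format so that a
    template read from a file cannot reach object attributes.
    """
    text = kw.get("msg", "")
    for field, value in kw.items():
        if field == "msg":
            continue
        shown = ", ".join(value) if isinstance(value, list) else str(value)
        text = text.replace("{" + field + "}", shown)
    return text


def dns_san_findings(report_json):
    """Summarise every IPACertDNSSAN result that is not SUCCESS."""
    findings = []
    for item in json.loads(report_json):
        if item.get("check") != "IPACertDNSSAN" or item.get("result") == "SUCCESS":
            continue
        kw = item.get("kw", {})
        present = [norm(n) for n in kw.get("san", [])]
        wanted = norm(kw.get("hostname", ""))
        findings.append({"request_id": kw.get("key"), "wanted": wanted,
                         "present": present, "absent": wanted not in present,
                         "message": render(kw)})
    return findings


if __name__ == "__main__":
    for f in dns_san_findings(SAMPLE):
        print(f["request_id"], "absent" if f["absent"] else "present", f["message"])
```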