Kent C. Brodie via FreeIPA-users wrote:
> I just upgraded a 2-node master/master ipa setup- basically rebuilt it
> from Centos7 servers to Rocky8.
>
> (the standard process… remove a replica… rebuild it, install freeipa,
> get back into replica mode, etc).
>
> Everything in the above process seems to have gone very well. Since I
> am now on a RHEL8-like host, I ran ipa-healthcheck.
>
> Of the two nodes, I am only seeing one error, and only on one node
> (error message below).
>
> A redhat access article claims this can be fixed by adding entries for
> the host in the local hosts file (no go, no difference).

Do you have a pointer to that article?

> DNS records properly exist for the freeipa node as well as the ipa-ca
> variant. (ipa-ca points to the IP addresses of both servers, been this
> way for a long time)
>
> Can anyone explain the seriousness of the following error, and perhaps
> also give me an idea what might fix it?

It's really only important if you use the ACME service.

> I of course would prefer my ipa-healthchecks to complete without any
> issues. (Thanks all!)
>
> (side note: There ARE
>
> [
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertDNSSAN",
>     "result": "ERROR",
>     "uuid": "5576f96d-cee4-475e-b5ee-0466fe6bfa58",
>     "when": "20221007165940Z",
>     "duration": "0.422118",
>     "kw": {
>       "key": "20221006190547",
>       "hostname": "ipa-ca.rgd.mcw.edu",
>       "san": [
>         "voq.rgd.mcw.edu"
>       ],
>       "ca": "IPA",
>       "profile": "caIPAserviceCert",
>       "msg": "Certificate request id {key} with profile {profile} for CA {ca} does not have a DNS SAN {san} matching name {hostname}"
>     }
>   }
> ]

You can fix this with:

getcert resubmit -i 20221006190547 -D voq.rgd.mcw.edu

rob
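
Added example, not part of the original thread and not FreeIPA's own code: a small Python triage script for ipa-healthcheck JSON output like the report quoted above. It expands each finding's `msg` template from the sibling `kw` fields and, for `IPACertDNSSAN`, pulls out the certmonger request id, the name the check expected and the SANs the certificate carries. The function names and the embedded sample (rebuilt from the quoted report, plus one constructed passing entry) are assumptions of this example.

```python
import json

# Sample rebuilt from the report quoted in this thread, plus one constructed
# SUCCESS entry to show that passing checks are filtered out.
SAMPLE = r'''
[
  {"source": "ipahealthcheck.ipa.certs", "check": "IPACertDNSSAN",
   "result": "ERROR", "uuid": "5576f96d-cee4-475e-b5ee-0466fe6bfa58",
   "when": "20221007165940Z", "duration": "0.422118",
   "kw": {"key": "20221006190547", "hostname": "ipa-ca.rgd.mcw.edu",
          "san": ["voq.rgd.mcw.edu"], "ca": "IPA",
          "profile": "caIPAserviceCert",
          "msg": "Certificate request id {key} with profile {profile} for CA {ca} does not have a DNS SAN {san} matching name {hostname}"}},
  {"source": "constructed.example", "check": "ConstructedCheck",
   "result": "SUCCESS", "uuid": "00000000-0000-0000-0000-000000000000",
   "when": "20221007165940Z", "duration": "0.000001", "kw": {}}
]
'''

class _Keep(dict):
    """Leave unknown {placeholders} in place instead of raising KeyError."""
    def __missing__(self, key):
        return "{" + key + "}"

def render(entry):
    """Fill the msg template from the other kw fields of one result entry."""
    kw = entry.get("kw", {})
    msg = kw.get("msg", "")
    try:
        return msg.format_map(_Keep(kw))
    except (ValueError, IndexError):  # stray braces: show the raw text
        return msg

def findings(report_text):
    """Return every non-SUCCESS result, with SAN details where available."""
    out = []
    for entry in json.loads(report_text):
        if entry.get("result") == "SUCCESS":
            continue
        item = {"check": entry["check"], "result": entry["result"],
                "message": render(entry)}
        if entry["check"] == "IPACertDNSSAN":
            kw = entry["kw"]
            item.update(request_id=kw["key"], expected_name=kw["hostname"],
                        present_sans=list(kw["san"]))
        out.append(item)
    return out

if __name__ == "__main__":
    for f in findings(SAMPLE):
        print(f["result"], f["check"], "-", f["message"])
```
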