It turns out that also ipa01 (the CA renewal master) has an issue: Unable to communicate with CMS (403)

I found this: https://www.mail-archive.com/freeipa-users@lists.fedorahosted.org/msg12594.html
which mentions both "secret" and "requiredSecret" should be in /etc/pki/pki-tomcat/server.xml and match.

On ipa01 (VERSION: 4.9.8, API_VERSION: 2.246), I see only "secret".
On ipa02 (VERSION: 4.9.8, API_VERSION: 2.245), I see only "requiredSecret".

Can this be important?

Besides this, I ran ipa-healthcheck on both; the result is in the attachment.

On Wed, 16 Nov 2022 at 10:46, Roberto Cornacchia <roberto.cornacc...@gmail.com> wrote:

> I also found in the journal:
>
> Nov 16 07:40:11 ipa02.hq.spinque.com certmonger[10967]: 2022-11-16 07:40:11 [10967] Running enrollment/cadata helper "/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit".
> Nov 16 07:40:11 ipa02.hq.spinque.com certmonger[10967]: Error opening "/etc/httpd/alias/pwdfile.txt": No such file or directory.
>
> On Wed, 16 Nov 2022 at 10:34, Roberto Cornacchia <roberto.cornacc...@gmail.com> wrote:
>
>> No luck with that, unfortunately:
>>
>> # getcert resubmit -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -v -w
>> No request found that matched arguments.
>>
>> # getcert list
>> Number of certificates and requests being tracked: 0.
>>
>> On Wed, 16 Nov 2022 at 01:40, Rob Crittenden <rcrit...@redhat.com> wrote:
>>
>>> Roberto Cornacchia via FreeIPA-users wrote:
>>> >
>>> > I'm not sure why it was not renewed, but now that it is in this
>>> > state, what would be the correct procedure to renew it?
>>> >
>>> > The other IPA server is the CA renewal master and it does have a valid
>>> > certificate.
>>>
>>> The CA subsystem certificates are renewed on the renewal master server
>>> and put into LDAP. The CA clones will pick up the certificates from
>>> there. You can force it to try to fetch it with:
>>>
>>> # getcert resubmit -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -v -w
>>>
>>> With -v and -w you'll be able to follow along with the progress.
>>>
>>> rob
Expired Cert: ocsp_signing Expired Cert: subsystem Expired Cert: audit_signing Internal server error HTTPConnectionPool(host='ipa02.hq.spinque.com', port=8080): Max retries exceeded with url: /ca/rest/securityDomain/domainInfo (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fb544361f28>: Failed to establish a new connection: [Errno 111] Connection refused',)) Internal server error HTTPSConnectionPool(host='ipa02.hq.spinque.com', port=8443): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fb54422d1d0>: Failed to establish a new connection: [Errno 111] Connection refused',)) Unhandler rdtype 256 Unhandler rdtype 256 Unhandler rdtype 256 Unhandler rdtype 256 Unhandler rdtype 256 Unhandler rdtype 256 Unhandler rdtype 256 Unhandler rdtype 256 [ { "source": "ipahealthcheck.meta.services", "check": "ipa_dnskeysyncd", "result": "ERROR", "uuid": "428f9e24-cc48-4db2-8600-f7561b191921", "when": "20221116113421Z", "duration": "0.010753", "kw": { "status": false, "msg": "ipa-dnskeysyncd: not running" } }, { "source": "ipahealthcheck.meta.services", "check": "ipa_otpd", "result": "ERROR", "uuid": "5e31e2cf-1acf-4432-86ef-a47608f6c73b", "when": "20221116113421Z", "duration": "0.010732", "kw": { "status": false, "msg": "ipa-otpd: not running" } }, { "source": "ipahealthcheck.meta.services", "check": "pki_tomcatd", "result": "ERROR", "uuid": "7b28f0b7-9f69-4840-af4a-daf8880ec668", "when": "20221116113421Z", "duration": "0.000768", "kw": { "status": false, "msg": "pki_tomcatd: not running" } }, { "source": "pki.server.healthcheck.certs.expiration", "check": "CASystemCertExpiryCheck", "result": "ERROR", "uuid": "49d19a69-32b6-4ed0-9e89-ac71d94aa1ae", "when": "20221116113421Z", "duration": "0.160780", "kw": { "cert_id": "ocsp_signing", "expiry_date": "Nov 11 2022", "msg": "Certificate has ALREADY EXPIRED" } }, { "source": 
"pki.server.healthcheck.certs.expiration", "check": "CASystemCertExpiryCheck", "result": "ERROR", "uuid": "b66e5599-328a-47ef-a31a-7333b8e89701", "when": "20221116113422Z", "duration": "0.318043", "kw": { "cert_id": "subsystem", "expiry_date": "Nov 11 2022", "msg": "Certificate has ALREADY EXPIRED" } }, { "source": "pki.server.healthcheck.certs.expiration", "check": "CASystemCertExpiryCheck", "result": "ERROR", "uuid": "3ebc2eff-021a-4a3a-9c02-3f62d2887c57", "when": "20221116113422Z", "duration": "0.394552", "kw": { "cert_id": "audit_signing", "expiry_date": "Nov 11 2022", "msg": "Certificate has ALREADY EXPIRED" } }, { "source": "pki.server.healthcheck.meta.connectivity", "check": "DogtagCACertsConnectivityCheck", "result": "CRITICAL", "uuid": "22171f05-6cca-4493-84fd-ad033dae3409", "when": "20221116113423Z", "duration": "0.014606", "kw": { "msg": "Internal server error. Is your CA subsystem and LDAP database up?", "instance_name": "pki-tomcat", "exception": "HTTPSConnectionPool(host='ipa02.hq.spinque.com', port=8443): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fb54422d1d0>: Failed to establish a new connection: [Errno 111] Connection refused',))" } }, { "source": "ipahealthcheck.dogtag.ca", "check": "DogtagCertsConnectivityCheck", "result": "ERROR", "uuid": "a09deea7-958f-4937-bd87-08a962258359", "when": "20221116113423Z", "duration": "0.266179", "kw": { "msg": "Request for certificate failed, cannot connect to 'https://ipa02.hq.spinque.com:443/ca/rest/certs/1': [SSL: SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:2354)" } }, { "source": "ipahealthcheck.ds.replication", "check": "ReplicationCheck", "result": "ERROR", "uuid": "c15f9b75-47c4-4408-a92a-36e27017c945", "when": "20221116113423Z", "duration": "0.166950", "kw": { "key": "DSREPLLE0005", "items": [ "Replication", "Agreement" ], "msg": "The replication agreement 
(ipa02.hq.spinque.com-to-ipa03.hq.spinque.com) under \"dc=hq,dc=spinque,dc=com\" is not in synchronization,\nbecause the consumer server is not reachable." } }, { "source": "ipahealthcheck.ds.replication", "check": "ReplicationCheck", "result": "ERROR", "uuid": "4a8b76fb-1a2b-4420-ae37-8736fb4a0666", "when": "20221116113424Z", "duration": "0.166973", "kw": { "key": "DSREPLLE0005", "items": [ "Replication", "Agreement" ], "msg": "The replication agreement (ipa02.hq.spinque.com-to-ipa03.hq.spinque.com) under \"o=ipaca\" is not in synchronization,\nbecause the consumer server is not reachable." } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking", "result": "ERROR", "uuid": "7b66d59b-70a0-40eb-b5d6-3361490c987a", "when": "20221116113424Z", "duration": "0.328724", "kw": { "key": "cert-file=/var/lib/ipa/ra-agent.pem, key-file=/var/lib/ipa/ra-agent.key, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/renew_ra_cert_pre, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ra_cert", "msg": "Expected certmonger tracking is missing for {key}. Automated renewal will not happen for this certificate" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking", "result": "ERROR", "uuid": "5d938181-74bc-48b4-822c-77d6840ee339", "when": "20221116113424Z", "duration": "0.330127", "kw": { "key": "cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=auditSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"auditSigningCert cert-pki-ca\", template-profile=caSignedLogCert", "msg": "Expected certmonger tracking is missing for {key}. 
Automated renewal will not happen for this certificate" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking", "result": "ERROR", "uuid": "93a3977d-f118-490a-bd83-c2f115c8969c", "when": "20221116113424Z", "duration": "0.331468", "kw": { "key": "cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=ocspSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"ocspSigningCert cert-pki-ca\", template-profile=caOCSPCert", "msg": "Expected certmonger tracking is missing for {key}. Automated renewal will not happen for this certificate" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking", "result": "ERROR", "uuid": "d07fe28c-1a69-408d-8ec9-aad6e3d1736e", "when": "20221116113424Z", "duration": "0.332812", "kw": { "key": "cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=subsystemCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"subsystemCert cert-pki-ca\", template-profile=caSubsystemCert", "msg": "Expected certmonger tracking is missing for {key}. Automated renewal will not happen for this certificate" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking", "result": "ERROR", "uuid": "a3591351-d6e8-4eda-8369-1202c7734cdf", "when": "20221116113424Z", "duration": "0.334141", "kw": { "key": "cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=caSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"caSigningCert cert-pki-ca\", template-profile=caCACert", "msg": "Expected certmonger tracking is missing for {key}. 
Automated renewal will not happen for this certificate" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking", "result": "ERROR", "uuid": "4ac27592-1c76-4979-b173-92ab730f203e", "when": "20221116113424Z", "duration": "0.335484", "kw": { "key": "cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=Server-Cert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert \"Server-Cert cert-pki-ca\", template-profile=caServerCert", "msg": "Expected certmonger tracking is missing for {key}. Automated renewal will not happen for this certificate" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking", "result": "ERROR", "uuid": "c27052f3-66b2-43f6-9bc7-816a0749aa41", "when": "20221116113424Z", "duration": "0.336819", "kw": { "key": "cert-file=/var/lib/ipa/certs/httpd.crt, key-file=/var/lib/ipa/private/httpd.key, ca-name=IPA, cert-postsave-command=/usr/libexec/ipa/certmonger/restart_httpd", "msg": "Expected certmonger tracking is missing for {key}. Automated renewal will not happen for this certificate" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking", "result": "ERROR", "uuid": "7cd05728-10ff-48d8-8200-e7e1d08835c1", "when": "20221116113424Z", "duration": "0.338150", "kw": { "key": "cert-database=/etc/dirsrv/slapd-HQ-SPINQUE-COM, cert-nickname=Server-Cert, ca-name=IPA, cert-postsave-command=/usr/libexec/ipa/certmonger/restart_dirsrv HQ-SPINQUE-COM", "msg": "Expected certmonger tracking is missing for {key}. 
Automated renewal will not happen for this certificate" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking", "result": "ERROR", "uuid": "b31b1b25-2909-4547-bc3a-b902e54cbf45", "when": "20221116113424Z", "duration": "0.339508", "kw": { "key": "cert-file=/var/kerberos/krb5kdc/kdc.crt, key-file=/var/kerberos/krb5kdc/kdc.key, ca-name=None, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_kdc_cert", "msg": "Expected certmonger tracking is missing for {key}. Automated renewal will not happen for this certificate" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertDNSSAN", "result": "ERROR", "uuid": "c4c329d7-a6c5-44ec-8fee-aa65073f2f8d", "when": "20221116113424Z", "duration": "0.329118", "kw": { "key": null, "msg": "Found request id {key} but it is not trackedby certmonger!?" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertDNSSAN", "result": "ERROR", "uuid": "2334edd9-df32-42a9-9cc8-bdc618e5f1ae", "when": "20221116113424Z", "duration": "0.330471", "kw": { "key": null, "msg": "Found request id {key} but it is not trackedby certmonger!?" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertDNSSAN", "result": "ERROR", "uuid": "65dcad1b-47cf-42df-8c5c-5e1290273886", "when": "20221116113424Z", "duration": "0.331785", "kw": { "key": null, "msg": "Found request id {key} but it is not trackedby certmonger!?" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertDNSSAN", "result": "ERROR", "uuid": "66e9c9d4-a88f-4bc9-80c1-4d533694b2ff", "when": "20221116113424Z", "duration": "0.333117", "kw": { "key": null, "msg": "Found request id {key} but it is not trackedby certmonger!?" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertDNSSAN", "result": "ERROR", "uuid": "731366cf-65e1-46b7-8a04-c137527f1f8a", "when": "20221116113424Z", "duration": "0.334439", "kw": { "key": null, "msg": "Found request id {key} but it is not trackedby certmonger!?" 
} }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertDNSSAN", "result": "ERROR", "uuid": "3148ff11-498b-48dc-bf58-38682367090c", "when": "20221116113424Z", "duration": "0.335765", "kw": { "key": null, "msg": "Found request id {key} but it is not trackedby certmonger!?" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertDNSSAN", "result": "ERROR", "uuid": "4b7a761a-aba5-4653-9442-6e444e07b8d0", "when": "20221116113424Z", "duration": "0.337106", "kw": { "key": null, "msg": "Found request id {key} but it is not trackedby certmonger!?" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertDNSSAN", "result": "ERROR", "uuid": "d00c9878-0f81-4d75-b4f0-83fe244401d8", "when": "20221116113424Z", "duration": "0.338417", "kw": { "key": null, "msg": "Found request id {key} but it is not trackedby certmonger!?" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertDNSSAN", "result": "ERROR", "uuid": "e5e77586-c5b7-498f-aa84-ea442606b423", "when": "20221116113424Z", "duration": "0.339691", "kw": { "key": null, "msg": "Found request id {key} but it is not trackedby certmonger!?" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPAOpenSSLChainValidation", "result": "ERROR", "uuid": "217ee434-4c2b-43e6-9fa7-3761c3284eb0", "when": "20221116113426Z", "duration": "0.013590", "kw": { "key": "/var/lib/ipa/ra-agent.pem", "reason": "O = HQ.SPINQUE.COM, CN = IPA RA\nerror 10 at 0 depth lookup: certificate has expired\n", "msg": "Certificate validation for {key} failed: {reason}" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPARAAgent", "result": "ERROR", "uuid": "343f2c35-5d69-43f1-a21b-4a01f5be6eb9", "when": "20221116113426Z", "duration": "0.026160", "kw": { "expected": "2;1610547201;CN=Certificate Authority,O=HQ.SPINQUE.COM;CN=IPA RA,O=HQ.SPINQUE.COM", "got": "2;1610547213;CN=Certificate Authority,O=HQ.SPINQUE.COM;CN=IPA RA,O=HQ.SPINQUE.COM", "msg": "RA agent description does not match. 
Found {got} in LDAP and expected {expected}" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR", "uuid": "a345c2ae-4a66-484a-9099-7fa65c1b41e5", "when": "20221116113427Z", "duration": "0.351179", "kw": { "key": null, "serial": 1610547201, "error": "cannot connect to 'https://ipa02.hq.spinque.com:443/ca/rest/certs/1610547201': [SSL: SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:2354)", "msg": "Request for certificate serial number {serial} in request {key} failed: {error}" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR", "uuid": "d45b2b0f-d0ae-4ec9-a11a-9acf86524572", "when": "20221116113427Z", "duration": "0.405761", "kw": { "key": null, "serial": 1610547204, "error": "cannot connect to 'https://ipa02.hq.spinque.com:443/ca/rest/certs/1610547204': [SSL: SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:2354)", "msg": "Request for certificate serial number {serial} in request {key} failed: {error}" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR", "uuid": "e5053f4b-9f70-4e84-9c27-f50321523163", "when": "20221116113427Z", "duration": "0.462256", "kw": { "key": null, "serial": 1610547203, "error": "cannot connect to 'https://ipa02.hq.spinque.com:443/ca/rest/certs/1610547203': [SSL: SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:2354)", "msg": "Request for certificate serial number {serial} in request {key} failed: {error}" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR", "uuid": "b15253d7-9235-45be-8fbf-49154959bb18", "when": "20221116113427Z", "duration": "0.517687", "kw": { "key": null, "serial": 1610547202, "error": "cannot connect to 'https://ipa02.hq.spinque.com:443/ca/rest/certs/1610547202': [SSL: SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:2354)", "msg": "Request for certificate serial 
number {serial} in request {key} failed: {error}" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR", "uuid": "97d76838-5cf6-4d6e-960b-269f4eb955f4", "when": "20221116113427Z", "duration": "0.572890", "kw": { "key": null, "serial": 1, "error": "cannot connect to 'https://ipa02.hq.spinque.com:443/ca/rest/certs/1': [SSL: SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:2354)", "msg": "Request for certificate serial number {serial} in request {key} failed: {error}" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR", "uuid": "c8c52c5f-f0a0-4232-bebf-e485e44490ce", "when": "20221116113427Z", "duration": "0.628354", "kw": { "key": null, "serial": 1610547208, "error": "cannot connect to 'https://ipa02.hq.spinque.com:443/ca/rest/certs/1610547208': [SSL: SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:2354)", "msg": "Request for certificate serial number {serial} in request {key} failed: {error}" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR", "uuid": "73f064ef-c4a2-4597-9646-0fda4eb59a19", "when": "20221116113427Z", "duration": "0.643545", "kw": { "key": null, "serial": 1610547207, "error": "cannot connect to 'https://ipa02.hq.spinque.com:443/ca/rest/certs/1610547207': [SSL: SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:2354)", "msg": "Request for certificate serial number {serial} in request {key} failed: {error}" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR", "uuid": "06897905-b5da-441c-96b7-7adbaf338ca1", "when": "20221116113427Z", "duration": "0.700798", "kw": { "key": null, "serial": 1610547206, "error": "cannot connect to 'https://ipa02.hq.spinque.com:443/ca/rest/certs/1610547206': [SSL: SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:2354)", "msg": "Request for certificate serial number 
{serial} in request {key} failed: {error}" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR", "uuid": "902cf106-d105-47bf-a0fe-7312d8a99553", "when": "20221116113427Z", "duration": "0.715412", "kw": { "key": null, "serial": 1610547209, "error": "cannot connect to 'https://ipa02.hq.spinque.com:443/ca/rest/certs/1610547209': [SSL: SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:2354)", "msg": "Request for certificate serial number {serial} in request {key} failed: {error}" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertmongerCA", "result": "ERROR", "uuid": "0d4b5f20-c3bd-464c-a964-058e383aaf78", "when": "20221116113427Z", "duration": "0.003946", "kw": { "key": "dogtag-ipa-ca-renew-agent", "msg": "Certmonger CA '{key}' missing" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertmongerCA", "result": "ERROR", "uuid": "af8eca3d-5d18-4afe-83aa-96f7ddd84087", "when": "20221116113427Z", "duration": "0.005468", "kw": { "key": "dogtag-ipa-ca-renew-agent-reuse", "msg": "Certmonger CA '{key}' missing" } }, { "source": "ipahealthcheck.ipa.dna", "check": "IPADNARangeCheck", "result": "WARNING", "uuid": "bc767f75-2810-4f0b-881b-2eb3c63bf818", "when": "20221116113427Z", "duration": "0.265330", "kw": { "range_start": 0, "range_max": 0, "next_start": 0, "next_max": 0, "msg": "No DNA range defined. If no masters define a range then users and groups cannot be created." 
} }, { "source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck", "result": "WARNING", "uuid": "b9f40c81-9da4-43ca-9b3c-3b5e1361d6bc", "when": "20221116113427Z", "duration": "0.041334", "kw": { "msg": "Got {count} ipa-ca A records, expected {expected}", "count": 1, "expected": 2 } }, { "source": "ipahealthcheck.ipa.files", "check": "IPAFileCheck", "result": "WARNING", "uuid": "7e3bc7e8-2c03-477c-bce5-65002f787ed4", "when": "20221116113427Z", "duration": "0.009593", "kw": { "key": "_var_log_ipaupgrade.log_mode", "path": "/var/log/ipaupgrade.log", "type": "mode", "expected": "0600", "got": "0644", "msg": "Permissions of /var/log/ipaupgrade.log are too permissive: 0644 and should be 0600" } }, { "source": "ipahealthcheck.ipa.files", "check": "IPAFileCheck", "result": "WARNING", "uuid": "917f4b06-3379-4d4d-80be-f7224ad8053f", "when": "20221116113427Z", "duration": "0.010298", "kw": { "key": "_var_log_kadmind.log_mode", "path": "/var/log/kadmind.log", "type": "mode", "expected": "0600", "got": "0640", "msg": "Permissions of /var/log/kadmind.log are too permissive: 0640 and should be 0600" } } ]
Internal server error 403 Client Error: 403 for url: http://ipa01.hq.spinque.com:80/ca/rest/securityDomain/domainInfo ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403) ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403) ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403) ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403) ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403) ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403) ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403) ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403) ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403) ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403) Unhandler rdtype 256 Unhandler rdtype 256 Unhandler rdtype 256 Unhandler rdtype 256 Unhandler rdtype 256 Unhandler rdtype 256 Unhandler rdtype 256 Unhandler rdtype 256 [ { "source": "ipahealthcheck.dogtag.ca", "check": "DogtagCertsConnectivityCheck", "result": "ERROR", "uuid": "1622e91f-c41c-4fbe-8a93-3e46ab824dd5", "when": "20221116113450Z", "duration": "0.202681", "kw": { "msg": "Request for certificate failed, Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. 
(403)" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR", "uuid": "aa8d51c5-edde-4f8f-a56a-9f9a424e3dc6", "when": "20221116113455Z", "duration": "0.512292", "kw": { "key": "20210624135015", "serial": 1610547213, "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)", "msg": "Request for certificate serial number {serial} in request {key} failed: {error}" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR", "uuid": "f32f9960-03d4-43e0-be9d-de1bfbf7ea4e", "when": "20221116113455Z", "duration": "0.613556", "kw": { "key": "20210624135010", "serial": 1610547216, "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)", "msg": "Request for certificate serial number {serial} in request {key} failed: {error}" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR", "uuid": "6e9e96fa-46ed-4201-aaf9-8c167e8b9325", "when": "20221116113455Z", "duration": "0.713730", "kw": { "key": "20210624135011", "serial": 1610547215, "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)", "msg": "Request for certificate serial number {serial} in request {key} failed: {error}" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR", "uuid": "7887eb1c-ee79-42bb-bbe7-83f6b20c0385", "when": "20221116113455Z", "duration": "0.814992", "kw": { "key": "20210624135012", "serial": 1610547214, "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. 
(403)", "msg": "Request for certificate serial number {serial} in request {key} failed: {error}" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR", "uuid": "1374815b-f62d-42e3-b6ca-99a222f6ccc7", "when": "20221116113455Z", "duration": "0.918946", "kw": { "key": "20210624135013", "serial": 1, "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)", "msg": "Request for certificate serial number {serial} in request {key} failed: {error}" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR", "uuid": "6c7b4e82-09ce-45e1-8a8b-231d7be0a178", "when": "20221116113456Z", "duration": "1.022137", "kw": { "key": "20210624135014", "serial": 1610547210, "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)", "msg": "Request for certificate serial number {serial} in request {key} failed: {error}" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR", "uuid": "1bed5091-6351-4d5e-b92d-a658a6decb53", "when": "20221116113456Z", "duration": "1.078608", "kw": { "key": "20210624135017", "serial": 1610547205, "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)", "msg": "Request for certificate serial number {serial} in request {key} failed: {error}" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR", "uuid": "c0e33965-1be7-48ca-8199-91fa35e7ca63", "when": "20221116113456Z", "duration": "1.178624", "kw": { "key": "20210624135016", "serial": 1610547211, "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. 
(403)", "msg": "Request for certificate serial number {serial} in request {key} failed: {error}" } }, { "source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR", "uuid": "5f4af083-5e0f-4b88-a1f0-1e42e2084b5b", "when": "20221116113456Z", "duration": "1.234213", "kw": { "key": "20200729161416", "serial": 1610547212, "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)", "msg": "Request for certificate serial number {serial} in request {key} failed: {error}" } }, { "source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck", "result": "WARNING", "uuid": "2783e8ac-2191-401f-a36e-069a23097b61", "when": "20221116113456Z", "duration": "0.033869", "kw": { "msg": "Got {count} ipa-ca A records, expected {expected}", "count": 1, "expected": 2 } }, { "source": "ipahealthcheck.ipa.files", "check": "IPAFileCheck", "result": "WARNING", "uuid": "40c22923-b80f-41ae-b326-c819cdfb0591", "when": "20221116113456Z", "duration": "0.001666", "kw": { "key": "_var_log_ipaupgrade.log_mode", "path": "/var/log/ipaupgrade.log", "type": "mode", "expected": "0600", "got": "0644", "msg": "Permissions of /var/log/ipaupgrade.log are too permissive: 0644 and should be 0600" } }, { "source": "ipahealthcheck.ipa.files", "check": "IPAFileCheck", "result": "WARNING", "uuid": "5f6efdfe-8994-445d-985e-30a5d49dd326", "when": "20221116113456Z", "duration": "0.001897", "kw": { "key": "_var_log_kadmind.log_mode", "path": "/var/log/kadmind.log", "type": "mode", "expected": "0600", "got": "0640", "msg": "Permissions of /var/log/kadmind.log are too permissive: 0640 and should be 0600" } } ]
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
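
The "secret" / "requiredSecret" comparison raised in the message above can be checked mechanically; the Python below is an added example, not part of the original thread and not FreeIPA or Dogtag code. It reports, for each AJP connector in a Tomcat server.xml, which of the two attributes is present and whether they match, without ever printing the values. The embedded XML, the placeholder secrets and the function names are constructed for illustration, and the "both present and matching" criterion is the one the message takes from the linked thread.

```python
import hmac
import sys
import xml.etree.ElementTree as ET

# Constructed samples mimicking the states described in the message.
# Secret values are placeholders, not real ones.
SAMPLE_ONLY_SECRET = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="localhost" secret="PLACEHOLDER-A"/>
  </Service>
</Server>"""

SAMPLE_ONLY_REQUIRED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="localhost" requiredSecret="PLACEHOLDER-B"/>
  </Service>
</Server>"""

SAMPLE_TWO_CONNECTORS = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" address="localhost4"
               secret="PLACEHOLDER-C" requiredSecret="PLACEHOLDER-C"/>
    <Connector port="8009" protocol="AJP/1.3" address="localhost6"
               secret="PLACEHOLDER-C" requiredSecret="PLACEHOLDER-D"/>
  </Service>
</Server>"""


def ajp_secret_report(server_xml_text):
    """Return one finding per AJP connector; the secret itself is never returned."""
    root = ET.fromstring(server_xml_text)
    findings = []
    for conn in root.iter("Connector"):
        # Only AJP connectors carry the shared secret with the front-end proxy.
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        secret = conn.get("secret")
        required = conn.get("requiredSecret")
        if secret is None and required is None:
            status = "no-secret"
        elif secret is None:
            status = "only-requiredSecret"
        elif required is None:
            status = "only-secret"
        elif hmac.compare_digest(secret.encode(), required.encode()):
            status = "both-match"
        else:
            status = "both-differ"
        findings.append({
            "port": conn.get("port"),
            "address": conn.get("address"),
            "status": status,
        })
    return findings


def needs_attention(findings):
    """Connectors that do not have both attributes present and equal."""
    return [f for f in findings if f["status"] != "both-match"]


if __name__ == "__main__":
    # With a path argument, check that file (for example the server.xml named
    # in the message); without one, run on the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            inputs = {sys.argv[1]: fh.read()}
    else:
        inputs = {
            "sample-only-secret": SAMPLE_ONLY_SECRET,
            "sample-only-requiredSecret": SAMPLE_ONLY_REQUIRED,
            "sample-two-connectors": SAMPLE_TWO_CONNECTORS,
        }
    for name, text in inputs.items():
        for finding in ajp_secret_report(text):
            print(name, finding)
```

Run on each server, this gives a value-free summary that can be pasted into a list post for comparison.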