Rob Verduijn wrote:
> Wow....thanx...that was it (the ca_name=IPA entry in the file that
> contains 'KDCs_PKINIT_Certs' in the dir /var/lib/certmonger/requests with

Identifying this type of issue might be pretty tricky. I'll use the
ticket you opened to poke at it. I'd rather not have to parse the
request files directly as some data may be cached in the daemon.

I'm not even sure how a request can be tracked without a CA in certmonger.

Glad things are working in any case.

rob

> 
> Now it's only the known bug error message
> https://bugzilla.redhat.com/show_bug.cgi?id=2115254
> 
> ipa-healthcheck  
> args=({'msgtype': 101, 'msgid': 3, 'result': 32, 'desc': 'No such
> object', 'ctrls': [], 'ldap_request':
> "search_ext_s(('cn=changelog5,cn=config', 0,
> '(objectClass=*)'),{'attrlist': ['nsslapd-changelogmaxentries'],
> 'serverctrls': None, '
> clientctrls': None, 'escapehatch': 'i am sure'}) on instance
> TJAKO-THUIS"},)
> []

Fortunately this only appears on stderr so doesn't end up in the
generated file if you run healthcheck in a timer or use the
--output-file option.

rob

> 
> Thanx Rob
> 
> Rob :-P    (I really need to remember to reply to all)
> 
> On Mon 21 Nov 2022 at 16:37, Rob Crittenden <rcrit...@redhat.com> wrote:
> 
>     Rob Verduijn wrote:
>     > sorry posted the answer in a dm.
>     > I'll post any weird stuff in it here when rob finds it
> 
>     It's interesting that the IPACertmongerCA check fails when run with the
>     rest but passes individually. It at least shows that the three
>     pre-defined CAs we care about look right.
> 
>     I noticed that the PKINIT request has no CA associated with it. I
>     suppose it's possible that is confusing things.
> 
>     If you look in /var/lib/certmonger/requests for the file that contains
>     KDCs_PKINIT_Certs see what, if any, value there is for ca_name. If there
>     isn't one you can stop certmonger and manually add ca_name=IPA then
>     restart it.
> 
>     Give it time to get going then try ipa-healthcheck again.
> 
>     rob
> 
>     >
>     > .
>     >
>     > On Mon 21 Nov 2022 at 15:25, Rob Crittenden <rcrit...@redhat.com> wrote:
>     >
>     >     Rob Verduijn via FreeIPA-users wrote:
>     >     > thanx
>     >     >
>     >     > any clues about the other errors?
>     >
>     >     It isn't a dbus issue because the other certmonger requests are
>     >     working fine. In the past this has been caused by missing expected
>     >     (assumed) entries.
>     >
>     >     Can you share the output of getcert-list and getcert list-cas?
>     >
>     >     and:
>     >
>     >     ipa-healthcheck --debug --source ipahealthcheck.ipa.certs --check
>     >     IPACertmongerCA
>     >
>     >     rob
>     >
>     >     >
>     >     > ipa-healthcheck  
>     >     > args=({'msgtype': 101, 'msgid': 3, 'result': 32, 'desc': 'No such
>     >     > object', 'ctrls': [], 'ldap_request':
>     >     > "search_ext_s(('cn=changelog5,cn=config', 0,
>     >     > '(objectClass=*)'),{'attrlist': ['nsslapd-changelogmaxentries'],
>     >     > 'serverctrls': None, '
>     >     > clientctrls': None, 'escapehatch': 'i am sure'}) on instance
>     >     > TJAKO-THUIS"},)
>     >     > [
>     >     >  {
>     >     >    "source": "ipahealthcheck.ipa.certs",
>     >     >    "check": "IPACertTracking",
>     >     >    "result": "CRITICAL",
>     >     >    "uuid": "6bab1187-3285-4059-9f92-a6e8fba54d2f",
>     >     >    "when": "20221119105634Z",
>     >     >    "duration": "0.721246",
>     >     >    "kw": {
>     >     >      "exception": "bus, object_path and dbus_interface must not be None."
>     >     >    }
>     >     >  },
>     >     >  {
>     >     >    "source": "ipahealthcheck.ipa.certs",
>     >     >    "check": "IPACertDNSSAN",
>     >     >    "result": "CRITICAL",
>     >     >    "uuid": "b13b939b-9b8d-4893-ba31-da2dd203551a",
>     >     >    "when": "20221119105635Z",
>     >     >    "duration": "0.683679",
>     >     >    "kw": {
>     >     >      "exception": "bus, object_path and dbus_interface must not be None."
>     >     >    }
>     >     >  },
>     >     >  {
>     >     >    "source": "ipahealthcheck.ipa.certs",
>     >     >    "check": "IPACertRevocation",
>     >     >    "result": "CRITICAL",
>     >     >    "uuid": "a235463c-85cd-4277-8ee8-a10a0fcc6e5c",
>     >     >    "when": "20221119105638Z",
>     >     >    "duration": "0.655251",
>     >     >    "kw": {
>     >     >      "exception": "bus, object_path and dbus_interface must not be None."
>     >     >    }
>     >     >  },
>     >     >  {
>     >     >    "source": "ipahealthcheck.ipa.files",
>     >     >    "check": "IPAFileCheck",
>     >     >    "result": "CRITICAL",
>     >     >    "uuid": "85deeb45-7e32-4f00-b2ab-a9b0484242c7",
>     >     >    "when": "20221119105639Z",
>     >     >    "duration": "0.083885",
>     >     >    "kw": {
>     >     >      "exception": "bus, object_path and dbus_interface must not be None."
>     >     >    }
>     >     >  }
>     >     > ]
>     >     >
>     >     >
>     >     >
>     >     > On Sun 20 Nov 2022 at 17:08, Mark Reynolds <marey...@redhat.com> wrote:
>     >     >
>     >     >
>     >     >     On 11/20/22 10:51 AM, Rob Verduijn wrote:
>     >     >>
>     >     >>
>     >     >>     On Sun 20 Nov 2022 at 15:57, Mark Reynolds <marey...@redhat.com> wrote:
>     >     >>
>     >     >>
>     >     >>         On 11/20/22 9:06 AM, Sam Morris via FreeIPA-users wrote:
>     >     >>         > On Sat, 2022-11-19 at 11:57 +0100, Rob Verduijn via FreeIPA-users wrote:
>     >     >>         >> Hi all,
>     >     >>         >>
>     >     >>         >> I managed to get rid of another error but I still have
>     >     >>         >> plenty errors left.
>     >     >>         >>
>     >     >>         >> Any help would be appreciated.
>     >     >>         >>
>     >     >>         >> ipa-healthcheck errors remaining:
>     >     >>         >>
>     >     >>         >> ipa-healthcheck
>     >     >>         >> args=({'msgtype': 101, 'msgid': 3, 'result': 32, 'desc': 'No such
>     >     >>         >> object', 'ctrls': [], 'ldap_request':
>     >     >>         >> "search_ext_s(('cn=changelog5,cn=config', 0,
>     >     >>         >> '(objectClass=*)'),{'attrlist': ['nsslapd-changelogmaxentries'],
>     >     >>         >> 'serverctrls': None,'
>     >     >>         >> clientctrls': None, 'escapehatch': 'i am sure'}) on instance
>     >     >>         >> TJAKO-THUIS"},)
>     >     >>         > Is this your server telling you that the entry cn=changelog5,cn=config
>     >     >>         > does not exist? That sounds pretty bad... try running this (change
>     >     >>         > IPA-EXAMPLE-COM to the name of your dirsrv instance):
>     >     >>         >
>     >     >>         > ldapsearch -H ldapi://%2frun%2fslapd-IPA-EXAMPLE-COM.socket -Y EXTERNAL
>     >     >>         > -b cn=changelog5,cn=config -s base
>     >     >>
>     >     >>         This is fine actually. This is a bug we are looking into.  It
>     >     >>         should not be outputting that exception.  It is just checking if
>     >     >>         a backend has a changelog, not that it's expecting one.  This can
>     >     >>         be ignored.
>     >     >>
>     >     >>         Mark
>     >     >>
>     >     >>         Can you share a link to this bug?
>     >     >>
>     >     >
>     >     >     https://bugzilla.redhat.com/show_bug.cgi?id=2115254
>     >     >
>     >     >>
>     >     >>
>     >     >>
>     >     >>
>     >     >>         >
>     >     >>         >>    {
>     >     >>         >>      "source": "ipahealthcheck.ipa.certs",
>     >     >>         >>      "check": "IPACertTracking",
>     >     >>         >>      "result": "CRITICAL",
>     >     >>         >>      "uuid": "6bab1187-3285-4059-9f92-a6e8fba54d2f",
>     >     >>         >>      "when": "20221119105634Z",
>     >     >>         >>      "duration": "0.721246",
>     >     >>         >>      "kw": {
>     >     >>         >>        "exception": "bus, object_path and dbus_interface must not be None."
>     >     >>         >>      }
>     >     >>         >>    },
>     >     >>         > These look like D-Bus-related errors. Is certmonger started, can you
>     >     >>         > run 'getcert list'?
>     >     >>         >
>     >     >>         --
>     >     >>         Directory Server Development Team
>     >     >>
>     >     >     --
>     >     >     Directory Server Development Team
>     >     >
>     >     >
>     >     > _______________________________________________
>     >     > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>     >     > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>     >     > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>     >     > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>     >     > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>     >     > Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>     >     >
>     >
> 
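
The check described in the thread above (find the request file that contains KDCs_PKINIT_Certs and see whether it has a ca_name value), as an added read-only shell example that is not part of the original messages. The sample request files, and the `id` and `template_profile` keys in them, are constructed for the demo.

```shell
#!/bin/sh
# Added example: read-only check for certmonger request files that lack a CA.
# Only the directory, the string KDCs_PKINIT_Certs and the ca_name= key come
# from the thread; every other name here is hypothetical.

# Print each regular file in DIR that mentions PATTERN but has no non-empty
# ca_name= line. Files are only read, never modified.
find_requests_missing_ca() {
    dir=$1
    pattern=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        grep -qF -- "$pattern" "$f" || continue
        if ! grep -Eq '^ca_name=.+' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Build a throwaway directory of constructed, heavily simplified request
# files (real ones carry many more keys) and print its path.
make_sample_requests() {
    d=$(mktemp -d)
    printf 'id=20221119000001\ntemplate_profile=KDCs_PKINIT_Certs\n' \
        > "$d/20221119000001"          # PKINIT request, no ca_name
    printf 'id=20221119000002\nca_name=IPA\ntemplate_profile=KDCs_PKINIT_Certs\n' \
        > "$d/20221119000002"          # PKINIT request, CA set
    printf 'id=20221119000003\nca_name=IPA\n' \
        > "$d/20221119000003"          # unrelated request
    printf '%s\n' "$d"
}

# Demo on the constructed files; on a server, pass /var/lib/certmonger/requests
# instead (as root). On-disk files may not reflect state cached in the daemon.
sample=$(make_sample_requests)
find_requests_missing_ca "$sample" KDCs_PKINIT_Certs   # prints .../20221119000001
rm -rf "$sample"
```

A file reported here is a candidate for the fix given in the thread: stop certmonger, add `ca_name=IPA` to that file, then restart it.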