Martin Jackson via FreeIPA-users <[email protected]>
writes:

> The "unexpected cert" warnings are of long standing and  are because I
> have certmonger-managed certs for cockpit on the controller.

I do have an ansible playbook to add these cert requests to the ignore
configuration:

  # Another WARNING is generated for the custom tls certificate
  # for cockpit - that needs to be ignored with
  # [excludes]\nkey=20210910141452 (certmonger request id)
  - name: get the certificate request for cockpit from certmonger
    ansible.builtin.command:
      # -l gives only the filename of the request
      cmd: grep -lr cockpit
      chdir: /var/lib/certmonger/requests
    register: cert_request
    # Run the task in check mode too - we gather data...
    check_mode: false
    # Don't report changes in any case
    changed_when: false
    # And we don't fail
    failed_when: false

  # In our installation we do have only ONE certificate extra.
  # So, let's just use the first(only) file found.
  # If that assumption changes, we need to change the tasks...
  - name: store certificate request id if found
    ansible.builtin.set_fact:
      request_id: "{{ cert_request.stdout_lines | first }}"
    # Don't report changes for a fact we only gathered
    # (changed_when belongs at task level, not inside set_fact)
    changed_when: false
    when: cert_request.rc == 0

  # Generate the file /etc/ipahealthcheck/ipahealthcheck.conf from
  # a template: Add a timeout (20 seconds instead of 10) and
  # exclude false positive checks (cockpit cert and temporary
  # errors during upgrades (e.g. Fedora 36->37). Fedora 36's
  # ipa-healthcheck can't connect to KRA on Fedora 37.
  - name: Add more time until timeout for ipa-healthcheck
    ansible.builtin.template:
      src: files/etc/ipahealthcheck.j2
      dest: /etc/ipahealthcheck/ipahealthcheck.conf
      mode: "0644"


The template file:
[default]
timeout=20

[excludes]
{% if request_id is defined %}
key={{ request_id }}
{% endif %}

-- 
This space is intentionally left blank.
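As an added example (not part of the message above or of the ipa-healthcheck project), the same lookup and rendering in Python, generalised so that every certmonger request mentioning the search term gets its own key= line; this removes the "only ONE extra certificate" assumption the playbook relies on. The request-file contents in demo() are constructed and simplified, and the search term and default directory are assumptions taken from the playbook:

```python
"""Render ipahealthcheck.conf excludes from certmonger request files.

Mirrors `grep -lr cockpit` in /var/lib/certmonger/requests: the file name of
each matching request is the request id that ipa-healthcheck expects in the
[excludes] section as `key=<id>`.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

# certmonger's request store (assumption: default location, as in the playbook)
REQUESTS_DIR = Path("/var/lib/certmonger/requests")


def find_request_ids(requests_dir: Path, needle: str = "cockpit") -> list[str]:
    """Return the ids (file names) of all requests whose file mentions `needle`.

    Unlike `stdout_lines | first`, every match is returned so that more than
    one custom certificate can be excluded; callers decide what to do with
    zero or several matches.
    """
    ids: list[str] = []
    if not requests_dir.is_dir():
        return ids
    for path in sorted(requests_dir.iterdir()):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip it rather than abort, like grep -s
        if needle in text:
            ids.append(path.name)
    return ids


def render_config(request_ids: list[str], timeout: int = 20) -> str:
    """Produce the ipahealthcheck.conf text: [default] timeout plus one key=
    line per request id under [excludes] (the section is left empty when
    there is nothing to exclude, exactly as the Jinja template does)."""
    lines = ["[default]", f"timeout={timeout}", "", "[excludes]"]
    lines.extend(f"key={rid}" for rid in request_ids)
    return "\n".join(lines) + "\n"


def demo() -> tuple[list[str], str]:
    """Build a constructed request store in a temp dir and render the config.

    Two request files are fabricated here for illustration: one for cockpit
    and one for an ordinary IPA service certificate that must not be excluded.
    """
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp)
        # constructed sample: the cockpit request (id is a made-up timestamp)
        (store / "20210910141452").write_text(
            "id=20210910141452\nkey_nickname=cockpit\n"
            "cert_storage_location=/etc/cockpit/ws-certs.d/\n"
        )
        # constructed sample: an IPA-managed cert that healthcheck already knows
        (store / "20210910120000").write_text(
            "id=20210910120000\nkey_nickname=Server-Cert\n"
            "cert_storage_location=/etc/httpd/alias\n"
        )
        ids = find_request_ids(store, "cockpit")
        return ids, render_config(ids)


if __name__ == "__main__":
    found, conf = demo()
    print(f"excluding {len(found)} request(s)")
    print(conf, end="")
```

Running the script against the real store would be `find_request_ids(REQUESTS_DIR)` followed by writing `render_config(...)` to /etc/ipahealthcheck/ipahealthcheck.conf; the file must stay readable by root only if you add anything sensitive, but with just request ids mode 0644 as in the playbook is fine.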
_______________________________________________
FreeIPA-users mailing list -- [email protected]