Attached file here. Thanks,
//omar
On Fri, Mar 22, 2024 at 4:53 AM Florence Blanc-Renaud <[email protected]>
wrote:
> Hi,
>
> you can download freeipa-healthcheck and run ipa-healthcheck command on
> the master/replica, it would help you identify any inconsistency in the
> configuration.
>
> Otherwise, we need more info to help you. It looks like the LDAP server
> certificate on the master *ldap01*.app.uaap.maxar.com has been replaced
> (because its subject doesn't contain ldap01 but rather
> CN=*ldap*.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US).
> If you are using a custom certificate, signed by an external CA (CN=Maxar
> DS Issuing CA East,DC=DS,DC=Maxar,DC=com), you need to add this external CA
> to ipa by running on the master:
> # ipa-cacert-manage install -t CT,C,C /path/to/externalCA.pem
> and then on all the nodes enrolled into IPA:
> # ipa-certupdate
>
> Those commands will download the external CA and put them in all the
> required places.
> flo
>
> On Thu, Mar 21, 2024 at 1:07 AM Omar Pagan via FreeIPA-users <
> [email protected]> wrote:
>
>> I don't get it, the cert is valid and the master seems to be working just
>> fine. Any ideas as to how I need to approach this issue? I can rebuild
>> the replicas and get the certs updates done on each of the replicas, but I
>> have tried that a few times and it seems to still be unhappy with it.
>> Thoughts?
>> --
>> _______________________________________________
>> FreeIPA-users mailing list -- [email protected]
>> To unsubscribe send an email to
>> [email protected]
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/[email protected]
>> Do not reply to spam, report it:
>> https://pagure.io/fedora-infrastructure/new_issue
>>
>
[
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACAChainExpirationCheck",
"result": "WARNING",
"uuid": "86135083-ca5f-4c99-8df7-bf8dceebe32d",
"when": "20240325223300Z",
"duration": "0.038849",
"kw": {
"path": "/etc/ipa/ca.crt",
"key": "CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com",
"days": 16,
"msg": "CA '{key}' in {path} is expiring in {days} days."
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACAChainExpirationCheck",
"result": "WARNING",
"uuid": "4d5a5480-c224-4b4e-a198-77ed3dc4bc76",
"when": "20240325223300Z",
"duration": "0.039217",
"kw": {
"path": "/etc/ipa/ca.crt",
"key": "CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com",
"days": 16,
"msg": "CA '{key}' in {path} is expiring in {days} days."
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "99a11a04-d72d-4bfb-b657-f3e8ad560814",
"when": "20240325223300Z",
"duration": "0.022304",
"kw": {
"msg": "Expected SRV record missing",
"key": "_ldap._tcp.app.uaap.maxar.com.:ldap03.app.uaap.maxar.com."
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "a6a819d6-36f5-4b55-8401-f96e3dc1f81e",
"when": "20240325223300Z",
"duration": "0.023585",
"kw": {
"msg": "Expected SRV record missing",
"key": "_kerberos._tcp.app.uaap.maxar.com.:ldap03.app.uaap.maxar.com."
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "f285434b-22f8-498e-9f1c-d1121a654910",
"when": "20240325223300Z",
"duration": "0.024776",
"kw": {
"msg": "Expected SRV record missing",
"key": "_kerberos._udp.app.uaap.maxar.com.:ldap03.app.uaap.maxar.com."
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "b3eadb58-8810-4449-91e6-38b5a5b4f41d",
"when": "20240325223300Z",
"duration": "0.025921",
"kw": {
"msg": "Expected SRV record missing",
"key":
"_kerberos-master._tcp.app.uaap.maxar.com.:ldap03.app.uaap.maxar.com."
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "30bf299a-7a7a-420f-96d0-e529fda80b97",
"when": "20240325223300Z",
"duration": "0.027155",
"kw": {
"msg": "Expected SRV record missing",
"key":
"_kerberos-master._udp.app.uaap.maxar.com.:ldap03.app.uaap.maxar.com."
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "04ba70ee-0a95-4a3e-8111-bf8349145810",
"when": "20240325223300Z",
"duration": "0.028385",
"kw": {
"msg": "Expected SRV record missing",
"key": "_kpasswd._tcp.app.uaap.maxar.com.:ldap03.app.uaap.maxar.com."
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "589992a5-dd37-466c-8ea9-d65e86ad2cb7",
"when": "20240325223300Z",
"duration": "0.029580",
"kw": {
"msg": "Expected SRV record missing",
"key": "_kpasswd._udp.app.uaap.maxar.com.:ldap03.app.uaap.maxar.com."
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "ed9edcaa-aee1-4c5d-92fb-762092093c0c",
"when": "20240325223300Z",
"duration": "0.033754",
"kw": {
"msg": "Expected URI record missing",
"key":
"_kerberos.app.uaap.maxar.com.:krb5srv:m:tcp:ldap01.app.uaap.maxar.com."
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "ceb44633-72dc-4499-a178-60be4730b4af",
"when": "20240325223300Z",
"duration": "0.033771",
"kw": {
"msg": "Expected URI record missing",
"key":
"_kerberos.app.uaap.maxar.com.:krb5srv:m:udp:ldap01.app.uaap.maxar.com."
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "dedc1327-9c6d-4d9f-856e-a63759c660f5",
"when": "20240325223300Z",
"duration": "0.033783",
"kw": {
"msg": "Expected URI record missing",
"key":
"_kerberos.app.uaap.maxar.com.:krb5srv:m:tcp:ldap03.app.uaap.maxar.com."
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "36923ecc-645a-44ed-b1a0-f47bcc18e4ee",
"when": "20240325223300Z",
"duration": "0.033794",
"kw": {
"msg": "Expected URI record missing",
"key":
"_kerberos.app.uaap.maxar.com.:krb5srv:m:udp:ldap03.app.uaap.maxar.com."
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "cac8f44b-0521-4c2d-a6c5-5c0e7ca154b6",
"when": "20240325223300Z",
"duration": "0.035046",
"kw": {
"msg": "Expected URI record missing",
"key":
"_kpasswd.app.uaap.maxar.com.:krb5srv:m:tcp:ldap01.app.uaap.maxar.com."
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "efc1a698-c5ae-4430-adee-448f9ecad98e",
"when": "20240325223300Z",
"duration": "0.035062",
"kw": {
"msg": "Expected URI record missing",
"key":
"_kpasswd.app.uaap.maxar.com.:krb5srv:m:udp:ldap01.app.uaap.maxar.com."
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "4b79a32f-b297-420c-8593-986173d7b9f7",
"when": "20240325223300Z",
"duration": "0.035074",
"kw": {
"msg": "Expected URI record missing",
"key":
"_kpasswd.app.uaap.maxar.com.:krb5srv:m:tcp:ldap03.app.uaap.maxar.com."
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "f59c6c92-8006-4e7a-b3cc-3e6d6c359cbe",
"when": "20240325223300Z",
"duration": "0.035084",
"kw": {
"msg": "Expected URI record missing",
"key":
"_kpasswd.app.uaap.maxar.com.:krb5srv:m:udp:ldap03.app.uaap.maxar.com."
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "9a26c6d1-a8e1-4d7b-826d-12a272d4e167",
"when": "20240325223300Z",
"duration": "0.040260",
"kw": {
"key": "ipa_ca_non_server_10.194.82.224",
"ipaddr": "10.194.82.224",
"msg": "Unexpected ipa-ca address {ipaddr}"
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "a336eb1a-92cd-473f-87ea-955c35acd26e",
"when": "20240325223300Z",
"duration": "0.040285",
"kw": {
"key": "ipa_ca_missing_ldap01.app.uaap.maxar.com",
"server": "ldap01.app.uaap.maxar.com",
"ipaddr": "192.168.3.200",
"msg": "expected ipa-ca to contain {ipaddr} for {server}"
}
}
]
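
Added example, not part of the original message or of freeipa-healthcheck: a short Python triage of JSON in the shape shown above. It fills each `msg` template from its `kw` fields, groups findings by check, and lists CA certificates close to expiry. The sample is constructed from three entries of the attached output (uuid/when/duration dropped); the function names and the 30-day threshold are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample: three entries trimmed from the healthcheck output above.
SAMPLE = json.dumps([
    {"source": "ipahealthcheck.ipa.certs", "check": "IPACAChainExpirationCheck",
     "result": "WARNING",
     "kw": {"path": "/etc/ipa/ca.crt",
            "key": "CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com",
            "days": 16, "msg": "CA '{key}' in {path} is expiring in {days} days."}},
    {"source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck",
     "result": "WARNING",
     "kw": {"msg": "Expected SRV record missing",
            "key": "_ldap._tcp.app.uaap.maxar.com.:ldap03.app.uaap.maxar.com."}},
    {"source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck",
     "result": "WARNING",
     "kw": {"key": "ipa_ca_missing_ldap01.app.uaap.maxar.com",
            "server": "ldap01.app.uaap.maxar.com", "ipaddr": "192.168.3.200",
            "msg": "expected ipa-ca to contain {ipaddr} for {server}"}},
])

class _Keep(dict):
    """Leave a {placeholder} untouched when kw has no value for it."""
    def __missing__(self, name):
        return "{" + name + "}"

def render(entry):
    """Fill the msg template from kw; append key when msg has no placeholders."""
    kw = entry.get("kw", {})
    msg = kw.get("msg", "")
    try:
        text = msg.format_map(_Keep(kw))
    except (ValueError, IndexError):  # stray braces in msg: show it unformatted
        text = msg
    if "{" not in msg and "key" in kw:
        text = f"{text}: {kw['key']}"
    return text

def triage(report_json, expiry_days=30):
    """Return ({(source, check): [messages]}, [(ca_subject, days_left)])."""
    findings, expiring = defaultdict(list), []
    for entry in json.loads(report_json):
        if entry.get("result") == "SUCCESS":
            continue
        findings[(entry["source"], entry["check"])].append(render(entry))
        kw = entry.get("kw", {})
        if entry["check"] == "IPACAChainExpirationCheck" and "days" in kw:
            if kw["days"] <= expiry_days:
                expiring.append((kw["key"], kw["days"]))
    return dict(findings), expiring
```
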