On Wed, Nov 07, 2018 at 01:04:05PM -0500, Rob Crittenden via FreeIPA-users wrote:
> William Muriithi via FreeIPA-users wrote:
> > Morning Rob
> >>> What's the process for either removing or making it known?
> >>
> >> I'll add something to the program about this too but for now you can run:
> >>
> >> # getcert list -i 20170919231606
> >>
> >> That will tell us what it is. It is perfectly fine to have certmonger
> >> track other certs on the system. I display unexpected ones as a
> >> just-in-case.
> >>
> >> It's supposed to display as just a warning. I'll fix that too since it
> >> is a little alarming.
> > This is the result I got on my end:
> >
> > Failures:
> >
> > Unable to find request for serial 268304424
> > Unable to find request for serial 268304426
> > Unable to find request for serial 268304425
> > Unable to find request for serial 268304423
>
> I'm not sure if this is an invalid test or a real error. I'm still
> waiting on the dogtag team to respond to
> https://bugzilla.redhat.com/show_bug.cgi?id=1641804 (your results are
> slightly different but of the same theme).

Request IDs are not related to serial numbers of issued
certificates. They just happen to coincide at the beginning. I
responded to the BZ with more details.

> > Subject O=ENG.EXAMPLE.COM,CN=zinc.eng.example.com and template subject
> > CN=lithium.eng.example.com,O=ENG.EXAMPLE.COM do not match for serial 77
>
> Same as above.
>
> I don't know yet if this is a harbinger of doom or a red herring :-/
Probably an incorrect assumption. Most likely not a harbinger of
doom. Rob can you please follow up with details on how this check
is conducted?
Cheers,
Fraser
> > Permissions of /etc/dirsrv/slapd-ENG-EXAMPLE-COM/key3.db are 0600 and
> > should be 0640
> > Permissions of /etc/dirsrv/slapd-ENG-EXAMPLE-COM/cert8.db are 0600 and
> > should be 0640
> > Permissions of /etc/dirsrv/slapd-ENG-EXAMPLE-COM/secmod.db are 0600
> > and should be 0640
>
> Yeah, this is probably fine. I may need to tweak the test to not look
> for specific permissions but rather check what is required and that it
> isn't too permissive.
>
> > Warnings:
> > Unknown certmonger ids: 20170812234301
>
> This one is fine. I may make a note to add more details to this. It is
> basically just a heads-up in case you have something tracked you forgot
> about.
>
> > [root@lithium bin]#
> >
> > The system so far seems healthy. Did these file permissions have a
> > stricter access that was relaxed later? I have never attempted to
> > change them, at least implicitly
>
> It may be related to different versions of IPA or something. This test
> is intended to ensure the ownership and permissions aren't wildly either
> too permissive or too restrictive. It apparently still needs some work.
>
> rob
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
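Two of the checks discussed in this thread are easy to get wrong in the ways Rob describes: the "unknown certmonger ids" warning has to key on certmonger request IDs (which, as Fraser notes, are not certificate serial numbers), and the NSS database permission check should fail only when a file is more open than required rather than demanding one exact mode. The following is an added illustration written for this archive, not code from the thread or from FreeIPA's own healthcheck tool. It parses a constructed sample in the shape of `getcert list` output (the field layout is assumed from that command's usual format), flags tracked request IDs that are not in an expected set, and applies a permission check that only reports files looser than a maximum mode. The paths, request IDs and subjects in the sample are taken from the thread or invented as placeholders.

```python
import re

# Constructed sample in the style of `getcert list` output (not captured from
# the poster's host). The second request stands in for a locally tracked
# certificate that IPA did not set up, i.e. the "unknown" id in the thread.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20170919231606':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-ENG-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-ENG-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=lithium.eng.example.com,O=ENG.EXAMPLE.COM
Request ID '20170812234301':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=FILE,location='/etc/pki/tls/private/custom.key'
\tcertificate: type=FILE,location='/etc/pki/tls/certs/custom.crt'
\tCA: local
\tsubject: CN=custom.eng.example.com
"""

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':")


def parse_getcert_list(text):
    """Return {request_id: {field: value}} from getcert-list style output.

    The request ID is the certmonger tracking handle. It is not the serial
    number of the certificate it tracks, so lookups must never confuse the two.
    """
    requests = {}
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = m.group("id")
            requests[current] = {}
            continue
        # Field lines are tab-indented "key: value" pairs under a request.
        if current is not None and line.startswith("\t") and ": " in line:
            key, value = line.strip().split(": ", 1)
            requests[current][key] = value
    return requests


def unknown_tracking_ids(requests, expected_ids):
    """Request IDs certmonger tracks that the caller did not expect.

    This is a heads-up, not an error: tracking extra certificates is fine.
    """
    return sorted(set(requests) - set(expected_ids))


def too_permissive(actual_mode, max_mode):
    """True if actual_mode grants any permission bit that max_mode does not.

    A stricter mode (e.g. 0600 where 0640 is the ceiling) is accepted.
    """
    extra = (actual_mode & 0o777) & ~(max_mode & 0o777)
    return extra != 0


def check_nss_db_permissions(modes, max_mode=0o640):
    """modes: {path: st_mode-style permission bits}. Report only files that
    are more open than max_mode; files that are tighter pass."""
    findings = []
    for path, mode in sorted(modes.items()):
        if too_permissive(mode, max_mode):
            findings.append("Permissions of %s are %04o and exceed %04o"
                            % (path, mode & 0o777, max_mode))
    return findings


if __name__ == "__main__":
    tracked = parse_getcert_list(SAMPLE_GETCERT_OUTPUT)
    # Hypothetical: the set of request IDs the IPA installer is known to own.
    ipa_owned = {"20170919231606"}
    for rid in unknown_tracking_ids(tracked, ipa_owned):
        info = tracked[rid]
        print("Warning: unknown certmonger id %s (subject %s, cert %s)"
              % (rid, info.get("subject"), info.get("certificate")))

    # Constructed modes: key3.db at 0600 is tighter than 0640 and must pass;
    # cert8.db at 0644 is world-readable and must be reported.
    sample_modes = {
        "/etc/dirsrv/slapd-ENG-EXAMPLE-COM/key3.db": 0o600,
        "/etc/dirsrv/slapd-ENG-EXAMPLE-COM/cert8.db": 0o644,
    }
    for finding in check_nss_db_permissions(sample_modes):
        print("Failure:", finding)
```

The permission check compares bit masks rather than equality, so the 0600 databases in the thread pass while a world-readable 0644 file is still caught; on a live host the modes would come from `os.stat(path).st_mode` and the expected request IDs from the list certmonger entries the installer recorded.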