Is there a definition for the severities? Are all warnings something that does not require action? If they are, I'd rather ignore them, as I've plugged this into Nagios and I only want alerts that require me to do something (right now I'm just checking that `ipa-healthcheck --failures-only` is empty. Right now this warning is triggering my monitoring, but if I ignore alerts until this is cleared, I could miss other problems).

There are a lot of ways to look at this, but IMHO I'd suggest something like:

* "System is not working correctly"
* "Action needs to be taken to prevent failure" (it's often useful to have an early warning threshold and a later critical threshold; taking care of warnings during business hours will probably reduce the amount of criticals that wake someone up)
* "Informative"

This way your monitoring system can alert on the first two, while the third one shows up somewhere but doesn't send alerts.

...

I think I'll change my monitoring to just alert on CRITICAL and ERROR; hopefully that won't be a bad idea.

Cheers,

Álex


On Sun, Dec 8, 2019 at 7:08 PM Rob Crittenden <rcritten@redhat.com> wrote:
Alex Corcoles via FreeIPA-users wrote:
> Hi,
>
> I've been running ipa-healthcheck for a while and this morning I started
> to get a few failures:
>
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "kw": {
>       "msg": "Request id 20180929065627 expires in 27 days",
>       "expiration_date": "20200104123511Z",
>       "days": 27,
>       "key": "20180929065627"
>     },
>     "uuid": "02af62dc-ac2c-48a6-951f-884e119be9a7",
>     "duration": "0.046374",
>     "when": "20191208113322Z",
>     "check": "IPACertmongerExpirationCheck",
>     "result": "WARNING"
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "kw": {
>       "msg": "Request id 20180929065620 expires in 27 days",
>       "expiration_date": "20200104123511Z",
>       "days": 27,
>       "key": "20180929065620"
>     },
>     "uuid": "ce377ee1-6f8a-4921-9c33-01c6d82e91ff",
>     "duration": "0.148693",
>     "when": "20191208113323Z",
>     "check": "IPACertfileExpirationCheck",
>     "result": "WARNING"
>   },
>
> I get a pair of these for a couple of certs. Should WARNING results be
> ignored (because those should be renewed automatically, perhaps?)? I was
> running --failures-only, but perhaps I should run --severity
> CRITICAL,ERROR for monitoring?

These are there so you are aware that an expiration event is coming up.
Just keep an eye on it, it should resolve itself when certmonger thinks
it's time. This is reported as a heads-up and a just-in-case-certmonger
falls over (or if you have no CA renewal manager, for example).

rob



--
   ___
 {~._.~}
  ( Y )
 ()~*~()  mail: alex at corcoles dot net
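
Added example, not part of the original thread and not FreeIPA project code: a Nagios-style check implementing the plan discussed above (alert on CRITICAL and ERROR, keep WARNING results visible in the status line without alerting). It assumes the JSON record shape quoted in the thread; the names `evaluate` and `ALERT_ON` and the second sample record are hypothetical.

```python
import json

# Standard Nagios plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Assumption: the severities that should alert, per the plan in the thread.
ALERT_ON = {"CRITICAL", "ERROR"}

# Constructed sample: first record modelled on the thread, second is invented.
SAMPLE = """[
  {"source": "ipahealthcheck.ipa.certs", "check": "IPACertmongerExpirationCheck",
   "result": "WARNING", "kw": {"msg": "Request id 20180929065627 expires in 27 days"}},
  {"source": "example.source", "check": "ExampleCheck",
   "result": "ERROR", "kw": {"msg": "constructed failure"}}
]"""


def evaluate(raw, alert_on=ALERT_ON):
    """Return (nagios_exit_code, status_line) for healthcheck JSON text."""
    try:
        # Assumption: a healthy run still emits a JSON list (possibly empty).
        # Empty or truncated output fails to parse and is reported as UNKNOWN,
        # so a crashed or missing healthcheck is not mistaken for "all clear".
        results = json.loads(raw)
        if not isinstance(results, list):
            raise ValueError("expected a JSON list")
        rows = [(r["result"], r["check"], r.get("kw", {}).get("msg", ""))
                for r in results]
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        return UNKNOWN, f"UNKNOWN: cannot parse healthcheck output ({exc})"

    alerts = [f"{c}: {m}" for s, c, m in rows if s in alert_on]
    # Everything else except SUCCESS is shown but does not raise an alert.
    info = [f"{c}: {m}" for s, c, m in rows
            if s not in alert_on and s != "SUCCESS"]
    if alerts:
        return CRITICAL, "CRITICAL: " + "; ".join(alerts)
    if info:
        return OK, f"OK: {len(info)} non-alerting result(s): " + "; ".join(info)
    return OK, "OK: no failures reported"


if __name__ == "__main__":
    code, line = evaluate(SAMPLE)
    print(line)
    raise SystemExit(code)
```
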