Kees Bakker wrote:
On 13-12-19 15:00, Rob Crittenden wrote:
> Kees Bakker wrote:
>> On 06-11-19 17:16, Rob Crittenden wrote:
>>> Kees Bakker via FreeIPA-users wrote:
>>>> Thanks Rob
>>>>
>>>> Here are my findings, mainly as an FYI.
>>>>
>>>> On the CA master it reports the following (which I have to investigate)
>>>> [
>>>>   {
>>>>     "source": "ipahealthcheck.ipa.certs",
>>>>     "kw": {
>>>>       "msg": "Unknown certmonger id 20190412141828",
>>>>       "key": "20190412141828"
>>>>     },
>>>>     "uuid": "f3d6ccb9-fb82-49ac-aa02-f485d08826c3",
>>>>     "duration": "0.980984",
>>>>     "when": "20191106095349Z",
>>>>     "check": "IPACertTracking",
>>>>     "result": "WARNING"
>>>>   }
>>>> ]
>>> To see what the request is run:
>>>
>>> # getcert list -i 20190412141828
>>>
>>> It may be perfectly fine, it is acceptable to track other certs on the
>>> master, it is just unexpected so healthcheck is warning about it.
>>>
>>
>> The warning is for a cert that I created for a FreeRADIUS server (which
>> I never actually managed to get working).
>>
>> The warning is a bit annoying because the cert is alright, I think. It is
>> listed with "status: MONITORING".
>> So, I think that the cert is not unknown to certmonger, despite what the
>> error suggests.
>>
>> I am considering creating another cert for some other service, in the same
>> manner as I did for FreeRADIUS. That new cert would then also be flagged with
>> a warning.
>>
>
> This particular check isn't verifying whether the cert is ok. It is
> checking that the tracking for the standard IPA certs is done correctly.
>
> If there are additional certs it has no way to know to validate them so
> warns instead. We discourage running additional software on an IPA
> master. Using a master to manage a cert is probably fine but is a grey
> area. I chose to warn as a heads-up, to keep a paranoid stance of
> warning on anything unexpected.
Ah, I see. So, I better not do that then.
>
> I have an idea to create an ignore list but it probably won't see the
> light of day for a while.
>
> This is good feedback, thanks.
Likewise.
What I'll do in the short term is add a much longer message that
includes some of what I said here. There is no need for me to be so terse
for some of these messages :-(
rob
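The IPACertTracking warning discussed above is a heads-up about a certmonger request the check does not recognise, and an ignore list is mentioned as a future idea. As an added example (not part of ipa-healthcheck and not code posted by anyone in this thread), here is a small Python post-filter that parses the JSON array ipa-healthcheck prints, suppresses only the "Unknown certmonger id" warning for request IDs on a reviewed allowlist, keeps the suppressed entries so the exception stays auditable, and reports the worst remaining result. The sample input (the quoted finding plus a made-up healthy one), the allowlist contents and the severity ordering are assumptions made for this example.

```python
"""Post-filter ipa-healthcheck JSON output against an allowlist of
certmonger request IDs that are tracked on purpose.

Example code only: not part of ipa-healthcheck or FreeIPA."""
import json

# Severity order assumed for the result strings ipa-healthcheck emits.
# An unrecognised level is treated as CRITICAL so it is never downgraded.
SEVERITY = {"SUCCESS": 0, "WARNING": 1, "ERROR": 2, "CRITICAL": 3}

# Constructed sample input. The first entry reproduces the finding quoted in
# the thread; the second is a made-up healthy result so the filter has
# something to keep.
SAMPLE_OUTPUT = """[
  {
    "source": "ipahealthcheck.ipa.certs",
    "kw": {
      "msg": "Unknown certmonger id 20190412141828",
      "key": "20190412141828"
    },
    "uuid": "f3d6ccb9-fb82-49ac-aa02-f485d08826c3",
    "duration": "0.980984",
    "when": "20191106095349Z",
    "check": "IPACertTracking",
    "result": "WARNING"
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "kw": {},
    "uuid": "00000000-0000-0000-0000-000000000001",
    "duration": "0.010000",
    "when": "20191106095350Z",
    "check": "IPACertTracking",
    "result": "SUCCESS"
  }
]"""

# Hypothetical allowlist: request IDs deliberately tracked on the master
# (here the FreeRADIUS certificate from the thread). In real use keep this
# in a reviewed, version-controlled file like any other exception list.
EXPECTED_EXTRA_TRACKING = {"20190412141828"}


def load_findings(text):
    """Parse the JSON array ipa-healthcheck prints into a list of dicts."""
    findings = json.loads(text)
    if not isinstance(findings, list):
        raise ValueError("expected a JSON array of findings")
    return findings


def is_expected_unknown_tracking(finding, allowlist):
    """True only for the IPACertTracking WARNING whose certmonger request ID
    is on the allowlist; every other finding is left untouched."""
    return (
        finding.get("check") == "IPACertTracking"
        and finding.get("result") == "WARNING"
        and finding.get("kw", {}).get("key") in allowlist
    )


def apply_allowlist(findings, allowlist):
    """Split findings into (kept, suppressed). Suppressed entries are
    returned rather than discarded so the exception can be audited."""
    kept, suppressed = [], []
    for finding in findings:
        target = suppressed if is_expected_unknown_tracking(finding, allowlist) else kept
        target.append(finding)
    return kept, suppressed


def worst_result(findings):
    """Highest severity among the findings; 'SUCCESS' if there are none."""
    return max(
        (f.get("result", "SUCCESS") for f in findings),
        key=lambda r: SEVERITY.get(r, SEVERITY["CRITICAL"]),
        default="SUCCESS",
    )


def main():
    findings = load_findings(SAMPLE_OUTPUT)
    kept, suppressed = apply_allowlist(findings, EXPECTED_EXTRA_TRACKING)
    for f in suppressed:
        print("suppressed (expected):", f["kw"]["msg"])
    for f in kept:
        print(f["result"], f["check"], f["kw"].get("msg", ""))
    print("overall:", worst_result(kept))


if __name__ == "__main__":
    main()
```

The filter matches on check name, result and the `kw.key` request ID together, so a genuine tracking problem with a standard IPA certificate (a different key, or a different message) still surfaces, and an allowlisted ID only silences the one warning the thread describes.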