Corey Devenport via FreeIPA-users wrote:
You'd want to keep the most recently issued. This is likely the highest
serial number.
I removed the description with the lower serial number; this doesn't seem to have
changed anything. On one of the replicas I was able to get all of the certs to have the
status MONITORING by retracking the subsystem certs before the caSigningCert, but even
then I can't do any cert operations, and I get the same errors within the ca log about
ipa ra and not being able to authenticate.
And nothing else? It should at least report the failures as well as
other information.
rob
Here's the full output from ipa-healthcheck --failures-only
[
{
"source": "ipahealthcheck.dogtag.ca",
"check": "DogtagCertsConnectivityCheck",
"result": "ERROR",
"uuid": "e50d483d-4df3-4b73-b8b7-e16965e37498",
"when": "20201112174907Z",
"duration": "0.041723",
"kw": {
"msg": "Request for certificate failed, Certificate operation cannot
be completed: Unable to communicate with CMS (403)"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "5da33d67-49ee-4da1-93c2-4ef708706a92",
"when": "20201112174909Z",
"duration": "0.293753",
"kw": {
"key": "20200903174544",
"msg": "Request for certificate failed, Certificate operation cannot
be completed: Unable to communicate with CMS (403)"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "e2410971-50d1-4f46-a97a-689a8c724f19",
"when": "20201112174909Z",
"duration": "0.457327",
"kw": {
"key": "20200903174539",
"msg": "Request for certificate failed, Certificate operation cannot
be completed: Unable to communicate with CMS (403)"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "28c5f45f-cb92-4ed8-b772-3b2ea318ddfd",
"when": "20201112174909Z",
"duration": "0.606343",
"kw": {
"key": "20200903174540",
"msg": "Request for certificate failed, Certificate operation cannot
be completed: Unable to communicate with CMS (403)"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "b2439d4d-d3a6-43bc-8f01-aaf82a550ca2",
"when": "20201112174909Z",
"duration": "0.758415",
"kw": {
"key": "20200903174541",
"msg": "Request for certificate failed, Certificate operation cannot
be completed: Unable to communicate with CMS (403)"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "1db6d06e-2055-4bb2-a06b-d01090acb79e",
"when": "20201112174910Z",
"duration": "0.949354",
"kw": {
"key": "20200903174542",
"msg": "Request for certificate failed, Certificate operation cannot
be completed: Unable to communicate with CMS (403)"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "d463cae9-a700-4f97-b337-b8c4f6bffadf",
"when": "20201112174910Z",
"duration": "1.142487",
"kw": {
"key": "20200903174543",
"msg": "Request for certificate failed, Certificate operation cannot
be completed: Unable to communicate with CMS (403)"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "af75c420-ca9e-4fb4-8726-14b1c0e5ece4",
"when": "20201112174910Z",
"duration": "1.228820",
"kw": {
"key": "20200903174546",
"msg": "Request for certificate failed, Certificate operation cannot
be completed: Unable to communicate with CMS (403)"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "d4b8fd36-dcad-42a8-8449-fe3d8cf4d684",
"when": "20201112174910Z",
"duration": "1.382383",
"kw": {
"key": "20200903174545",
"msg": "Request for certificate failed, Certificate operation cannot
be completed: Unable to communicate with CMS (403)"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "34a18c02-2804-4bbe-aacd-9f4c3d4d06c0",
"when": "20201112174910Z",
"duration": "1.491313",
"kw": {
"key": "20200205195905",
"msg": "Request for certificate failed, Certificate operation cannot
be completed: Unable to communicate with CMS (403)"
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "4984a75e-1473-4c22-baa8-30c79be696ec",
"when": "20201112174911Z",
"duration": "0.112628",
"kw": {
"msg": "Expected SRV record missing",
"key":
"_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs....:athena..."
}
},
There's a bunch more of those warnings regarding SRV records missing, but I don't
think that has to do with our problem; I could be wrong, though.
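
An added example, not part of the original thread and not code from the FreeIPA project: a small triage script that collapses repeated ipa-healthcheck results into one line per distinct failure, so the CA 403 errors can be read separately from the SRV record warnings. The sample input is constructed in the shape of the output above (one DNS key is a placeholder), and the function names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample shaped like the output quoted above (uuid/when/duration
# omitted). Two "msg" values are wrapped across lines, as a mail client does.
SAMPLE = """[
 {"source": "ipahealthcheck.dogtag.ca", "check": "DogtagCertsConnectivityCheck",
  "result": "ERROR",
  "kw": {"msg": "Request for certificate failed, Certificate operation cannot
be completed: Unable to communicate with CMS (403)"}},
 {"source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation",
  "result": "ERROR",
  "kw": {"key": "20200903174544",
         "msg": "Request for certificate failed, Certificate operation cannot
be completed: Unable to communicate with CMS (403)"}},
 {"source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation",
  "result": "ERROR",
  "kw": {"key": "20200903174539",
         "msg": "Request for certificate failed, Certificate operation cannot be completed: Unable to communicate with CMS (403)"}},
 {"source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck",
  "result": "WARNING",
  "kw": {"msg": "Expected SRV record missing", "key": "_ldap._tcp.example.test"}}
]"""


def summarize(text):
    """Group results by (result, source, check, msg) and collect their 'key' values."""
    groups = defaultdict(list)
    # strict=False accepts raw newlines inside strings (left by line wrapping).
    for item in json.loads(text, strict=False):
        kw = item.get("kw", {})
        msg = " ".join(str(kw.get("msg", "")).split())  # rejoin wrapped message text
        groups[(item["result"], item["source"], item["check"], msg)].append(kw.get("key"))
    return dict(groups)


def report(groups):
    """One line per distinct failure, ERROR before WARNING, with a repeat count."""
    lines = []
    for (result, source, check, msg), keys in sorted(groups.items()):
        named = [k for k in keys if k]
        suffix = f" [keys: {', '.join(named)}]" if named else ""
        lines.append(f"{result:8} {source}.{check} x{len(keys)}: {msg}{suffix}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE))))
```
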