Ronald Wimmer via FreeIPA-users wrote:
Is it true that these "Errors" appear on an IPA server
without CA role
present and can be ignored?
CRITICAL:
pki.server.healthcheck.certs.expiration.CASystemCertExpiryCheck: Invalid
PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.certs.expiration.KRASystemCertExpiryCheck:
Invalid PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.certs.expiration.OCSPSystemCertExpiryCheck:
Invalid PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.certs.expiration.TKSSystemCertExpiryCheck:
Invalid PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.certs.expiration.TPSSystemCertExpiryCheck:
Invalid PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.certs.trustflags.CASystemCertTrustFlagCheck:
Invalid PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.certs.trustflags.KRASystemCertTrustFlagCheck:
Invalid PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.certs.trustflags.OCSPSystemCertTrustFlagCheck:
Invalid PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.certs.trustflags.TKSSystemCertTrustFlagCheck:
Invalid PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.certs.trustflags.TPSSystemCertTrustFlagCheck:
Invalid PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.clones.connectivity_and_data.ClonesConnectivyAndDataCheck
CRITICAL: pki.server.healthcheck.meta.csconfig.CADogtagCertsConfigCheck:
Invalid PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.meta.csconfig.KRADogtagCertsConfigCheck: Invalid
PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.meta.csconfig.OCSPDogtagCertsConfigCheck: Invalid
PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.meta.csconfig.TKSDogtagCertsConfigCheck: Invalid
PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.meta.csconfig.TPSDogtagCertsConfigCheck: Invalid
PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.meta.connectivity.DogtagCACertsConnectivityCheck:
Invalid PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.meta.connectivity.DogtagKRAConnectivityCheck:
Invalid PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.meta.connectivity.DogtagOCSPConnectivityCheck:
Invalid PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.meta.connectivity.DogtagTKSConnectivityCheck:
Invalid PKI instance: pki-tomcat
CRITICAL:
pki.server.healthcheck.meta.connectivity.DogtagTPSConnectivityCheck:
Invalid PKI instance: pki-tomcat
CRITICAL: ipahealthcheck.ipa.roles.IPACRLManagerCheck: Unable to read
/var/lib/pki/pki-tomcat/conf/ca/CS.cfg
There was an issue that pki.server checks though throw errors even if
the CA was unconfigured. I had to filter these out of healthcheck.
But the IPACRLManagerCheck should only run if a CA is configured so I'd
double check your roles. It seems to believe one is configured on this host.
As well as these for a disabled trust domain?
ERROR: ipahealthcheck.ipa.trust.IPATrustDomainsCheck.domain-list:
/usr/sbin/sssctl domain-list reports mismatch: sssd domains mydomain.at,
buero.mydomain.at, org.mydomain.at trust domains buero.mydomain.at,
mydomain.at, org.mydomain.at, tk.mydomain.at
ERROR: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.domain-status:
Execution of domain-status failed: CalledProcessError(Command
['/usr/sbin/sssctl', 'domain-status', 'tk.mydomain.at',
'--active-server'] returned non-zero exit status 1: 'Unable to get
online status\n')
Disabled how? healthcheck is running through the list of trust domains
that sssd is returning. So should sssd not be aware of this domain at all?
rob
Cheers,
Ronald
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure