Hey folks,happyily using FreeIPA in my personal hobbyist space across 50vms and 8 hosts. It worked like a charm. Ever since a few days ago I am unable to delete hosts, disabling/ enabling users for example works, but not deleting hosts. I am using AlmaLinux 8 with vendor-supplied FreeIPA version.
I duckduckgo'd around the net, tried to solve the issue myself. But no errors our there helped me debug. I think I found the issue with ipa-healthcheck, but I am unsure on how to fix. This is the output:
---- 8< ---- ---- 8< ---- ---- 8< ---- ---- 8< ---- ---- 8< ----Internal server error 403 Client Error: 403 for url: http://auth1.alpha-labs.net:80/ca/rest/securityDomain/domainInfo
Directory Server CA certificate not found, assuming 3rd partyra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403) ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403) ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403) ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403) ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403) ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403) ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403) ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403) ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403) ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
[
{
"source": "pki.server.healthcheck.meta.csconfig",
"check": "CADogtagCertsConfigCheck",
"result": "ERROR",
"uuid": "c76c5f53-1869-4cd5-95e3-dd7f3e0b7e0c",
"when": "20220128091051Z",
"duration": "0.361963",
"kw": {
"key": "ca_signing",
"nickname": "caSigningCert cert-pki-ca",
"directive": "ca.signing.cert",
"configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
"msg": "Certificate 'caSigningCert cert-pki-ca' does not match
the value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
}
},
{
"source": "ipahealthcheck.dogtag.ca",
"check": "DogtagCertsConnectivityCheck",
"result": "ERROR",
"uuid": "e98075a4-5d85-4ccf-a97e-b202fcc92789",
"when": "20220128091054Z",
"duration": "0.566005",
"kw": {
"msg": "Request for certificate failed, Certificate operation
cannot be completed: Request failed with status 403: Non-2xx response
from CA REST API: 403. (403)"
}
},
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationCheck",
"result": "WARNING",
"uuid": "d9dcf871-1a5d-47a6-8d2e-bcf4f61f09d1",
"when": "20220128091056Z",
"duration": "0.788714",
"kw": {
"key": "DSREPLLE0002",
"items": [
"Replication",
"Conflict Entries"
],
"msg": "There were 4 conflict entries found under the replication
suffix \"dc=alpha-labs,dc=net\"."
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPADogtagCertsMatchCheck",
"result": "ERROR",
"uuid": "1c96ee54-e8ca-4045-9bfc-294c261e4ab8",
"when": "20220128091101Z",
"duration": "0.198242",
"kw": {
"key": "caSigningCert cert-pki-ca",
"nickname": "caSigningCert cert-pki-ca",
"dbdir": "/etc/pki/pki-tomcat/alias",
"msg": "{nickname} certificate in NSS DB {dbdir} does not match
entry in LDAP"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "17140733-ba3f-4d34-a48c-3b1e159b3488",
"when": "20220128091105Z",
"duration": "0.731259",
"kw": {
"key": "20201208073945",
"serial": 1073676292,
"error": "Certificate operation cannot be completed: Request
failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "9833fce2-5f98-480b-9a69-d2d41db21ef0",
"when": "20220128091105Z",
"duration": "0.888676",
"kw": {
"key": "20201208073937",
"serial": 1073676293,
"error": "Certificate operation cannot be completed: Request
failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "c3f1b686-a74b-42d6-8b55-b6fe36671933",
"when": "20220128091105Z",
"duration": "1.065141",
"kw": {
"key": "20201208073940",
"serial": 1073676291,
"error": "Certificate operation cannot be completed: Request
failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "f6073d14-b9eb-466b-ab29-6151c857d387",
"when": "20220128091105Z",
"duration": "1.226933",
"kw": {
"key": "20201208073942",
"serial": 1073676290,
"error": "Certificate operation cannot be completed: Request
failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "a465aaca-67b8-419e-8a38-a16c227d5db1",
"when": "20220128091105Z",
"duration": "1.394251",
"kw": {
"key": "20201208073943",
"serial": 20,
"error": "Certificate operation cannot be completed: Request
failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "33de05f4-1e8b-4d26-94ec-e742f4b7b8dc",
"when": "20220128091106Z",
"duration": "1.569087",
"kw": {
"key": "20201208073944",
"serial": 268238852,
"error": "Certificate operation cannot be completed: Request
failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "d723658c-74ab-41a4-a3e0-5b643a70e15d",
"when": "20220128091106Z",
"duration": "1.676748",
"kw": {
"key": "20201208073949",
"serial": 1073676289,
"error": "Certificate operation cannot be completed: Request
failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "5d67c6e0-785e-456c-9ae3-b2199c5d2051",
"when": "20220128091106Z",
"duration": "1.855003",
"kw": {
"key": "20201208073947",
"serial": 268238849,
"error": "Certificate operation cannot be completed: Request
failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "9c0441dc-2f20-41b0-816e-7690fca47448",
"when": "20220128091106Z",
"duration": "1.945158",
"kw": {
"key": "20200406205351",
"serial": 268238851,
"error": "Certificate operation cannot be completed: Request
failed with status 403: Non-2xx response from CA REST API: 403. (403)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.dna",
"check": "IPADNARangeCheck",
"result": "WARNING",
"uuid": "480e0baf-8814-47d5-bb71-e8d780867107",
"when": "20220128091107Z",
"duration": "0.687667",
"kw": {
"range_start": 0,
"range_max": 0,
"next_start": 0,
"next_max": 0,
"msg": "No DNA range defined. If no masters define a range then
users and groups cannot be created."
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "37d1c6ed-982c-4046-b6b3-4c47ef6ed249",
"when": "20220128091107Z",
"duration": "0.779401",
"kw": {
"msg": "Got {count} ipa-ca A records, expected {expected}",
"count": 2,
"expected": 3
}
},
{
"source": "ipahealthcheck.ipa.files",
"check": "IPAFileCheck",
"result": "ERROR",
"uuid": "a7a5039b-7e4d-4501-ac39-f6b1d2080107",
"when": "20220128091108Z",
"duration": "0.006982",
"kw": {
"key": "_etc_hosts_mode",
"path": "/etc/hosts",
"type": "mode",
"expected": "0644",
"got": "0444",
"msg": "Permissions of /etc/hosts are too restrictive: 0444 and
should be 0644"
}
},
{
"source": "ipahealthcheck.ipa.files",
"check": "IPAFileCheck",
"result": "WARNING",
"uuid": "71556f6a-b914-41a5-8f88-932b37edcf35",
"when": "20220128091108Z",
"duration": "0.007897",
"kw": {
"key": "_var_log_kadmind.log_mode",
"path": "/var/log/kadmind.log",
"type": "mode",
"expected": "0600",
"got": "0640",
"msg": "Permissions of /var/log/kadmind.log are too permissive:
0640 and should be 0600"
}
}
]
---- 8< ---- ---- 8< ---- ---- 8< ---- ---- 8< ---- ---- 8< ----
Any help is sooo greatly appreciated!
--
with kind regards,
mit freundlichen Gruessen,
Christian Reiss
OpenPGP_0x44E29126ABCD43C5.asc
Description: OpenPGP public key
BEGIN:VCARD VERSION:4.0 EMAIL;PREF=1:em...@christian-reiss.de FN:Christian Reiss N:Reiss;Christian;;; TEL;VALUE=TEXT:+4915122628306 UID:19c36e92-1c6f-44cc-a30e-450944af70e5 END:VCARD
OpenPGP_signature
Description: OpenPGP digital signature
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
