William Muriithi via FreeIPA-users wrote:
Morning Rob
What's the process for either removing or making it known?
I'll add something to the program about this too but for now you can run:
# getcert list -i 20170919231606
That will tell us what it is. It is perfectly fine to have certmonger track other certs on the system. I display unexpected ones as a just-in-case.
It's supposed to display as just a warning. I'll fix that too since it is a little alarming.
This is the result I got on my end:
Failures:
Unable to find request for serial 268304424
Unable to find request for serial 268304426
Unable to find request for serial 268304425
Unable to find request for serial 268304423
I'm not sure if this is an invalid test or a real error. I'm still waiting on the dogtag team to respond to https://bugzilla.redhat.com/show_bug.cgi?id=1641804 (your results are slightly different but of the same theme).
Subject O=ENG.EXAMPLE.COM,CN=zinc.eng.example.com and template subject CN=lithium.eng.example.com,O=ENG.EXAMPLE.COM do not match for serial 77
Same as above.
I don't know yet if this is a harbinger of doom or a red herring :-/
Permissions of /etc/dirsrv/slapd-ENG-EXAMPLE-COM/key3.db are 0600 and should be 0640
Permissions of /etc/dirsrv/slapd-ENG-EXAMPLE-COM/cert8.db are 0600 and should be 0640
Permissions of /etc/dirsrv/slapd-ENG-EXAMPLE-COM/secmod.db are 0600 and should be 0640
Yeah, this is probably fine. I may need to tweak the test to not look for specific permissions but rather check what is required and that it isn't too permissive.
Warnings:
Unknown certmonger ids: 20170812234301
This one is fine. I may make a note to add more details to this. It is basically just a heads-up in case you have something tracked you forgot about.
[root@lithium bin]#
The system so far seems healthy. Did these file permissions have stricter access that was relaxed later? I have never attempted to change them, at least implicitly
It may be related to different versions of IPA or something. This test is intended to ensure the ownership and permissions aren't wildly either too permissive or too restrictive. It apparently still needs some work.
rob
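
Added example, not part of the original message or of the FreeIPA tool's code: one way to write the bounds-style check described above (verify the required bits and reject anything more permissive than a ceiling), applied to the three reported failures. The `REQUIRED` owner read/write mask, the function names, and treating the reported "should be" value as the ceiling are assumptions.

```python
import re
import stat

# Sample input: the three failure lines quoted in the message above.
REPORT = """\
Permissions of /etc/dirsrv/slapd-ENG-EXAMPLE-COM/key3.db are 0600 and should be 0640
Permissions of /etc/dirsrv/slapd-ENG-EXAMPLE-COM/cert8.db are 0600 and should be 0640
Permissions of /etc/dirsrv/slapd-ENG-EXAMPLE-COM/secmod.db are 0600 and should be 0640
"""

LINE = re.compile(r"Permissions of (\S+) are (0[0-7]{3}) and should be (0[0-7]{3})")

# Assumption (not from the thread): the owner must be able to read and
# write the NSS database files for the service to work.
REQUIRED = stat.S_IRUSR | stat.S_IWUSR


def evaluate(actual, ceiling, required=REQUIRED):
    """Return a list of problems; an empty list means the mode is acceptable.

    ceiling  - most permissive mode tolerated (the reported "should be" value)
    required - bits that must be present
    """
    problems = []
    extra = actual & ~ceiling & 0o7777   # bits granted beyond the ceiling
    missing = required & ~actual         # required bits that are absent
    if extra:
        problems.append(f"too permissive: extra bits {extra:04o}")
    if missing:
        problems.append(f"too restrictive: missing bits {missing:04o}")
    return problems


def recheck(report):
    """Re-evaluate every 'Permissions of ...' line under the bounds policy."""
    results = {}
    for path, actual, expected in LINE.findall(report):
        results[path] = evaluate(int(actual, 8), int(expected, 8))
    return results


if __name__ == "__main__":
    for path, problems in recheck(REPORT).items():
        print(path, "OK" if not problems else "; ".join(problems))
```

Under this policy the three 0600 files pass, because 0600 grants nothing beyond 0640 and still carries the owner read/write bits.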