Morning Rob

> > What's the process for either removing or making it known?
>
> I'll add something to the program about this too but for now you can run:
>
> # getcert list -i 20170919231606
>
> That will tell us what it is. It is perfectly fine to have certmonger track other certs on the system. I display unexpected ones as a just-in-case.
>
> It's supposed to display as just a warning. I'll fix that too since it is a little alarming.

This is the result I got on my end:

Failures:
Unable to find request for serial 268304424
Unable to find request for serial 268304426
Unable to find request for serial 268304425
Unable to find request for serial 268304423
Subject O=ENG.EXAMPLE.COM,CN=zinc.eng.example.com and template subject CN=lithium.eng.example.com,O=ENG.EXAMPLE.COM do not match for serial 77
Permissions of /etc/dirsrv/slapd-ENG-EXAMPLE-COM/key3.db are 0600 and should be 0640
Permissions of /etc/dirsrv/slapd-ENG-EXAMPLE-COM/cert8.db are 0600 and should be 0640
Permissions of /etc/dirsrv/slapd-ENG-EXAMPLE-COM/secmod.db are 0600 and should be 0640
Warnings:
Unknown certmonger ids: 20170812234301
[root@lithium bin]#

The system so far seems healthy. Did these file permissions have stricter access that was relaxed later? I have never attempted to change them, at least implicitly.

Regards, William
William Muriithi via FreeIPA-users wrote:
> Morning Rob
>
> > > What's the process for either removing or making it known?
> >
> > I'll add something to the program about this too but for now you can run:
> >
> > # getcert list -i 20170919231606
> >
> > That will tell us what it is. It is perfectly fine to have certmonger track other certs on the system. I display unexpected ones as a just-in-case.
> >
> > It's supposed to display as just a warning. I'll fix that too since it is a little alarming.
>
> This is the result I got on my end:
>
> Failures:
> Unable to find request for serial 268304424
> Unable to find request for serial 268304426
> Unable to find request for serial 268304425
> Unable to find request for serial 268304423

I'm not sure if this is an invalid test or a real error. I'm still waiting on the dogtag team to respond to https://bugzilla.redhat.com/show_bug.cgi?id=1641804 (your results are slightly different but of the same theme).

> Subject O=ENG.EXAMPLE.COM,CN=zinc.eng.example.com and template subject CN=lithium.eng.example.com,O=ENG.EXAMPLE.COM do not match for serial 77

Same as above.

I don't know yet if this is a harbinger of doom or a red herring :-/

> Permissions of /etc/dirsrv/slapd-ENG-EXAMPLE-COM/key3.db are 0600 and should be 0640
> Permissions of /etc/dirsrv/slapd-ENG-EXAMPLE-COM/cert8.db are 0600 and should be 0640
> Permissions of /etc/dirsrv/slapd-ENG-EXAMPLE-COM/secmod.db are 0600 and should be 0640

Yeah, this is probably fine. I may need to tweak the test to not look for specific permissions but rather check what is required and that it isn't too permissive.

> Warnings:
> Unknown certmonger ids: 20170812234301

This one is fine. I may make a note to add more details to this. It is basically just a heads-up in case you have something tracked you forgot about.

> [root@lithium bin]#
>
> The system so far seems healthy. Did these file permissions have stricter access that was relaxed later? I have never attempted to change them, at least implicitly.

It may be related to different versions of IPA or something. This test is intended to ensure the ownership and permissions aren't wildly either too permissive or too restrictive. It apparently still needs some work.

rob
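Rob describes what the permission check is meant to do: not demand one exact mode, but confirm that a file's permissions are neither too permissive nor too restrictive for the service that uses it. The following Python sketch is an added example written for this thread, not the code of the check program Rob is describing. It expresses that idea as a range: `min_mode` is the set of bits the service needs, `max_mode` the most open mode still acceptable. The values chosen for the 389-ds NSS database files (0600 required, 0640 allowed) are assumptions taken from the output above, not the program's real policy, and the sample files and modes are constructed in a temporary directory so the script runs offline.

```python
"""Range-based file permission check (added example, not the check program's own code).

Instead of comparing against one exact mode, each file carries the bits its
service needs (min_mode) and the most permissive mode still acceptable
(max_mode).  A file is flagged only when it falls outside that range, so
0600 on a file allowed up to 0640 is reported as fine rather than as a failure.
"""
import os
import stat
import tempfile

# Assumed policy for the NSS database files named in the thread: the directory
# server (file owner) must be able to read and write them (0600); letting the
# service group read them (0640) is tolerated; anything beyond that (group
# write, any world access) is too permissive.  These numbers are an assumption
# for the example, not the real healthcheck policy.
NSSDB_POLICY = {"min_mode": 0o600, "max_mode": 0o640}


def classify_mode(actual, min_mode, max_mode):
    """Return (verdict, detail) for a permission mode.

    too_permissive:  a bit outside the allowed mask is set (checked first,
                     because that is the security-relevant case)
    too_restrictive: a bit the service relies on is missing
    ok:              everything required is present and nothing extra is set
    """
    extra = actual & ~max_mode
    missing = min_mode & ~actual
    if extra:
        return "too_permissive", f"extra bits {extra:04o}"
    if missing:
        return "too_restrictive", f"missing bits {missing:04o}"
    return "ok", ""


def check_file(path, min_mode, max_mode):
    """Stat one file and classify its permission bits; returns a result dict."""
    st = os.stat(path)
    actual = stat.S_IMODE(st.st_mode)
    verdict, detail = classify_mode(actual, min_mode, max_mode)
    return {"path": path, "mode": f"{actual:04o}", "verdict": verdict, "detail": detail}


def run_demo():
    """Create constructed sample files with different modes and check each one.

    key3.db gets 0600 (the mode William saw), cert8.db gets 0644 (world
    readable, which the range rejects) and secmod.db gets 0400 (owner cannot
    write, so the service would be unable to update it).
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("key3.db", 0o600), ("cert8.db", 0o644), ("secmod.db", 0o400)):
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write("")
            os.chmod(path, mode)  # explicit chmod, so the umask does not interfere
            results[name] = check_file(path, **NSSDB_POLICY)
    return results


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: mode {result['mode']} -> {result['verdict']} {result['detail']}".rstrip())
```

With this shape the 0600 files from William's output pass, while a world-readable copy of the key database is the only thing reported as a failure; a mode that would break the service is reported separately as too restrictive rather than being lumped in with the permissive case.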
On Wed, Nov 07, 2018 at 01:04:05PM -0500, Rob Crittenden via FreeIPA-users wrote:
> William Muriithi via FreeIPA-users wrote:
> > Morning Rob
> >
> > > > What's the process for either removing or making it known?
> > >
> > > I'll add something to the program about this too but for now you can run:
> > >
> > > # getcert list -i 20170919231606
> > >
> > > That will tell us what it is. It is perfectly fine to have certmonger track other certs on the system. I display unexpected ones as a just-in-case.
> > >
> > > It's supposed to display as just a warning. I'll fix that too since it is a little alarming.
> >
> > This is the result I got on my end:
> >
> > Failures:
> > Unable to find request for serial 268304424
> > Unable to find request for serial 268304426
> > Unable to find request for serial 268304425
> > Unable to find request for serial 268304423
>
> I'm not sure if this is an invalid test or a real error. I'm still waiting on the dogtag team to respond to https://bugzilla.redhat.com/show_bug.cgi?id=1641804 (your results are slightly different but of the same theme).

Request IDs are not related to serial numbers of issued certificates. They just happen to coincide at the beginning. I responded to the BZ with more details.

> > Subject O=ENG.EXAMPLE.COM,CN=zinc.eng.example.com and template subject CN=lithium.eng.example.com,O=ENG.EXAMPLE.COM do not match for serial 77
>
> Same as above.
>
> I don't know yet if this is a harbinger of doom or a red herring :-/

Probably an incorrect assumption. Most likely not a harbinger of doom. Rob can you please follow up with details on how this check is conducted?

Cheers, Fraser

> > Permissions of /etc/dirsrv/slapd-ENG-EXAMPLE-COM/key3.db are 0600 and should be 0640
> > Permissions of /etc/dirsrv/slapd-ENG-EXAMPLE-COM/cert8.db are 0600 and should be 0640
> > Permissions of /etc/dirsrv/slapd-ENG-EXAMPLE-COM/secmod.db are 0600 and should be 0640
>
> Yeah, this is probably fine. I may need to tweak the test to not look for specific permissions but rather check what is required and that it isn't too permissive.
>
> > Warnings:
> > Unknown certmonger ids: 20170812234301
>
> This one is fine. I may make a note to add more details to this. It is basically just a heads-up in case you have something tracked you forgot about.
>
> > [root@lithium bin]#
> >
> > The system so far seems healthy. Did these file permissions have stricter access that was relaxed later? I have never attempted to change them, at least implicitly.
>
> It may be related to different versions of IPA or something. This test is intended to ensure the ownership and permissions aren't wildly either too permissive or too restrictive. It apparently still needs some work.
>
> rob