Rob Crittenden
When the subsystemCert certificate is invalid, healthcheck will spew 10 or so messages like this on stderr: ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403....
Saw in the wild a traceback due to an unhandled authentication failure. { "source": "ipahealthcheck.ipa.dna", "check": "IPADNARangeCheck", "result": "CRITICAL", "uuid": "f28db15e-15a1-41ab-bb8b-f0003bef7c33", "when": "20240123200708Z", "duration": "0.239964", "kw": { "exception": "Insufficient access: Invalid...
nsslapd-idletimeout is used by 389 to determine when a client has gone idle. The default value is 3600. A value of 0 is unlimited. We saw a case where a...
We're still seeing cases where krbLastSuccessfulAuth is causing performance issues. I'll quote the upstream issue: https://pagure.io/freeipa/issue/5313 "Even if this attribute is skipped in fractional replication, all the changes are sent...
test_ipa_notinstalled and test_ipa_notconfigured are both failing with an import error. I think this is pytest-specific. The tests pass locally. I'm disabling the tests for now for future investigation. ____________________________ test_ipa_notinstalled...
In this thread [1] a user reported that they couldn't enable ACME using ipa-acme-manage because it failed with a 403 error. The normal troubleshooting steps turned up nothing. It was...
The initial CA is configured to run a task to update the certificate status field. Check that this is configured on at least one server. As documented at https://github.com/dogtagpki/pki/wiki/Configuring-Certificate-Status-Update-Task Issue...
IPA provides two include files where customization can be done without worrying about being overwritten by upgrades. - /etc/named/ipa-options-ext.conf (for options) - /etc/named/ipa-ext.conf (all other settings) Warn about configuration settings...
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1745138 When a FreeIPA replica is installed a DNA range is not allocated to it. The range is only cut from the master's DNA range when a replica really...
ACME uses the ipa-ca.$DOMAIN name so there can be a fixed name in an installation for the service. If a user is providing their own certificate for Apache then it...