dogtagpki / pki

The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
https://www.dogtagpki.org
GNU General Public License v2.0

pki-healthcheck generates errors when dogtag is not deployed #3316

Open pki-bot opened 3 years ago

pki-bot commented 3 years ago

This issue was migrated from Pagure Issue #3199. Originally filed by rcritten (@rcritten) on 2020-08-03 15:59:52:

IPA can be installed in a CA-less configuration with the user providing the certificates required for operation. Running ipa-healthcheck with this will generate quite a few pki-healthcheck errors because it is not configured:

```json
  {
    "source": "pki.server.healthcheck.certs.expiration",
    "check": "CASystemCertExpiryCheck",
    "result": "CRITICAL",
    "uuid": "89bbc048-bfce-4ba7-af30-024caea33285",
    "when": "20200803195641Z",
    "duration": "0.000106",
    "kw": {
      "msg": "Invalid PKI instance: pki-tomcat"
    }
  }
```

The checks should be skipped if a PKI subsystem is not deployed.

pki-bot commented 3 years ago

Comment from rcritten (@rcritten) at 2020-08-03 16:01:18

pki-server-10.9.0-0.4.fc31.noarch

SilleBille commented 3 years ago

This should be a straightforward fix. But the PKI team has to decide if we need to report an ERROR, CRITICAL or WARNING when an instance isn't available.

There are 2 scenarios:

  1. Instances exist in the system but the provided instance is invalid <-- In this case we need to throw an ERROR/CRITICAL
  2. Instances DO NOT exist. Example: CA-less IPA server. <--- In this case we need to throw a WARNING

Code reference: Expiration check.

NOTE: If the decision is made to change the severity, ALL other tests must be modified to maintain uniformity. My $0.02 😄
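The two scenarios above can be told apart before any certificate check runs: list the deployed instances, then decide whether the requested one is missing because PKI is not installed at all or because the name is wrong. The following is an added example written for this thread, not Dogtag or pki-healthcheck code; it does not use the real plugin API. It assumes instances live under `/var/lib/pki` with a `conf/` subdirectory (an assumption about the layout), and the decision logic takes the list of deployed instances as a parameter so it can be exercised offline with constructed inputs.

```python
"""Severity decision for a healthcheck when a PKI instance is missing.

Added example (not Dogtag/pki-healthcheck code). It models the two scenarios
from the discussion: other instances exist but the requested one does not
(misconfiguration -> CRITICAL), versus no PKI instance at all, e.g. a CA-less
IPA server (nothing to check -> skip, optionally surfaced as one WARNING).
"""
from __future__ import annotations

import os
from dataclasses import dataclass, field
from typing import Iterable, Optional

# Severity labels as they appear in the healthcheck output quoted in the issue.
SUCCESS = "SUCCESS"
WARNING = "WARNING"
ERROR = "ERROR"
CRITICAL = "CRITICAL"

# Assumed base directory of Dogtag/Tomcat instances; adjust for your layout.
DEFAULT_INSTANCE_BASE = "/var/lib/pki"


@dataclass
class CheckResult:
    """Minimal stand-in for a healthcheck result record."""
    check: str
    result: str
    kw: dict = field(default_factory=dict)


def discover_instances(base_dir: str = DEFAULT_INSTANCE_BASE) -> list[str]:
    """Return names of deployed PKI instances found under base_dir.

    An instance directory is recognised by a conf/ subdirectory (assumption).
    Returns [] when base_dir does not exist, i.e. PKI is not installed.
    """
    if not os.path.isdir(base_dir):
        return []
    return sorted(
        name for name in os.listdir(base_dir)
        if os.path.isdir(os.path.join(base_dir, name, "conf"))
    )


def instance_check(instance_name: str, deployed: Iterable[str],
                   check_name: str = "CASystemCertExpiryCheck") -> Optional[CheckResult]:
    """Decide how a check should react to the requested instance.

    - Instance present: proceed with the real check (SUCCESS stands in for
      the actual expiry logic here).
    - No instances at all (CA-less IPA): PKI is not in use, return None to
      signal "skip this check".
    - Some instances exist but not the requested one: misconfiguration, so
      CRITICAL, matching the message in the issue output.
    """
    deployed = list(deployed)
    if instance_name in deployed:
        return CheckResult(check_name, SUCCESS, {"instance": instance_name})
    if not deployed:
        return None
    return CheckResult(check_name, CRITICAL,
                       {"msg": f"Invalid PKI instance: {instance_name}",
                        "deployed": deployed})


def run_checks(instance_name: str, deployed: Iterable[str],
               warn_when_absent: bool = True) -> list[CheckResult]:
    """Run the instance check. A skip becomes a single WARNING record when
    warn_when_absent is set (scenario 2 above); with it cleared, nothing is
    reported, which is the "skip if not deployed" behaviour the reporter asks for."""
    result = instance_check(instance_name, deployed)
    if result is not None:
        return [result]
    if warn_when_absent:
        return [CheckResult("PKIInstancePresentCheck", WARNING,
                            {"msg": "No PKI instance deployed; skipping PKI checks"})]
    return []


if __name__ == "__main__":
    # Constructed sample inputs; on a real host use discover_instances().
    for deployed in ([], ["pki-tomcat"], ["pki-other"]):
        for r in run_checks("pki-tomcat", deployed):
            print(deployed, "->", r.result, r.kw)
```

Running it prints a WARNING for the empty list, SUCCESS for `["pki-tomcat"]`, and the CRITICAL "Invalid PKI instance: pki-tomcat" record for `["pki-other"]`; passing `warn_when_absent=False` makes the CA-less case produce no output at all, so whichever severity the team settles on is a one-line change applied in a single place rather than in every check.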