Closed nogweii closed 2 years ago
Hm, the readme has this in the explanation of IPACertTracking:
> An unknown certificate is being tracked by certmonger. This may be perfectly legitimate, it is provided for information only
But it still causes the tool to exit with a non-zero status code, and so systemd marks the service as having failed. If it's for my information only, I would not have expected it to cause a failure.
I want to add a script to my server that will send me a notification if ipa-healthcheck fails, but this current behavior blocks that.
There is not currently a way to mark output as info-only (it could get lost in the output), or add tracked certificates to an ignore list.
It may make sense to extend the exit code to represent the highest level of error returned as well. 1 = WARNING, 2 = ERROR, etc.
There is now both a way to ignore certain sources/checks/results (suppress) and to only return based on severity, so I'm going to mark this one as done.
On my FreeIPA server (running 4.9.3 on a Fedora 33 VM), I'm using `getcert` to manage a certificate for Cockpit.

**Output**

Output from `ipa-healthcheck`:

```json
[
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertTracking",
    "result": "WARNING",
    "uuid": "ab6155c7-e0bf-4496-a2c8-d5b720dca4d3",
    "when": "20210426063935Z",
    "duration": "1.548222",
    "kw": {
      "key": "20210426060604",
      "msg": "certmonger tracking request {key} found and is not expected on an IPA master."
    }
  }
]
```

certmonger request information:

```
Request ID '20210426060604':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/private/ipa.aether.local.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/ipa.aether.local.pem'
	CA: IPA
	issuer: CN=Aethernet IPA Certificate Authority,O=AETHER.LOCAL
	subject: CN=ipa.aether.local,O=AETHER.LOCAL
	expires: 2023-04-27 06:06:07 UTC
	dns: ipa.aether.local
	principal name: HTTP/ipa.aether.local@AETHER.LOCAL
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/local/libexec/certmonger_cockpit_post_save.sh
	track: yes
	auto-renew: yes
```

(Oh, and here's a useful command to filter the healthcheck log file:

```sh
jq -C '[.[] | select(.result != "SUCCESS")]' < /var/log/ipa/healthcheck/healthcheck.log 2>&1 | less -R
```

)

**Request**
I'd like there to be some way to specify to the healthcheck that this additional request ID is expected for myself, and it should not raise a warning.
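Added example, not ipa-healthcheck's own code: a small wrapper that reads result records in the JSON format shown above, skips IPACertTracking warnings whose certmonger request ID is on an administrator-supplied ignore list, and exits with the highest remaining severity (1 = WARNING, 2 = ERROR, as proposed in the thread) so a notification script or systemd unit can act on it. The sample records are constructed; the CRITICAL level and the ConstructedCheck name are assumptions.

```python
import json
import sys

# Severity ranks used as the exit status (1 = WARNING, 2 = ERROR as proposed
# in the thread); CRITICAL as the top level is an assumption of this example.
SEVERITY = {"SUCCESS": 0, "WARNING": 1, "ERROR": 2, "CRITICAL": 3}

# Constructed sample in the JSON format ipa-healthcheck printed in the issue;
# the second record's check name is made up.
SAMPLE_OUTPUT = json.dumps([
    {"source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking",
     "result": "WARNING", "kw": {"key": "20210426060604", "msg":
     "certmonger tracking request {key} found and is not expected on an IPA master."}},
    {"source": "ipahealthcheck.ipa.certs", "check": "ConstructedCheck",
     "result": "SUCCESS", "kw": {}},
])

def load_results(text):
    """Parse the JSON list of healthcheck result records."""
    return json.loads(text)

def is_expected_tracking(entry, expected_requests):
    """The informational IPACertTracking warning about a certmonger request
    ID the administrator has listed as expected, i.e. an ignore-list hit."""
    return (entry.get("check") == "IPACertTracking"
            and entry.get("result") == "WARNING"
            and entry.get("kw", {}).get("key") in expected_requests)

def problems(results, expected_requests=frozenset()):
    """Records worth a notification: not SUCCESS and not on the ignore list."""
    return [e for e in results if e.get("result") != "SUCCESS"
            and not is_expected_tracking(e, expected_requests)]

def highest_severity(results, expected_requests=frozenset()):
    """Exit status: rank of the worst remaining record, 0 when nothing remains.
    Unknown result strings rank as ERROR so they are never silently dropped."""
    return max((SEVERITY.get(e.get("result"), SEVERITY["ERROR"])
                for e in problems(results, expected_requests)), default=0)

if __name__ == "__main__":
    # Pipe the healthcheck JSON on stdin (or run interactively for the sample);
    # any arguments are certmonger request IDs to treat as expected.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    expected, found = frozenset(sys.argv[1:]), load_results(text)
    for e in problems(found, expected):
        msg = e.get("kw", {}).get("msg", "").format(**e.get("kw", {}))
        print(f"{e['result']}: {e['source']}.{e['check']}: {msg}")
    sys.exit(highest_severity(found, expected))
```

Only the WARNING form of IPACertTracking is suppressed by the ignore list; an ERROR or CRITICAL from any check still raises the exit status.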