Support verifying LWCA (SubCA) certmonger requests #307
The failure looks like:
IPA does not generate a tracking request for subCAs after creation. One needs to run ipa-server-upgrade to add them.
rcritten added a commit to rcritten/freeipa-healthcheck that referenced this issue Oct 27, 2023
The LWCA ids are UUID4 format and are stored in LDAP so we can retrieve the list (ignoring the ipa entry) and construct what the request should look like. Fixes: freeipa#307 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
rcritten added a commit to rcritten/freeipa-healthcheck that referenced this issue Oct 27, 2023
This was causing a cache miss in the LDAPCache class. The '*' + all default attributes was confusing the cache. We in fact do not need all attributes so this is fine. This increases the cache hits in cert.py from 7 to 24, reducing the number of duplicate LDAP searches. Related: freeipa#307 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
rcritten added a commit to rcritten/freeipa-healthcheck that referenced this issue Nov 2, 2023
The LWCA ids are UUID4 format and are stored in LDAP so we can retrieve the list (ignoring the ipa entry) and construct what the request should look like. Add a cache for the get_expected_requests() function. The certificates aren't going to change (or shouldn't) in the middle of a run and there is no point in duplicating several LDAP requests for each call. Fixes: freeipa#307 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
rcritten added a commit to rcritten/freeipa-healthcheck that referenced this issue Nov 2, 2023
This was causing a cache miss in the LDAPCache class. The '*' + all default attributes was confusing the cache. We in fact do not need all attributes so this is fine. This increases the cache hits in cert.py from 7 to 24, reducing the number of duplicate LDAP searches. Related: freeipa#307 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
rcritten added a commit to rcritten/freeipa-healthcheck that referenced this issue Nov 6, 2023
The LWCA ids are UUID4 format and are stored in LDAP so we can retrieve the list (ignoring the ipa entry) and construct what the request should look like. Add a cache for the get_expected_requests() function. The certificates aren't going to change (or shouldn't) in the middle of a run and there is no point in duplicating several LDAP requests for each call. Fixes: freeipa#307 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
rcritten added a commit to rcritten/freeipa-healthcheck that referenced this issue Nov 6, 2023
This was causing a cache miss in the LDAPCache class. The '*' + all default attributes was confusing the cache. We in fact do not need all attributes so this is fine. This increases the cache hits in cert.py from 7 to 24, reducing the number of duplicate LDAP searches. Related: freeipa#307 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
rcritten added a commit that referenced this issue Nov 7, 2023
The LWCA ids are UUID4 format and are stored in LDAP so we can retrieve the list (ignoring the ipa entry) and construct what the request should look like. Add a cache for the get_expected_requests() function. The certificates aren't going to change (or shouldn't) in the middle of a run and there is no point in duplicating several LDAP requests for each call. Fixes: #307 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
rcritten added a commit that referenced this issue Nov 7, 2023
This was causing a cache miss in the LDAPCache class. The '*' + all default attributes was confusing the cache. We in fact do not need all attributes so this is fine. This increases the cache hits in cert.py from 7 to 24, reducing the number of duplicate LDAP searches. Related: #307 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
healthcheck doesn't currently expect to see tracked LWCA certificates. These typically have the form of:
They are currently reported as a warning about an unknown tracked certificate.
We can fetch the CA UUIDs from LDAP and build a template request for them so they no longer warn.
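The approach described in this issue, as an added example that is not code from freeipa-healthcheck: take the CA entries read from LDAP, skip the `ipa` entry, accept only canonical UUID4 ids, build one expected tracking request per LWCA, and compare against what is actually tracked. The entry layout, the `nickname` field and `NICKNAME_TEMPLATE` are assumptions, since the real request form is not shown on this page; all sample values are constructed.

```python
import uuid

# Hypothetical template: the real nickname format is not shown on this page.
NICKNAME_TEMPLATE = "lwca-signing-cert {ca_id}"


def is_uuid4(value):
    """True only for a canonical (hyphenated, unwrapped) UUID version 4 string."""
    try:
        parsed = uuid.UUID(value)
    except (ValueError, AttributeError, TypeError):
        return False
    # uuid.UUID() also accepts braces, urn: prefixes and unhyphenated hex;
    # require the canonical form so nothing unexpected reaches the template.
    return parsed.version == 4 and str(parsed) == value.lower()


def expected_lwca_requests(ldap_ca_entries):
    """Build one expected tracking request per LWCA, ignoring the 'ipa' entry."""
    expected = []
    for entry in ldap_ca_entries:
        if entry["name"] == "ipa":
            continue
        if not is_uuid4(entry["id"]):
            raise ValueError("CA %r has a non-UUID4 id" % entry["name"])
        expected.append({"nickname": NICKNAME_TEMPLATE.format(ca_id=entry["id"])})
    return expected


def compare_requests(expected, tracked):
    """Return (missing, unknown) nicknames: expected but untracked, tracked but unexpected."""
    want = {r["nickname"] for r in expected}
    have = {r["nickname"] for r in tracked}
    return sorted(want - have), sorted(have - want)


# Constructed sample data: the main CA plus two LWCAs, one of them never tracked
# (the state a subCA is in until ipa-server-upgrade adds its request).
SAMPLE_LDAP = [
    {"name": "ipa", "id": "not-used-for-lwca-tracking"},
    {"name": "vpn-ca", "id": "3f1c2b7e-9a4d-4c1e-8b2a-5d6e7f8091a2"},
    {"name": "puppet-ca", "id": "0b9d8e7f-6a5c-4b3d-9e2f-1a0b9c8d7e6f"},
]
SAMPLE_TRACKED = [
    {"nickname": "lwca-signing-cert 3f1c2b7e-9a4d-4c1e-8b2a-5d6e7f8091a2"},
    {"nickname": "stray-cert"},
]

if __name__ == "__main__":
    missing, unknown = compare_requests(expected_lwca_requests(SAMPLE_LDAP), SAMPLE_TRACKED)
    print("missing:", missing)
    print("unknown:", unknown)
```

Only the LWCA subset is compared here, so a tracked request matching none of the LWCA templates is still reported as unknown.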