Releases: freeipa/freeipa-healthcheck

0.19

22 Sep 20:30

What's Changed

  • Don't rely on order in trust agent/controller role check by @rcritten in #357
  • Add /etc/pki/tls/certs/ directory to file checker by @rcritten in #359
  • Switch to F41 and F42 for testing by @rcritten in #365
  • Add a message to Trust checks if not a trust agent/controller by @rcritten in #367
  • Report if an expiring certificate is externally signed by @rcritten in #366
  • Check that allowed_uids in the SSSD config is valid by @rcritten in #363
  • Check that the expected NSS token matches the current FIPS state by @rcritten in #364

Full Changelog: 0.18...0.19

0.18

06 May 18:20

What's Changed

  • Allow WARNING in the files test by @rcritten in #331
  • Check that IPA configuration has MS-PAC generation enabled by @abbra in #332
  • IPAOpenSSLChainValidation: ignore default trust store by @flo-renaud in #341
  • Catch exceptions raised when making a replication agmt by @rcritten in #339
  • Compatibility fix for PyCA cryptography 42.0.0 by @rcritten in #346
  • Replace fips-mode-setup by @duzda in #349
  • Check user-provided certificates for expiration by @rcritten in #348
  • Warn if krbLastSuccessfulAuth replication is enabled by @rcritten in #352
  • Warn about unexpected umask by @duzda in #354

Full Changelog: 0.17...0.18

0.17

03 Jun 15:36

What's Changed

  • Don't fail if a service name cannot be looked up in LDAP by @rcritten in #313
  • Address two issues uncovered in freeIPA CI by @rcritten in #314
  • Skip DogtagCertsConfigCheck for PKI versions >= 11.5.0 by @rcritten in #318
  • test: Handle PKI >= 11.5.0 not storing certs in CS.cfg by @rcritten in #319
  • Fixes log file permissions as per CIS benchmark by @tscherf in #326
  • Handle CS.cfg file missing in DogtagCertsConfigCheck by @rcritten in #328
  • Fix some file mode format issues by @rcritten in #330

Full Changelog: 0.16...0.17

0.16

09 Nov 15:46

What's Changed

  • Remove call to api.Backend.ldap2.disconnect() by @rcritten in #311. This broke pki-healthcheck.

Full Changelog: 0.15...0.16

0.15

07 Nov 15:16

What's Changed

  • Change the github runners to conform with new requirements by @rcritten in #304
  • Add a dirsrv requires to services that look up their names in LDAP by @rcritten in #301
  • Convert DBus objects into native python objects by @rcritten in #306
  • Use timezone.utc instead of datetime.UTC for backwards compatibility by @rcritten in #303
  • Validate service keytabs other than just /etc/krb5.keytab by @rcritten in #289
  • Support validating LWCA certmonger requests by @rcritten in #308

Full Changelog: 0.14...0.15

0.14

21 Aug 14:00

Python 3.12: utcnow function is deprecated

0.13

19 Jul 14:43

What's Changed

  • Add more services to check the status, switch to using roles by @rcritten in #271
  • Require root to run ipa-healthcheck by @rcritten in #267
  • If there are KRAs, ensure the renewal server is one by @rcritten in #290
  • Report certmonger requests that are in the stuck state by @rcritten in #291
  • Skip AD domains with posix ranges in the catalog check by @rcritten in #269
  • Report when all ipa-ca records are missing in IPADNSSystemRecordsCheck by @rcritten in #287
  • Restrict the length of JSON output indent to 32 by @rcritten in #288
  • output: fix prometheus output plugin to comply with format spec by @UiP9AV6Y in #293
  • Catch exceptions during user/group name lookup in FileCheck by @rcritten in #297
  • gha: Replace F35/36 with F37/38 by @rcritten in #294
  • Don't error in DogtagCertsConnectivityCheck with external CAs by @rcritten in #286

Full Changelog: 0.12...0.13

0.11

02 Jun 15:21

Full Changelog: 0.10...0.11

0.10

08 Feb 18:47

Full Changelog: 0.9...0.10

0.9

10 Jun 14:00

  • Add service dependencies to more checks so they are skipped if dependent services are not running
  • Filter out the pki healthcheck sources if IPA CA is not installed
  • Don't collect the CRLManager role if the CA is not configured
  • Drop or replace print statements which were polluting stdout/stderr with lines that should have been logged instead
  • Add service log files to those tracked by the FileCheck for owner/group/perms/mode
  • Check for mismatches in certificates between LDAP and the system
  • Fix the --debug option which was being reset internally back to WARN
  • Add check for KRA Agent to compare the certificate with LDAP, similar to RA Agent check
  • For human output display a message when no issues are found instead of an empty list []
  • Check for a host certificate to avoid a false positive tracking
  • Add compatibility for python 3.10