Your company here — click to reach over 10,000 unique daily visitors

ipahealthcheck.conf - Man Page

ipa-healthcheck configuration file




The ipahealthcheck.conf configuration file is used to set the defaults when running ipa-healthcheck.


The configuration options are not case sensitive. The values may be case sensitive, depending on the option.

Blank lines are ignored. Lines beginning with # are comments and are ignored.

Valid lines consist of an option name, an equals sign and a value. Spaces surrounding equals sign are ignored. An option terminates at the end of a line.

Values should not be quoted, the quotes will not be stripped.

   # Wrong - don't include quotes
   verbose = "True"

   # Right - Properly formatted options
   verbose = True

Options must appear in the section named [default]. There are no other sections defined or used currently.

Options may be defined that are not used. Be careful of misspellings, they will not be rejected.


There may be reasons that a user will want to suppress some results. One example is a customer certificate that is generating a warning because it is unknown to IPA. Excluding a result key does not prevent it from running, it is filtered from the reported results. Excluding by source or check will prevent it from running at all. Services will not be excluded because other checks may rely on them (ipahealthcheck.meta.services).

Each excludes type may be listed multiple times. Invalid sources, checks and/or keys will not be flagged. These configuration options are only processed when found in the EXCLUDES section and are otherwise ignored.

Users are encouraged to annotate the reason for excluding the results so the reason is not lost.

Results can be suppressed or excluded in three ways:

· source, e.g. ipahealthcheck.ipa.certs

· check, e.g. IPADNSSystemRecordsCheck

· report key, e.g. 20210910141457 (certmonger tracking id)


The following options are relevant in each section.


The number of days left before a certificate expires to start displaying a warning. The default is 28.


The time allowed in seconds for each check to run before being considered an error. The default is 10.


Filter results based on the check source.


Filter results based on the check name.


Filter results based on the result key in the healthcheck output.

All command-line options may be included in the configuration file. Dashes must be converted to underscore for the configuration file, e.g. --output-type becomes output_type. All options, including those that don't make sense in a config file, like --list-sources, are allowed. Let the buyer beware.

The purpose of allowing command-line options to be in the configuration file is for automation without having to tweak the automation script. For example, if you want the default output type to be human for the systemd timer automated runs, settting output_type=human in the configuration file will do this. When loading configuration the first option wins, so if any option is in the configuration file then it cannot be overridden by the command-line unless a different configuration file is specified (see --config).

There may be conflicting exceptions. For example, if all=True is set in the configuration file, and the command-line contains --failures-only, then only failures will be displayed because of the way the option evaluation is done.

Options that don't make sense for the configuration file include --list-sources and --input-file.



configuration file


7 days left before a certificate expires to start displaying a warning:


Exclude all certificate checks:

Don't warn about a custom certificate being tracked by certmonger:


See Also



Apr 5 2019 FreeIPA Manual Pages