I do have migration in mind, and I already have seen that doc.
I double checked the roles, and the only two roles that are enabled are CA-server and DNS-server. They are present on both systems.
However currently I'm 'just' adding an el9 replica and the old el8 master can't seem to reach the ca accourding to the healthcheck.
And I don't want to start migrating before the current situation has a good alth status for all the replicas/masters.
Op di 17 jan. 2023 om 15:37 schreef Francisco Triviño García < ftrivino@redhat.com>:
On 1/17/23 09:33, Rob Verduijn via FreeIPA-users wrote:
Hello all,
I wanted to migrate my old el8 freeipa server to el9.
So I installed a new system with el9 and configured a replica on it.
After this was completed I ran ipa-healthcheck on the new el9 replica and all was well.
However after this I ran ipa-healthcheck on the old el8 ipa server and I got the following error. ipa-healthcheck Internal server error 'Link' [ { "source": "pki.server.healthcheck.clones.connectivity_and_data", "check": "ClonesConnectivyAndDataCheck", "result": "ERROR", "uuid": "5aea196e-1693-4c14-93c5-649286c8ef7f", "when": "20230117082651Z", "duration": "0.402024", "kw": { "status": "ERROR: pki-tomcat : Internal error testing CA clone. Host: freeipa01.tjako.thuis Port: 443" } } ]
I double checked the firewall and all ports were open on the el9 server firewall-cmd --list-all public (active) target: default icmp-block-inversion: no interfaces: br0 enp1s0 sources: services: cockpit dhcpv6-client dns freeipa-ldap freeipa-ldaps http https ntp ssh ports: protocols: forward: yes masquerade: no forward-ports: source-ports: icmp-blocks: rich rules:
On the el9 server ipa-healthcheck yields no errors and ipactl status shows everything is running.
Anybody know why the old el8 server fails the ipa-healthcheck ?
Assuming that the new server (as a replica of the el8 server) was installed including all the server roles present on el8, I guess there are more steps to be completed, here you can find the full migration guide:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/htm...
is freeipa01.tjako.thuis the new server?
Rob
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue