Rob Verduijn via FreeIPA-users wrote:
> I do have migration in mind, and I already have seen that doc.
> I double checked the roles, and the only two roles that are enabled are
> CA-server and DNS-server.
> They are present on both systems.
> However currently I'm 'just' adding an el9 replica and the old el8
> master can't seem to reach the CA according to the healthcheck.
> And I don't want to start migrating before the current situation has a
> good health status for all the replicas/masters.
Can you re-run it with --debug? Some older versions of healthcheck had a
bug in the debug switch where it got turned off while importing external
checks so if you don't get much, you've hit that.
rob
On Tue, 17 Jan 2023 at 15:37, Francisco Triviño García
<ftrivino(a)redhat.com> wrote:
On 1/17/23 09:33, Rob Verduijn via FreeIPA-users wrote:
> Hello all,
>
> I wanted to migrate my old el8 freeipa server to el9.
>
> So I installed a new system with el9 and configured a replica on it.
>
> After this was completed I ran ipa-healthcheck on the new el9
> replica and all was well.
>
> However after this I ran ipa-healthcheck on the old el8 ipa server
> and I got the following error.
> ipa-healthcheck
> Internal server error 'Link'
> [
> {
> "source": "pki.server.healthcheck.clones.connectivity_and_data",
> "check": "ClonesConnectivyAndDataCheck",
> "result": "ERROR",
> "uuid": "5aea196e-1693-4c14-93c5-649286c8ef7f",
> "when": "20230117082651Z",
> "duration": "0.402024",
> "kw": {
> "status": "ERROR: pki-tomcat : Internal error testing CA clone. Host: freeipa01.tjako.thuis Port: 443"
> }
> }
> ]
>
> I double checked the firewall and all ports were open on the el9
> server
> firewall-cmd --list-all
> public (active)
> target: default
> icmp-block-inversion: no
> interfaces: br0 enp1s0
> sources:
> services: cockpit dhcpv6-client dns freeipa-ldap freeipa-ldaps http https ntp ssh
> ports:
> protocols:
> forward: yes
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
>
> On the el9 server ipa-healthcheck yields no errors and ipactl
> status shows everything is
> running.
>
> Anybody know why the old el8 server fails the ipa-healthcheck ?
Assuming that the new server (as a replica of the el8 server) was
installed including all the server roles present on el8, I guess
there are more steps to be completed, here you can find the full
migration guide:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/...
Is freeipa01.tjako.thuis the new server?
>
> Rob
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue