Hello,

I ran healthcheck with the debug option. There was a huge amount of output, which stopped after the health error I mentioned before.

Sadly the amount also contained all certificates so I cannot post it here.
The debug output is quite overwhelming.
Could you give some pointers as to what I should be looking for?

Rob


On Tue, 17 Jan 2023 at 15:55, Rob Crittenden <rcritten@redhat.com> wrote:
Rob Verduijn via FreeIPA-users wrote:
> I do have migration in mind, and I already have seen that doc.
>
> I double checked the roles, and the only two roles that are enabled are
> CA-server and DNS-server.
> They are present on both systems.
>
> However currently I'm 'just' adding an el9 replica and the old el8
> master can't seem to reach the CA according to the healthcheck.
>
> And I don't want to start migrating before the current situation has a
> good health status for all the replicas/masters.

Can you re-run it with --debug? Some older versions of healthcheck had a
bug in the debug switch where it got turned off while importing external
checks so if you don't get much, you've hit that.

rob

>
>
> On Tue, 17 Jan 2023 at 15:37, Francisco Triviño García
> <ftrivino@redhat.com> wrote:
>
>
>     On 1/17/23 09:33, Rob Verduijn via FreeIPA-users wrote:
>>     Hello all,
>>
>>     I wanted to migrate my old el8 freeipa server to el9.
>>
>>     So I installed a new system with el9 and configured a replica on it.
>>
>>     After this was completed I ran ipa-healthcheck on the new el9
>>     replica and all was well.
>>
>>     However after this I ran ipa-healthcheck on the old el8 ipa server
>>     and I got the following error.
>>     ipa-healthcheck  
>>     Internal server error 'Link'
>>     [
>>      {
>>        "source": "pki.server.healthcheck.clones.connectivity_and_data",
>>        "check": "ClonesConnectivyAndDataCheck",
>>        "result": "ERROR",
>>        "uuid": "5aea196e-1693-4c14-93c5-649286c8ef7f",
>>        "when": "20230117082651Z",
>>        "duration": "0.402024",
>>        "kw": {
>>          "status": "ERROR:  pki-tomcat : Internal error testing CA
>>     clone. Host: freeipa01.tjako.thuis Port: 443"
>>        }
>>      }
>>     ]
>>
>>     I double checked the firewall and all ports were open on the el9
>>     server
>>     firewall-cmd --list-all
>>     public (active)
>>      target: default
>>      icmp-block-inversion: no
>>      interfaces: br0 enp1s0
>>      sources:  
>>      services: cockpit dhcpv6-client dns freeipa-ldap freeipa-ldaps
>>     http https ntp ssh
>>      ports:  
>>      protocols:  
>>      forward: yes
>>      masquerade: no
>>      forward-ports:  
>>      source-ports:  
>>      icmp-blocks:  
>>      rich rules:
>>
>>     On the el9 server ipa-healthcheck yields no errors and ipactl
>>     status shows everything is
>>     running.
>>
>>     Anybody know why the old el8 server fails the ipa-healthcheck?
>
>     Assuming that the new server (as a replica of the el8 server) was
>     installed including all the server roles present on el8, I guess
>     there are more steps to be completed, here you can find the full
>     migration guide:
>
>     https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/migrating_to_identity_management_on_rhel_9/assembly_migrating-your-idm-environment-from-rhel-8-servers-to-rhel-9-servers_migrating-to-idm-on-rhel-9
>
>     is freeipa01.tjako.thuis the new server?
>
>
>>
>>     Rob
>>
>>
>>     _______________________________________________
>>     FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>     To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
>>     Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>     List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>     List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>>     Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>
>
>
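
As an added example (not part of the original thread and not FreeIPA's own code): a small Python filter that pulls the JSON result array out of saved ipa-healthcheck output, even when a stray line such as `Internal server error 'Link'` precedes it or a mail client has wrapped a string, and keeps only the non-SUCCESS results. The function names and the second sample entry are assumptions made for illustration.

```python
import json

# Constructed sample: the report from this thread (uuid/when/duration dropped),
# wrapped as in the e-mail, plus one made-up SUCCESS entry.
SAMPLE = """Internal server error 'Link'
[
 {
  "source": "pki.server.healthcheck.clones.connectivity_and_data",
  "check": "ClonesConnectivyAndDataCheck",
  "result": "ERROR",
  "kw": {
   "status": "ERROR:  pki-tomcat : Internal error testing CA
 clone. Host: freeipa01.tjako.thuis Port: 443"
  }
 },
 {"source": "example.constructed", "check": "Constructed", "result": "SUCCESS", "kw": {}}
]
"""

def extract_report(text):
    """Return the JSON result array, skipping stray lines printed before it."""
    # strict=False tolerates raw newlines inside strings (mail-wrapped output).
    decoder = json.JSONDecoder(strict=False)
    pos = text.find("[")
    while pos != -1:
        try:
            obj, _ = decoder.raw_decode(text, pos)
            if isinstance(obj, list):
                return obj
        except json.JSONDecodeError:
            pass  # this "[" did not start a JSON array; try the next one
        pos = text.find("[", pos + 1)
    raise ValueError("no JSON result array found")

def failures(report):
    """Non-SUCCESS results as (result, source, check, detail) tuples."""
    rows = []
    for item in report:
        if item.get("result") == "SUCCESS":
            continue
        kw = item.get("kw", {})
        # "status" is the key seen in this thread; otherwise show the whole kw.
        detail = kw.get("status") or json.dumps(kw, sort_keys=True)
        rows.append((item.get("result"), item.get("source"),
                     item.get("check"), " ".join(str(detail).split())))
    return rows

if __name__ == "__main__":
    for row in failures(extract_report(SAMPLE)):
        print(" | ".join(row))
```

The tuples contain only the result, source, check name and status text, so they can be shared without the certificate material that the full debug output carries.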