Hi,

The pki/httpd logs on the el9 are almost empty during the healthcheck on the el8 system.
The pki/httpd logs on the el8 server complain quite a bit during the health check on the el8 system.

I've attached them (just the tail from the logs during the ipa-healthcheck running on the el8 system).

Rob

On Wed, 18 Jan 2023 at 17:39, Rob Crittenden <rcritten@redhat.com> wrote:
It is trying to read three certs from the CA just to validate that
things are working. Some exception is being thrown during the POST. The
pki and/or httpd logs might contain more info.

rob

Rob Verduijn wrote:
> Hi,
>
> I don't see anything strange in the output but that's probably my ignorance.
> With your extended command the output is now free of certs so I'm
> attaching it.
>
> Rob
>
>
> On Wed, 18 Jan 2023 at 15:22, Rob Crittenden <rcritten@redhat.com> wrote:
>
>     Rob Verduijn wrote:
>     > Hello,
>     >
>     > I ran healthcheck with the debug option. There was a huge amount of
>     > output which stopped after the health error I mentioned before.
>     >
>     > Sadly the amount also contained all certificates so I cannot post it here.
>     > The debug output is quite overwhelming.
>     > Could you give some pointers as to what I should be looking for?
>
>     You can narrow the output by adding the cli options --source
>     pki.server.healthcheck.clones.connectivity_and_data --check
>     ClonesConnectivyAndDataCheck
>
>     The error reported by the plugin is an internal error so you're looking
>     for back traces or other suppressed output.
>
>     rob
>
>     >
>     > Rob
>     >
>     >
>     > On Tue, 17 Jan 2023 at 15:55, Rob Crittenden <rcritten@redhat.com> wrote:
>     >
>     >     Rob Verduijn via FreeIPA-users wrote:
>     >     > I do have migration in mind, and I already have seen that doc.
>     >     >
>     >     > I double checked the roles, and the only two roles that are enabled are
>     >     > CA-server and DNS-server.
>     >     > They are present on both systems.
>     >     >
>     >     > However currently I'm 'just' adding an el9 replica and the old el8
>     >     > master can't seem to reach the ca according to the healthcheck.
>     >     >
>     >     > And I don't want to start migrating before the current situation has a
>     >     > good health status for all the replicas/masters.
>     >
>     >     Can you re-run it with --debug? Some older versions of healthcheck had a
>     >     bug in the debug switch where it got turned off while importing external
>     >     checks so if you don't get much, you've hit that.
>     >
>     >     rob
>     >
>     >     >
>     >     >
>     >     > On Tue, 17 Jan 2023 at 15:37, Francisco Triviño García
>     >     > <ftrivino@redhat.com> wrote:
>     >     >
>     >     >
>     >     >     On 1/17/23 09:33, Rob Verduijn via FreeIPA-users wrote:
>     >     >>     Hello all,
>     >     >>
>     >     >>     I wanted to migrate my old el8 freeipa server to el9.
>     >     >>
>     >     >>     So I installed a new system with el9 and configured a replica on it.
>     >     >>
>     >     >>     After this was completed I ran ipa-healthcheck on the new el9
>     >     >>     replica and all was well.
>     >     >>
>     >     >>     However after this I ran ipa-healthcheck on the old el8 ipa server
>     >     >>     and I got the following error.
>     >     >>     ipa-healthcheck
>     >     >>     Internal server error 'Link'
>     >     >>     [
>     >     >>      {
>     >     >>        "source": "pki.server.healthcheck.clones.connectivity_and_data",
>     >     >>        "check": "ClonesConnectivyAndDataCheck",
>     >     >>        "result": "ERROR",
>     >     >>        "uuid": "5aea196e-1693-4c14-93c5-649286c8ef7f",
>     >     >>        "when": "20230117082651Z",
>     >     >>        "duration": "0.402024",
>     >     >>        "kw": {
>     >     >>          "status": "ERROR:  pki-tomcat : Internal error testing CA clone. Host: freeipa01.tjako.thuis Port: 443"
>     >     >>        }
>     >     >>      }
>     >     >>     ]
>     >     >>
>     >     >>     I double checked the firewall and all ports were open on the el9
>     >     >>     server
>     >     >>     firewall-cmd --list-all
>     >     >>     public (active)
>     >     >>      target: default
>     >     >>      icmp-block-inversion: no
>     >     >>      interfaces: br0 enp1s0
>     >     >>      sources:  
>     >     >>      services: cockpit dhcpv6-client dns freeipa-ldap freeipa-ldaps http https ntp ssh
>     >     >>      ports:  
>     >     >>      protocols:  
>     >     >>      forward: yes
>     >     >>      masquerade: no
>     >     >>      forward-ports:  
>     >     >>      source-ports:  
>     >     >>      icmp-blocks:  
>     >     >>      rich rules:
>     >     >>
>     >     >>     On the el9 server ipa-healthcheck yields no errors and ipactl
>     >     >>     status shows everything is running.
>     >     >>
>     >     >>     Anybody know why the old el8 server fails the ipa-healthcheck?
>     >     >
>     >     >     Assuming that the new server (as a replica of the el8 server) was
>     >     >     installed including all the server roles present on el8, I guess
>     >     >     there are more steps to be completed, here you can find the full
>     >     >     migration guide:
>     >     >
>     >     >     https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/migrating_to_identity_management_on_rhel_9/assembly_migrating-your-idm-environment-from-rhel-8-servers-to-rhel-9-servers_migrating-to-idm-on-rhel-9
>     >     >
>     >     >     is freeipa01.tjako.thuis the new server?
>     >     >
>     >     >
>     >     >>
>     >     >>     Rob
>     >     >>
>     >     >>
>     >     >>     _______________________________________________
>     >     >>     FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>     >     >>     To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
>     >     >>     Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>     >     >>     List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>     >     >>     List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>     >     >>     Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>     >     >
>     >     >
>     >     >
>     >
>
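
The two practical problems in this thread (a stray error line printed before the JSON results, and debug output too full of certificates to post) can be handled with a small filter. This is an added example, not part of any message above or of ipa-healthcheck itself; the function names and all sample data are constructed for illustration.

```python
import json
import re

# Constructed sample modelled on the output quoted in the thread: a stray
# error line precedes the JSON array. The second entry is invented filler.
SAMPLE_OUTPUT = """Internal server error 'Link'
[
  {"source": "pki.server.healthcheck.clones.connectivity_and_data",
   "check": "ClonesConnectivyAndDataCheck",
   "result": "ERROR",
   "kw": {"status": "ERROR:  pki-tomcat : Internal error testing CA clone."}},
  {"source": "constructed.example.source", "check": "ExampleCheck",
   "result": "SUCCESS", "kw": {}}
]
"""

# Constructed debug excerpt: one PEM block and one bare base64 field.
FAKE_B64 = "QUJD" * 20
SAMPLE_DEBUG = (
    "DEBUG: request body follows\n"
    "-----BEGIN CERTIFICATE-----\n" + FAKE_B64 + "\n-----END CERTIFICATE-----\n"
    'DEBUG: response {"Encoded": "' + FAKE_B64 + '"}\n'
    "Traceback (most recent call last):\n"
)

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.DOTALL)
B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

def parse_results(output):
    """Split mixed output into (stray text lines, list of result dicts)."""
    decoder = json.JSONDecoder()
    for match in re.finditer(r"^\[", output, re.MULTILINE):
        try:
            results, _ = decoder.raw_decode(output, match.start())
        except json.JSONDecodeError:
            continue  # a line starting with "[" that is not the result array
        stray = [ln for ln in output[:match.start()].splitlines() if ln.strip()]
        return stray, results
    raise ValueError("no JSON result array found")

def failures(results, source=None, check=None):
    """Keep non-SUCCESS results, optionally limited to one source/check."""
    return [r for r in results if r.get("result") != "SUCCESS"
            and source in (None, r.get("source"))
            and check in (None, r.get("check"))]

def redact(text):
    """Replace PEM blocks and long base64 runs so debug output can be shared."""
    text = PEM_RE.sub(lambda m: "[" + m.group(1) + " redacted]", text)
    return B64_RE.sub("[base64 redacted]", text)
```

Tracebacks and other plain-text lines pass through `redact` unchanged, which is the part worth posting when the plugin reports an internal error.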