All three of my IPA servers have this health check failing:
[root@ipa3 ~]# ipa-healthcheck --source pki.server.healthcheck.clones.connectivity_and_data --check ClonesConnectivyAndDataCheck --output-type=human Internal server error 'Link' ERROR: pki.server.healthcheck.clones.connectivity_and_data.ClonesConnectivyAndDataCheck
[root@ipa5 ~]# ipa-healthcheck --source=pki.server.healthcheck.clones.connectivity_and_data --check=ClonesConnectivyAndDataCheck --output-type=human Internal server error 'Link' Unable to reach KRA at https://ipa5.ipa.robots.org.uk:443: Request timed out ERROR: pki.server.healthcheck.clones.connectivity_and_data.ClonesConnectivyAndDataCheck ERROR: pki.server.healthcheck.clones.connectivity_and_data.ClonesConnectivyAndDataCheck
[root@ipa6 ~]# ipa-healthcheck --source=pki.server.healthcheck.clones.connectivity_and_data --check=ClonesConnectivyAndDataCheck --output-type=human Unable to reach KRA at https://ipa6.ipa.robots.org.uk:443: Request timed out ERROR: pki.server.healthcheck.clones.connectivity_and_data.ClonesConnectivyAndDataCheck [root@ipa6 ~]# java.io.FileNotFoundException: /tmp/tmpc4h9ypzo/password.txt (No such file or directory) at java.base/java.io.FileInputStream.open0(Native Method) at java.base/java.io.FileInputStream.open(FileInputStream.java:216) at java.base/java.io.FileInputStream.<init>(FileInputStream.java:157) at java.base/java.io.FileInputStream.<init>(FileInputStream.java:111) at java.base/java.io.FileReader.<init>(FileReader.java:60) at com.netscape.cmstools.cli.MainCLI.loadPassword(MainCLI.java:241) at com.netscape.cmstools.cli.MainCLI.parseOptions(MainCLI.java:416) at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:647) at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:698)
The problem is the timeout mechanism implemented in ipahealthcheck.core.core:run_plugin; it turns out that 10 seconds is not sufficient in my case.
Plugin <pki.server.healthcheck.clones.connectivity_and_data.ClonesConnectivyAndDataCheck object at 0x7fe02c4992b0> elapsed time: 0:00:16.857277 sec
I've bumped the timeout to 30 seconds in /etc/ipahealthcheck/ipahealthcheck.conf and all is well.
I wonder if others are running into this problem as well? If so it may be worth making this change by default in ipa-healtcheck. Or maybe my IPA servers are slower than everyone else's... :)