It is trying to read three certs from the CA just to validate that
things are working. Some exception is being thrown during the POST. The
pki and/or httpd logs might contain more info.
rob
Rob Verduijn wrote:
Hi,
I don't see anything strange in the output but that's probably my ignorance.
With your extended command the output is now free of certs so I'm
attaching it.
Rob
On Wed, 18 Jan 2023 at 15:22, Rob Crittenden <rcritten(a)redhat.com> wrote:
Rob Verduijn wrote:
> Hello,
>
> I ran healthcheck with the debug option. There was a huge amount of
> output which stopped after the health error I mentioned before.
>
> Sadly the amount also contained all certificates so I cannot post
> it here.
> The debug output is quite overwhelming.
> Could you give some pointers as to what I should be looking for?
You can narrow the output by adding the cli options --source
pki.server.healthcheck.clones.connectivity_and_data --check
ClonesConnectivyAndDataCheck
The error reported by the plugin is an internal error so you're looking
for back traces or other suppressed output.
rob
>
> Rob
>
>
> On Tue, 17 Jan 2023 at 15:55, Rob Crittenden <rcritten(a)redhat.com> wrote:
>
> Rob Verduijn via FreeIPA-users wrote:
> > I do have migration in mind, and I already have seen that doc.
> >
> > I double checked the roles, and the only two roles that are enabled are
> > CA-server and DNS-server.
> > They are present on both systems.
> >
> > However currently I'm 'just' adding an el9 replica and the old el8
> > master can't seem to reach the ca according to the healthcheck.
> >
> > And I don't want to start migrating before the current situation has a
> > good health status for all the replicas/masters.
>
> Can you re-run it with --debug? Some older versions of healthcheck had a
> bug in the debug switch where it got turned off while importing external
> checks so if you don't get much, you've hit that.
>
> rob
>
> >
> >
> > On Tue, 17 Jan 2023 at 15:37, Francisco Triviño García <ftrivino(a)redhat.com> wrote:
> >
> >
> > On 1/17/23 09:33, Rob Verduijn via FreeIPA-users wrote:
> >> Hello all,
> >>
> >> I wanted to migrate my old el8 freeipa server to el9.
> >>
> >> So I installed a new system with el9 and configured a replica on it.
> >>
> >> After this was completed I ran ipa-healthcheck on the new el9
> >> replica and all was well.
> >>
> >> However after this I ran ipa-healthcheck on the old el8 ipa server
> >> and I got the following error.
> >> ipa-healthcheck
> >> Internal server error 'Link'
> >> [
> >>   {
> >>     "source": "pki.server.healthcheck.clones.connectivity_and_data",
> >>     "check": "ClonesConnectivyAndDataCheck",
> >>     "result": "ERROR",
> >>     "uuid": "5aea196e-1693-4c14-93c5-649286c8ef7f",
> >>     "when": "20230117082651Z",
> >>     "duration": "0.402024",
> >>     "kw": {
> >>       "status": "ERROR: pki-tomcat : Internal error testing CA clone. Host: freeipa01.tjako.thuis Port: 443"
> >>     }
> >>   }
> >> ]
> >>
> >> I double checked the firewall and all ports were open on the el9
> >> server
> >> firewall-cmd --list-all
> >> public (active)
> >> target: default
> >> icmp-block-inversion: no
> >> interfaces: br0 enp1s0
> >> sources:
> >> services: cockpit dhcpv6-client dns freeipa-ldap freeipa-ldaps http https ntp ssh
> >> ports:
> >> protocols:
> >> forward: yes
> >> masquerade: no
> >> forward-ports:
> >> source-ports:
> >> icmp-blocks:
> >> rich rules:
> >>
> >> On the el9 server ipa-healthcheck yields no errors and ipactl
> >> status shows everything is running.
> >>
> >> Anybody know why the old el8 server fails the ipa-healthcheck?
> >
> > Assuming that the new server (as a replica of the el8 server) was
> > installed including all the server roles present on el8, I guess
> > there are more steps to be completed, here you can find the full
> > migration guide:
> >
> > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/migrating_to_identity_management_on_rhel_9/assembly_migrating-your-idm-environment-from-rhel-8-servers-to-rhel-9-servers_migrating-to-idm-on-rhel-9
> >
> > is freeipa01.tjako.thuis the new server?
> >
> >
> >>
> >> Rob
> >>
> >>
> >> _______________________________________________
> >> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> >> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> >> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> >> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
> >
> >
>
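
An added example, not part of the original thread or of the ipa-healthcheck project: a small Python triage helper for the output quoted in the first message. It skips the non-JSON line printed before the result list, and for each non-SUCCESS result builds the narrowed `--debug --source ... --check ...` command suggested in the reply and pulls the clone host and port out of `kw.status`; the function names and the `Host: ... Port: ...` pattern are assumptions based on the single result shown in this thread.

```python
import json
import re
import shlex

# Constructed sample: the output reported in this thread, including the
# non-JSON line that precedes the result list.
SAMPLE = """Internal server error 'Link'
[
  {
    "source": "pki.server.healthcheck.clones.connectivity_and_data",
    "check": "ClonesConnectivyAndDataCheck",
    "result": "ERROR",
    "kw": {"status": "ERROR: pki-tomcat : Internal error testing CA clone. Host: freeipa01.tjako.thuis Port: 443"}
  }
]
"""

# Assumed message layout, taken from the one status string in the thread.
HOST_PORT = re.compile(r"Host:\s*(\S+)\s+Port:\s*(\d+)")

def parse_results(text):
    """Return the JSON result list, skipping stray text printed before it."""
    decoder = json.JSONDecoder()
    pos = text.find("[")
    while pos != -1:
        try:
            results, _ = decoder.raw_decode(text, pos)
            if all(isinstance(r, dict) for r in results):
                return results
        except json.JSONDecodeError:
            pass
        pos = text.find("[", pos + 1)
    raise ValueError("no healthcheck result list found")

def triage(text):
    """For each non-SUCCESS result, give the narrowed re-run command and target."""
    findings = []
    for r in parse_results(text):
        if r.get("result") == "SUCCESS":
            continue
        m = HOST_PORT.search(r.get("kw", {}).get("status", ""))
        cmd = ["ipa-healthcheck", "--debug",
               "--source", r["source"], "--check", r["check"]]
        findings.append({"rerun": shlex.join(cmd),
                         "host": m.group(1) if m else None,
                         "port": int(m.group(2)) if m else None})
    return findings
```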