Hi,

I don't see anything strange in the output but that's probably my ignorance.
With your extended command the output is now free of certs so I'm attaching it.

Rob


On Wed, 18 Jan 2023 at 15:22, Rob Crittenden <rcritten@redhat.com> wrote:
Rob Verduijn wrote:
> Hello,
>
> I ran healthcheck with the debug option. There was a huge amount of
> output which stopped after the health error I mentioned before.
>
> Sadly the amount also contained all certificates so I cannot post it here.
> The debug output is quite overwhelming.
> Could you give some pointers as to what I should be looking for?

You can narrow the output by adding the cli options --source
pki.server.healthcheck.clones.connectivity_and_data --check
ClonesConnectivyAndDataCheck

The error reported by the plugin is an internal error so you're looking
for back traces or other suppressed output.

rob

>
> Rob
>
>
> On Tue, 17 Jan 2023 at 15:55, Rob Crittenden <rcritten@redhat.com> wrote:
>
>     Rob Verduijn via FreeIPA-users wrote:
>     > I do have migration in mind, and I already have seen that doc.
>     >
>     > I double checked the roles, and the only two roles that are enabled are
>     > CA-server and DNS-server.
>     > They are present on both systems.
>     >
>     > However currently I'm 'just' adding an el9 replica and the old el8
>     > master can't seem to reach the ca according to the healthcheck.
>     >
>     > And I don't want to start migrating before the current situation has a
>     > good health status for all the replicas/masters.
>
>     Can you re-run it with --debug? Some older versions of healthcheck had a
>     bug in the debug switch where it got turned off while importing external
>     checks so if you don't get much, you've hit that.
>
>     rob
>
>     >
>     >
>     > On Tue, 17 Jan 2023 at 15:37, Francisco Triviño García <ftrivino@redhat.com> wrote:
>     >
>     >
>     >     On 1/17/23 09:33, Rob Verduijn via FreeIPA-users wrote:
>     >>     Hello all,
>     >>
>     >>     I wanted to migrate my old el8 freeipa server to el9.
>     >>
>     >>     So I installed a new system with el9 and configured a replica on it.
>     >>
>     >>     After this was completed I ran ipa-healthcheck on the new el9
>     >>     replica and all was well.
>     >>
>     >>     However after this I ran ipa-healthcheck on the old el8 ipa server
>     >>     and I got the following error.
>     >>     ipa-healthcheck
>     >>     Internal server error 'Link'
>     >>     [
>     >>      {
>     >>        "source": "pki.server.healthcheck.clones.connectivity_and_data",
>     >>        "check": "ClonesConnectivyAndDataCheck",
>     >>        "result": "ERROR",
>     >>        "uuid": "5aea196e-1693-4c14-93c5-649286c8ef7f",
>     >>        "when": "20230117082651Z",
>     >>        "duration": "0.402024",
>     >>        "kw": {
>     >>          "status": "ERROR:  pki-tomcat : Internal error testing CA clone. Host: freeipa01.tjako.thuis Port: 443"
>     >>        }
>     >>      }
>     >>     ]
>     >>
>     >>     I double checked the firewall and all ports were open on the el9
>     >>     server
>     >>     firewall-cmd --list-all
>     >>     public (active)
>     >>      target: default
>     >>      icmp-block-inversion: no
>     >>      interfaces: br0 enp1s0
>     >>      sources:  
>     >>      services: cockpit dhcpv6-client dns freeipa-ldap freeipa-ldaps http https ntp ssh
>     >>      ports:  
>     >>      protocols:  
>     >>      forward: yes
>     >>      masquerade: no
>     >>      forward-ports:  
>     >>      source-ports:  
>     >>      icmp-blocks:  
>     >>      rich rules:
>     >>
>     >>     On the el9 server ipa-healthcheck yields no errors and ipactl
>     >>     status shows everything is
>     >>     running.
>     >>
>     >>     Anybody know why the old el8 server fails the ipa-healthcheck ?
>     >
>     >     Assuming that the new server (as a replica of the el8 server) was
>     >     installed including all the server roles present on el8, I guess
>     >     there are more steps to be completed, here you can find the full
>     >     migration guide:
>     >
>     >     https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/migrating_to_identity_management_on_rhel_9/assembly_migrating-your-idm-environment-from-rhel-8-servers-to-rhel-9-servers_migrating-to-idm-on-rhel-9
>     >
>     >     is freeipa01.tjako.thuis the new server?
>     >
>     >
>     >>
>     >>     Rob
>     >>
>     >>
>     >>     _______________________________________________
>     >>     FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>     >>     To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
>     >>     Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>     >>     List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>     >>     List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>     >>     Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>     >
>     >
>     >
>
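
Added example, not part of the thread or of the ipa-healthcheck project: a small Python triage helper for output like the one quoted above, where a non-JSON line precedes the result array. It lists each non-SUCCESS result with the `--source`/`--check` options that re-run only that check, and pulls the host and port out of the status text; the function names and the status-message pattern are assumptions based on the single message shown in this thread.

```python
import json
import re

# Constructed sample, abridged from the output quoted in this thread; it keeps
# the non-JSON line that ipa-healthcheck printed before the result array.
SAMPLE = """Internal server error 'Link'
[
 {"source": "pki.server.healthcheck.clones.connectivity_and_data",
  "check": "ClonesConnectivyAndDataCheck", "result": "ERROR",
  "kw": {"status": "ERROR:  pki-tomcat : Internal error testing CA clone. Host: freeipa01.tjako.thuis Port: 443"}}
]
"""

HOST_PORT = re.compile(r"Host:\s*(\S+)\s+Port:\s*(\d+)")  # assumed message shape

def load_results(text):
    """Return (preamble_lines, results), tolerating text before the JSON array."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.lstrip().startswith("["):
            try:
                return lines[:i], json.loads("\n".join(lines[i:]))
            except json.JSONDecodeError:
                continue  # a '[' line that did not start the array; keep looking
    raise ValueError("no JSON result array found")

def failures(results):
    """Summarise every non-SUCCESS result with options that re-run only it."""
    out = []
    for r in results:
        if r.get("result") == "SUCCESS":
            continue
        m = HOST_PORT.search(r.get("kw", {}).get("status", ""))
        out.append({
            "result": r.get("result"),
            "rerun": f"--debug --source {r.get('source')} --check {r.get('check')}",
            "host": m.group(1) if m else None,
            "port": int(m.group(2)) if m else None,
        })
    return out

if __name__ == "__main__":
    preamble, results = load_results(SAMPLE)
    print("non-JSON lines before the results:", preamble)
    for item in failures(results):
        print(item)
```
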