Rob Verduijn wrote:
> Hello,
>
> I ran healthcheck with the debug option. There was a huge amount of
> output which stopped after the health error I mentioned before.
>
> Sadly the amount also contained all certificates so I cannot post it here.
> The debug output is quite overwhelming.
> Could you give some pointers as to what I should be looking for?

You can narrow the output by adding the CLI options --source
pki.server.healthcheck.clones.connectivity_and_data --check
ClonesConnectivyAndDataCheck

The error reported by the plugin is an internal error so you're looking
for back traces or other suppressed output.

rob

>
> Rob
>
>
> On Tue, 17 Jan 2023 at 15:55, Rob Crittenden <rcritten@redhat.com> wrote:
>
> Rob Verduijn via FreeIPA-users wrote:
> > I do have migration in mind, and I already have seen that doc.
> >
> > I double checked the roles, and the only two roles that are enabled are
> > CA-server and DNS-server.
> > They are present on both systems.
> >
> > However currently I'm 'just' adding an el9 replica and the old el8
> > master can't seem to reach the ca according to the healthcheck.
> >
> > And I don't want to start migrating before the current situation has a
> > good health status for all the replicas/masters.
>
> Can you re-run it with --debug? Some older versions of healthcheck had a
> bug in the debug switch where it got turned off while importing external
> checks so if you don't get much, you've hit that.
>
> rob
>
> >
> >
> > On Tue, 17 Jan 2023 at 15:37, Francisco Triviño García
> > <ftrivino@redhat.com> wrote:
> >
> >
> > On 1/17/23 09:33, Rob Verduijn via FreeIPA-users wrote:
> >> Hello all,
> >>
> >> I wanted to migrate my old el8 freeipa server to el9.
> >>
> >> So I installed a new system with el9 and configured a replica on it.
> >>
> >> After this was completed I ran ipa-healthcheck on the new el9
> >> replica and all was well.
> >>
> >> However after this I ran ipa-healthcheck on the old el8 ipa server
> >> and I got the following error.
> >> ipa-healthcheck
> >> Internal server error 'Link'
> >> [
> >>   {
> >>     "source": "pki.server.healthcheck.clones.connectivity_and_data",
> >>     "check": "ClonesConnectivyAndDataCheck",
> >>     "result": "ERROR",
> >>     "uuid": "5aea196e-1693-4c14-93c5-649286c8ef7f",
> >>     "when": "20230117082651Z",
> >>     "duration": "0.402024",
> >>     "kw": {
> >>       "status": "ERROR: pki-tomcat : Internal error testing CA clone. Host: freeipa01.tjako.thuis Port: 443"
> >>     }
> >>   }
> >> ]
> >>
> >> I double checked the firewall and all ports were open on the el9
> >> server
> >> firewall-cmd --list-all
> >> public (active)
> >> target: default
> >> icmp-block-inversion: no
> >> interfaces: br0 enp1s0
> >> sources:
> >> services: cockpit dhcpv6-client dns freeipa-ldap freeipa-ldaps
> >> http https ntp ssh
> >> ports:
> >> protocols:
> >> forward: yes
> >> masquerade: no
> >> forward-ports:
> >> source-ports:
> >> icmp-blocks:
> >> rich rules:
> >>
> >> On the el9 server ipa-healthcheck yields no errors and ipactl
> >> status shows everything is
> >> running.
> >>
> >> Anybody know why the old el8 server fails the ipa-healthcheck ?
> >
> > Assuming that the new server (as a replica of the el8 server) was
> > installed including all the server roles present on el8, I guess
> > there are more steps to be completed, here you can find the full
> > migration guide:
> >
> >
> > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/migrating_to_identity_management_on_rhel_9/assembly_migrating-your-idm-environment-from-rhel-8-servers-to-rhel-9-servers_migrating-to-idm-on-rhel-9
> >
> > is freeipa01.tjako.thuis the new server?
> >
> >
> >>
> >> Rob
> >>
> >>
> >> _______________________________________________
> >> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> >> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> >> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> >> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
> >
> >
> >
>
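
Added example, not part of the thread and not ipa-healthcheck code: a filter for saved `--debug` output that redacts certificate material and keeps only the back traces the reply says to look for. It assumes certificates appear as PEM blocks or long single-line base64 and that back traces use the standard Python format; `SAMPLE` is constructed and the function names are hypothetical.

```python
import re
import sys

# PEM-armoured objects (certificates, keys, CSRs).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.DOTALL)
# Long unbroken base64 runs, e.g. a DER certificate dumped on one line.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
TRACEBACK_START = "Traceback (most recent call last):"

def redact(text):
    """Replace PEM blocks and long base64 runs with placeholders."""
    text = PEM_BLOCK.sub(lambda m: "[REDACTED %s]" % m.group(1), text)
    return B64_RUN.sub("[REDACTED BASE64]", text)

def extract_tracebacks(text):
    """Return each Python traceback found in text as one string."""
    found, current = [], None
    for line in text.splitlines():
        if TRACEBACK_START in line:
            current = [line[line.index(TRACEBACK_START):]]
        elif current is not None:
            current.append(line)
            # Frames are indented; the first unindented line is the
            # exception message and closes the traceback.
            if line and not line[0].isspace():
                found.append("\n".join(current))
                current = None
    if current:  # output ended in the middle of a traceback
        found.append("\n".join(current))
    return found

# Constructed sample; it does not reproduce real ipa-healthcheck output.
SAMPLE = (
    "DEBUG loading check\n"
    "DEBUG cert: -----BEGIN CERTIFICATE-----\n"
    "TUlJQ29uc3RydWN0ZWRTYW1wbGU=\n"
    "-----END CERTIFICATE-----\n"
    "DEBUG usercertificate: " + "QUJD" * 20 + "\n"
    "Traceback (most recent call last):\n"
    '  File "example_plugin.py", line 10, in check\n'
    '    raise ValueError("constructed example")\n'
    "ValueError: constructed example\n"
    "DEBUG next check\n"
)

if __name__ == "__main__":
    # Pipe saved debug output on stdin; with no piped input the sample is used.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for tb in extract_tracebacks(redact(data)):
        print(tb, end="\n\n")
```

Review the redacted result before posting it, since host names and other site-specific values are left untouched.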