lejeczek via FreeIPA-users wrote:

Hi guys.

I believe that is reproducible every time - clean deployment, first master's ipa-healthcheck no problems, replica added still no problems, then on that first replica 'ipa-kra-install' and immediately:

-> $ ipa-healthcheck Internal error testing KRA clone. KRA clone problem detected Host: swir.mine.private Port: 443 Unhandler rdtype 256 Unhandler rdtype 256 Unhandler rdtype 256 Unhandler rdtype 256 Unhandler rdtype 256 Unhandler rdtype 256 Unhandler rdtype 256 Unhandler rdtype 256 [   {     "source": "pki.server.healthcheck.clones.connectivity_and_data",     "check": "ClonesConnectivyAndDataCheck",     "result": "ERROR",     "uuid": "eed4f41f-27fe-4f37-aa01-d47602f2c58f",     "when": "20220126174106Z",     "duration": "1.207738",     "kw": {       "status": "ERROR:  pki-tomcat : Internal error testing KRA clone. Host: swir.mine.private Port: 443"     }   } ]

How critical is that and what to do to fix it?

I believe this is a false positive. The pki healthcheck maintainer is working on it.

The "Unhandler" errors are the newish DNS URI records that are currently unhandled by healthcheck. Support has been added in the tip but I have a few more things to merge before doing another full release (which of course will take a while to trickle down, if ever, into existing distribution releases).

rob