hi all,
our ipa-healthcheck gives some seemingly odd output:
Internal server error HTTPSConnectionPool(host='oldm2.domain', port=443): Max retries exceeded with url: /ca/rest/certs/search?size=3 (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f32581cb748>: Failed to establish a new connection: [Errno -2] Name or service not known',))
[
  {
    "source": "pki.server.healthcheck.clones.connectivity_and_data",
    "check": "ClonesConnectivyAndDataCheck",
    "result": "ERROR",
    "uuid": "c7694559-157f-42da-9722-29ab4308d8bc",
    "when": "20210601115956Z",
    "duration": "0.424097",
    "kw": {
      "status": "ERROR: pki-tomcat : Internal error testing CA clone. Host: oldm2.domain Port: 443"
    }
  },
googling the error itself, i find references to this being a false positive; but looking closer (and also the initial server error) gives an actual error: they reference an old master (it's obviously not called oldm2, so i had to read it a few times to see it was actually this old host).
a while ago we migrated our centos7 setup (oldm1 and oldm2) to rhel82 (newm3 and newm4), by following the migration guide https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
i'm quite sure we followed all steps, including the final uninstall on oldm1 and oldm2.
however, after starting to run ipa-healthcheck recently and seeing this error, we looked for other traces of the old servers and started to clean them up. the old hosts are no longer around, so no chance to rerun things or check logs.
so far we removed a bunch of DNS entries where the oldm1 was still used, but we now also have some other ones that reference oldm2: e.g. the pki related error above, but also oldm2 is still referenced in some entries in our dirserv dse.ldif (2 nsslapd-referral, 3 nsds50ruv and 3 nsruvReplicaLastModified). the traces are only of oldm2, no sign of oldm1 there.
i'd appreciate some tips/guidance for removing the pki reference to oldm2 and things we can do to clean up the dse.ldif
many many thanks,
stijn
hi all,
some more info: i just saw a similar error on another thread "healthcheck complains about a removed replica"
i ran "pki securitydomain-host-find" and got
  Host ID: CA oldm1.domain 443
  Hostname: oldm1.domain
  Port: 80
  Secure Port: 443
  Domain Manager: TRUE
  Clone: FALSE

  Host ID: CA oldm2.domain 443
  Hostname: oldm2.domain
  Port: 80
  Secure Port: 443
  Domain Manager: TRUE
  Clone: TRUE

  Host ID: CA newm4.domain 443
  Hostname: newm4.domain
  Port: 80
  Secure Port: 443
  Domain Manager: TRUE
  Clone: TRUE

  Host ID: CA newm3.domain 443
  Hostname: newm3.domain
  Port: 80
  Secure Port: 443
  Domain Manager: TRUE
  Clone: TRUE
stijn
On 6/1/21 2:28 PM, Stijn De Weirdt via FreeIPA-users wrote:
hi all,
our ipa-healthcheck gives some seemingly odd output:
Internal server error HTTPSConnectionPool(host='oldm2.domain', port=443): Max retries exceeded with url: /ca/rest/certs/search?size=3 (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f32581cb748>: Failed to establish a new connection: [Errno -2] Name or service not known',))
[
  {
    "source": "pki.server.healthcheck.clones.connectivity_and_data",
    "check": "ClonesConnectivyAndDataCheck",
    "result": "ERROR",
    "uuid": "c7694559-157f-42da-9722-29ab4308d8bc",
    "when": "20210601115956Z",
    "duration": "0.424097",
    "kw": {
      "status": "ERROR: pki-tomcat : Internal error testing CA clone. Host: oldm2.domain Port: 443"
    }
  },
googling the error itself, i find references to this being a false positive; but looking closer (and also the initial server error) gives an actual error: they reference an old master (it's obviously not called oldm2, so i had to read it a few times to see it was actually this old host).
a while ago we migrated our centos7 setup (oldm1 and oldm2) to rhel82 (newm3 and newm4), by following the migration guide https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
i'm quite sure we followed all steps, including the final uninstall on oldm1 and oldm2.
however, after starting to run ipa-healthcheck recently and seeing this error, we looked for other traces of the old servers and started to clean them up. the old hosts are no longer around, so no chance to rerun things or check logs.
so far we removed a bunch of DNS entries where the oldm1 was still used, but we now also have some other ones that reference oldm2: e.g. the pki related error above, but also oldm2 is still referenced in some entries in our dirserv dse.ldif (2 nsslapd-referral, 3 nsds50ruv and 3 nsruvReplicaLastModified). the traces are only of oldm2, no sign of oldm1 there.
i'd appreciate some tips/guidance for removing the pki reference to oldm2 and things we can do to clean up the dse.ldif
many many thanks,
stijn
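Added example, not part of the original messages and not FreeIPA or Dogtag code: a small cross-check of the two outputs quoted in this thread, listing security-domain entries whose host is not a current master and marking the ones the clone health check failed on. The sample inputs are constructed from the quoted output, and `LIVE_MASTERS` and all function names are assumptions made for illustration.

```python
import json
import re

# Constructed samples modelled on the output quoted in the thread.
HOST_FIND = """\
Host ID: CA oldm1.domain 443 Hostname: oldm1.domain Port: 80 Secure Port: 443 Domain Manager: TRUE Clone: FALSE
Host ID: CA oldm2.domain 443 Hostname: oldm2.domain Port: 80 Secure Port: 443 Domain Manager: TRUE Clone: TRUE
Host ID: CA newm4.domain 443 Hostname: newm4.domain Port: 80 Secure Port: 443 Domain Manager: TRUE Clone: TRUE
Host ID: CA newm3.domain 443 Hostname: newm3.domain Port: 80 Secure Port: 443 Domain Manager: TRUE Clone: TRUE
"""
HEALTHCHECK = json.dumps([{
    "source": "pki.server.healthcheck.clones.connectivity_and_data",
    "result": "ERROR",
    "kw": {"status": "ERROR: pki-tomcat : Internal error testing CA clone. "
                     "Host: oldm2.domain Port: 443"},
}])
# Assumption: the servers that are supposed to exist after the migration.
LIVE_MASTERS = {"newm3.domain", "newm4.domain"}

# Whitespace between fields may be spaces or newlines, so both layouts parse.
HOST_RE = re.compile(r"Host ID:\s*(?P<id>\S+ \S+ \d+)\s+Hostname:\s*(?P<host>\S+)")
STATUS_RE = re.compile(r"Host:\s*(\S+)\s+Port:\s*(\d+)")

def security_domain_hosts(text):
    """Map hostname -> Host ID for every entry in the host-find listing."""
    return {m["host"].lower(): m["id"] for m in HOST_RE.finditer(text)}

def failing_clone_hosts(report_json):
    """Hostnames named in ERROR results of the pki clone health checks."""
    hosts = set()
    for item in json.loads(report_json):
        if item.get("result") == "ERROR" and item.get("source", "").startswith(
                "pki.server.healthcheck.clones"):
            m = STATUS_RE.search(item.get("kw", {}).get("status", ""))
            if m:
                hosts.add(m.group(1).lower())
    return hosts

def stale_entries(host_find_text, report_json, live):
    """Security-domain entries for hosts outside `live`, flagged if healthcheck hit them."""
    failing = failing_clone_hosts(report_json)
    return {host: {"host_id": hid, "healthcheck_error": host in failing}
            for host, hid in security_domain_hosts(host_find_text).items()
            if host not in live}

if __name__ == "__main__":
    for host, info in sorted(stale_entries(HOST_FIND, HEALTHCHECK, LIVE_MASTERS).items()):
        print(host, info)
```

On the sample data both old masters are reported as leftover security-domain entries, while only oldm2 is also named in a health check error, which matches what the thread describes.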