Hi,
The pki/httpd logs on the el9 are almost empty during the healthcheck on
the el8 system.
The pki/httpd logs on the el8 server complain quite a bit during the health
check on the el8 system.
I've attached them (just the tail from the logs during the ipa-healthcheck
running on the el8 system)
Rob
On Wed, 18 Jan 2023 at 17:39, Rob Crittenden <rcritten(a)redhat.com> wrote:
It is trying to read three certs from the CA just to validate that
things are working. Some exception is being thrown during the POST. The
pki and/or httpd logs might contain more info.
rob
Rob Verduijn wrote:
> Hi,
>
> I don't see anything strange in the output but that's probably my ignorance.
> With your extended command the output is now free of certs so I'm
> attaching it.
>
> Rob
>
>
> On Wed, 18 Jan 2023 at 15:22, Rob Crittenden <rcritten(a)redhat.com> wrote:
>
> Rob Verduijn wrote:
> > Hello,
> >
> > I ran healthcheck with the debug option. There was a huge amount of
> > output which stopped after the health error I mentioned before.
> >
> > Sadly the amount also contained all certificates so I cannot post it here.
> > The debug output is quite overwhelming.
> > Could you give some pointers as to what I should be looking for?
>
> You can narrow the output by adding the cli options --source
> pki.server.healthcheck.clones.connectivity_and_data --check
> ClonesConnectivyAndDataCheck
>
> The error reported by the plugin is an internal error so you're looking
> for back traces or other suppressed output.
>
> rob
>
> >
> > Rob
> >
> >
> > On Tue, 17 Jan 2023 at 15:55, Rob Crittenden <rcritten(a)redhat.com> wrote:
> >
> > Rob Verduijn via FreeIPA-users wrote:
> > > I do have migration in mind, and I already have seen that doc.
> > >
> > > I double checked the roles, and the only two roles that are enabled are
> > > CA-server and DNS-server.
> > > They are present on both systems.
> > >
> > > However currently I'm 'just' adding an el9 replica and the old el8
> > > master can't seem to reach the ca according to the healthcheck.
> > >
> > > And I don't want to start migrating before the current situation has a
> > > good health status for all the replicas/masters.
> >
> > Can you re-run it with --debug? Some older versions of healthcheck had a
> > bug in the debug switch where it got turned off while importing external
> > checks so if you don't get much, you've hit that.
> >
> > rob
> >
> > >
> > >
> > > On Tue, 17 Jan 2023 at 15:37, Francisco Triviño García <ftrivino(a)redhat.com> wrote:
> > >
> > >
> > > On 1/17/23 09:33, Rob Verduijn via FreeIPA-users wrote:
> > >> Hello all,
> > >>
> > >> I wanted to migrate my old el8 freeipa server to el9.
> > >>
> > >> So I installed a new system with el9 and configured a replica on it.
> > >>
> > >> After this was completed I ran ipa-healthcheck on the new el9
> > >> replica and all was well.
> > >>
> > >> However after this I ran ipa-healthcheck on the old el8 ipa server
> > >> and I got the following error.
> > >> ipa-healthcheck
> > >> Internal server error 'Link'
> > >> [
> > >>   {
> > >>     "source": "pki.server.healthcheck.clones.connectivity_and_data",
> > >>     "check": "ClonesConnectivyAndDataCheck",
> > >>     "result": "ERROR",
> > >>     "uuid": "5aea196e-1693-4c14-93c5-649286c8ef7f",
> > >>     "when": "20230117082651Z",
> > >>     "duration": "0.402024",
> > >>     "kw": {
> > >>       "status": "ERROR: pki-tomcat : Internal error testing CA clone. Host: freeipa01.tjako.thuis Port: 443"
> > >>     }
> > >>   }
> > >> ]
> > >>
> > >> I double checked the firewall and all ports were open on the el9 server
> > >> firewall-cmd --list-all
> > >> public (active)
> > >> target: default
> > >> icmp-block-inversion: no
> > >> interfaces: br0 enp1s0
> > >> sources:
> > >> services: cockpit dhcpv6-client dns freeipa-ldap freeipa-ldaps http https ntp ssh
> > >> ports:
> > >> protocols:
> > >> forward: yes
> > >> masquerade: no
> > >> forward-ports:
> > >> source-ports:
> > >> icmp-blocks:
> > >> rich rules:
> > >>
> > >> On the el9 server ipa-healthcheck yields no errors and ipactl
> > >> status shows everything is running.
> > >>
> > >> Anybody know why the old el8 server fails the ipa-healthcheck?
> > >
> > > Assuming that the new server (as a replica of the el8 server) was
> > > installed including all the server roles present on el8, I guess
> > > there are more steps to be completed, here you can find the full
> > > migration guide:
> > >
> > > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/...
> > >
> > > is freeipa01.tjako.thuis the new server?
> > >
> > >
> > >>
> > >> Rob
> > >>
> > >>
> > >> _______________________________________________
> > >> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > >> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> > >> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > >> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> > >> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue