Hello all, I wanted to migrate my old el8 freeipa server to el9. So I installed a new system with el9 and configured a replica on it. After this was completed I ran ipa-healthcheck on the new el9 replica and all was well. However after this I ran ipa-healthcheck on the old el8 ipa server and I got the following error. ipa-healthcheck Internal server error 'Link' [  {    "source": "pki.server.healthcheck.clones.connectivity_and_data",    "check": "ClonesConnectivyAndDataCheck",    "result": "ERROR",    "uuid": "5aea196e-1693-4c14-93c5-649286c8ef7f",    "when": "20230117082651Z",    "duration": "0.402024",    "kw": {      "status": "ERROR:  pki-tomcat : Internal error testing CA clone. Host: freeipa01.tjako.thuis Port: 443"    }  } ] I double checked the firewall and all ports were open on the el9 server firewall-cmd --list-all public (active)  target: default  icmp-block-inversion: no  interfaces: br0 enp1s0  sources:  services: cockpit dhcpv6-client dns freeipa-ldap freeipa-ldaps http https ntp ssh  ports:  protocols:  forward: yes  masquerade: no  forward-ports:  source-ports:  icmp-blocks:  rich rules: On the el9 server ipa-healthcheck yields no errors and ipactl status shows everything is running. Anybody know why the old el8 server fails the ipa-healthcheck ?

Rob _______________________________________________ FreeIPA-users mailing list --freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email tofreeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct:https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines:https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives:https://lists.fedorahosted.org/archives/list/freeipa-users@lists... Do not reply to spam, report it:https://pagure.io/fedora-infrastructure/new_issue

I do have migration in mind, and I already have seen that doc. I double checked the roles, and the only two roles that are enabled are CA-server and DNS-server. They are present on both systems. However currently I'm 'just' adding an el9 replica and the old el8 master can't seem to reach the ca accourding to the healthcheck. And I don't want to start migrating before the current situation has a good alth status for all the replicas/masters.

Op di 17 jan. 2023 om 15:37 schreef Francisco Triviño García <ftrivino(a)redhat.com <mailto:ftrivino@redhat.com>>: On 1/17/23 09:33, Rob Verduijn via FreeIPA-users wrote: > Hello all, > > I wanted to migrate my old el8 freeipa server to el9. > > So I installed a new system with el9 and configured a replica on it. > > After this was completed I ran ipa-healthcheck on the new el9 > replica and all was well. > > However after this I ran ipa-healthcheck on the old el8 ipa server > and I got the following error. > ipa-healthcheck   > Internal server error 'Link' > [ >  { >    "source": "pki.server.healthcheck.clones.connectivity_and_data", >    "check": "ClonesConnectivyAndDataCheck", >    "result": "ERROR", >    "uuid": "5aea196e-1693-4c14-93c5-649286c8ef7f", >    "when": "20230117082651Z", >    "duration": "0.402024", >    "kw": { >      "status": "ERROR:  pki-tomcat : Internal error testing CA > clone. Host: freeipa01.tjako.thuis Port: 443" >    } >  } > ] > > I double checked the firewall and all ports were open on the el9 > server > firewall-cmd --list-all > public (active) >  target: default >  icmp-block-inversion: no >  interfaces: br0 enp1s0 >  sources:   >  services: cockpit dhcpv6-client dns freeipa-ldap freeipa-ldaps > http https ntp ssh >  ports:   >  protocols:   >  forward: yes >  masquerade: no >  forward-ports:   >  source-ports:   >  icmp-blocks:   >  rich rules: > > On the el9 server ipa-healthcheck yields no errors and ipactl > status shows everything is > running. > > Anybody know why the old el8 server fails the ipa-healthcheck ? Assuming that the new server (as a replica of the el8 server) was installed including all the server roles present on el8, I guess there are more steps to be completed, here you can find the full migration guide: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/... is freeipa01.tjako.thuis the new server? > > Rob > > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

Hello, I ran healthcheck with the debug option.There was a huge amount of output which stopped after the healtherror I mentioned before. Sadly the amount also contained all certificates so I cannot post it here. The debug output is quite overwhelming. Could you give some pointers at to what I should be looking for ?

Rob Op di 17 jan. 2023 om 15:55 schreef Rob Crittenden <rcritten(a)redhat.com <mailto:rcritten@redhat.com>>: Rob Verduijn via FreeIPA-users wrote: > I do have migration in mind, and I already have seen that doc. > > I double checked the roles, and the only two roles that are enabled are > CA-server and DNS-server. > They are present on both systems. > > However currently I'm 'just' adding an el9 replica and the old el8 > master can't seem to reach the ca accourding to the healthcheck. > > And I don't want to start migrating before the current situation has a > good alth status for all the replicas/masters. Can you re-run it with --debug? Some older versions of healthcheck had a bug in the debug switch where it got turned off while importing external checks so if you don't get much, you've hit that. rob > > > Op di 17 jan. 2023 om 15:37 schreef Francisco Triviño García > <ftrivino(a)redhat.com <mailto:ftrivino@redhat.com> <mailto:ftrivino@redhat.com <mailto:ftrivino@redhat.com>>>: > > >     On 1/17/23 09:33, Rob Verduijn via FreeIPA-users wrote: >>     Hello all, >> >>     I wanted to migrate my old el8 freeipa server to el9. >> >>     So I installed a new system with el9 and configured a replica on it. >> >>     After this was completed I ran ipa-healthcheck on the new el9 >>     replica and all was well. >> >>     However after this I ran ipa-healthcheck on the old el8 ipa server >>     and I got the following error. >>     ipa-healthcheck   >>     Internal server error 'Link' >>     [ >>      { >>        "source": "pki.server.healthcheck.clones.connectivity_and_data", >>        "check": "ClonesConnectivyAndDataCheck", >>        "result": "ERROR", >>        "uuid": "5aea196e-1693-4c14-93c5-649286c8ef7f", >>        "when": "20230117082651Z", >>        "duration": "0.402024", >>        "kw": { >>          "status": "ERROR:  pki-tomcat : Internal error testing CA >>     clone. Host: freeipa01.tjako.thuis Port: 443" >>        } >>      } >>     ] >> >>     I double checked the firewall and all ports were open on the el9 >>     server >>     firewall-cmd --list-all >>     public (active) >>      target: default >>      icmp-block-inversion: no >>      interfaces: br0 enp1s0 >>      sources:   >>      services: cockpit dhcpv6-client dns freeipa-ldap freeipa-ldaps >>     http https ntp ssh >>      ports:   >>      protocols:   >>      forward: yes >>      masquerade: no >>      forward-ports:   >>      source-ports:   >>      icmp-blocks:   >>      rich rules: >> >>     On the el9 server ipa-healthcheck yields no errors and ipactl >>     status shows everything is >>     running. >> >>     Anybody know why the old el8 server fails the ipa-healthcheck ? > >     Assuming that the new server (as a replica of the el8 server) was >     installed including all the server roles present on el8, I guess >     there are more steps to be completed, here you can find the full >     migration guide: > >     https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/migrating_to_identity_management_on_rhel_9/assembly_migrating-your-idm-environment-from-rhel-8-servers-to-rhel-9-servers_migrating-to-idm-on-rhel-9 > >     is freeipa01.tjako.thuis the new server? > > >> >>     Rob >> >> >>     _______________________________________________ >>     FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>> >>     To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>> >>     Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>     List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >>     List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... >>     Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue > > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue >

Hi, I don't see anything strange in the output but thats probably my ignorance. With your extended command the output is now free of certs so I'm attaching it. Rob Op wo 18 jan. 2023 om 15:22 schreef Rob Crittenden <rcritten(a)redhat.com <mailto:rcritten@redhat.com>>: Rob Verduijn wrote: > Hello, > > I ran healthcheck with the debug option.There was a huge amount of > output which stopped after the healtherror I mentioned before. > > Sadly the amount also contained all certificates so I cannot post it here. > The debug output is quite overwhelming. > Could you give some pointers at to what I should be looking for ? You can narrow the output by adding the cli options --source pki.server.healthcheck.clones.connectivity_and_data --check ClonesConnectivyAndDataCheck The error reported by the plugin is an internal error so you're looking for back traces or other suppressed output. rob > > Rob > > > Op di 17 jan. 2023 om 15:55 schreef Rob Crittenden <rcritten(a)redhat.com <mailto:rcritten@redhat.com> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>: > >     Rob Verduijn via FreeIPA-users wrote: >     > I do have migration in mind, and I already have seen that doc. >     > >     > I double checked the roles, and the only two roles that are >     enabled are >     > CA-server and DNS-server. >     > They are present on both systems. >     > >     > However currently I'm 'just' adding an el9 replica and the old el8 >     > master can't seem to reach the ca accourding to the healthcheck. >     > >     > And I don't want to start migrating before the current situation has a >     > good alth status for all the replicas/masters. > >     Can you re-run it with --debug? Some older versions of healthcheck had a >     bug in the debug switch where it got turned off while importing external >     checks so if you don't get much, you've hit that. > >     rob > >     > >     > >     > Op di 17 jan. 2023 om 15:37 schreef Francisco Triviño García >     > <ftrivino(a)redhat.com <mailto:ftrivino@redhat.com> <mailto:ftrivino@redhat.com <mailto:ftrivino@redhat.com>> >     <mailto:ftrivino@redhat.com <mailto:ftrivino@redhat.com> <mailto:ftrivino@redhat.com <mailto:ftrivino@redhat.com>>>>: >     > >     > >     >     On 1/17/23 09:33, Rob Verduijn via FreeIPA-users wrote: >     >>     Hello all, >     >> >     >>     I wanted to migrate my old el8 freeipa server to el9. >     >> >     >>     So I installed a new system with el9 and configured a replica >     on it. >     >> >     >>     After this was completed I ran ipa-healthcheck on the new el9 >     >>     replica and all was well. >     >> >     >>     However after this I ran ipa-healthcheck on the old el8 ipa >     server >     >>     and I got the following error. >     >>     ipa-healthcheck   >     >>     Internal server error 'Link' >     >>     [ >     >>      { >     >>        "source": >     "pki.server.healthcheck.clones.connectivity_and_data", >     >>        "check": "ClonesConnectivyAndDataCheck", >     >>        "result": "ERROR", >     >>        "uuid": "5aea196e-1693-4c14-93c5-649286c8ef7f", >     >>        "when": "20230117082651Z", >     >>        "duration": "0.402024", >     >>        "kw": { >     >>          "status": "ERROR:  pki-tomcat : Internal error testing CA >     >>     clone. Host: freeipa01.tjako.thuis Port: 443" >     >>        } >     >>      } >     >>     ] >     >> >     >>     I double checked the firewall and all ports were open on the el9 >     >>     server >     >>     firewall-cmd --list-all >     >>     public (active) >     >>      target: default >     >>      icmp-block-inversion: no >     >>      interfaces: br0 enp1s0 >     >>      sources:   >     >>      services: cockpit dhcpv6-client dns freeipa-ldap freeipa-ldaps >     >>     http https ntp ssh >     >>      ports:   >     >>      protocols:   >     >>      forward: yes >     >>      masquerade: no >     >>      forward-ports:   >     >>      source-ports:   >     >>      icmp-blocks:   >     >>      rich rules: >     >> >     >>     On the el9 server ipa-healthcheck yields no errors and ipactl >     >>     status shows everything is >     >>     running. >     >> >     >>     Anybody know why the old el8 server fails the ipa-healthcheck ? >     > >     >     Assuming that the new server (as a replica of the el8 server) was >     >     installed including all the server roles present on el8, I guess >     >     there are more steps to be completed, here you can find the full >     >     migration guide: >     > >     >    >      https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/migrating_to_identity_management_on_rhel_9/assembly_migrating-your-idm-environment-from-rhel-8-servers-to-rhel-9-servers_migrating-to-idm-on-rhel-9 >     > >     >     is freeipa01.tjako.thuis the new server? >     > >     > >     >> >     >>     Rob >     >> >     >> >     >>     _______________________________________________ >     >>     FreeIPA-users mailing list -- >     freeipa-users(a)lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> >     <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>> >     <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> >     <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>>> >     >>     To unsubscribe send an email to >     freeipa-users-leave(a)lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> >     <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>> >     <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> >     <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>>> >     >>     Fedora Code of Conduct: >     https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >     >>     List Guidelines: >     https://fedoraproject.org/wiki/Mailing_list_guidelines >     >>     List Archives: >     https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org >     >>     Do not reply to spam, report it: >     https://pagure.io/fedora-infrastructure/new_issue >     > >     > >     > _______________________________________________ >     > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> >     <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>> >     > To unsubscribe send an email to >     freeipa-users-leave(a)lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> >     <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>> >     > Fedora Code of Conduct: >     https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >     > List Guidelines: >     https://fedoraproject.org/wiki/Mailing_list_guidelines >     > List Archives: >     https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org >     > Do not reply to spam, report it: >     https://pagure.io/fedora-infrastructure/new_issue >     > >