On 28-05-2021 19:32, Kees Bakker via FreeIPA-users wrote:
On 28-05-2021 17:22, Kees Bakker via FreeIPA-users wrote:
Hi,

After installing a new replica and running

/usr/bin/ipa-healthcheck --source pki.server.healthcheck.clones.connectivity_and_data

I'm getting this error

keyctl_search: Required key not available
Enter password for Internal Key Storage Token:
Internal server error HTTPSConnectionPool(host='iparep3.ghs.nl', port=443): Max retries exceeded with url: /ca/rest/certs/search?size=3 (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fc473262a90>: Failed to establish a new connection: [Errno 113] No route to host',))
[
  {
    "source": "pki.server.healthcheck.clones.connectivity_and_data",
    "check": "ClonesConnectivyAndDataCheck",
    "result": "ERROR",
    "uuid": "c2f3ec1d-494b-4f6a-b6e3-0e38108f2005",
    "when": "20210528150818Z",
    "duration": "30.348789",
    "kw": {
      "status": "ERROR:  pki-tomcat : Internal error testing CA clone. Host: iparep3.ghs.nl Port: 443"
    }
  }
]

First, it is asking for a password, and I have no clue for what. I've
tried the admin password and the Directory Manager password. It
makes no difference.

Second, it tries to connect to a replica that was removed several months
ago. Both ipa-replica-manage list and ipa-csreplica-manage show the
correct list of masters that we currently have.

Where does ipa-healthcheck get the information from to query the removed
replica?

BTW, two replicas run CentOS 8 Stream, and one runs CentOS 7. The first two give
this healthcheck error, the CentOS 7 master does not.

That last remark should be: on CentOS 7 there was no such check. So, perhaps
the error is there too.

# /usr/bin/ipa-healthcheck --source pki.server.healthcheck.clones.connectivity_and_data
Source 'pki.server.healthcheck.clones.connectivity_and_data' not found

The problem seems to be that PKI has its own information about
masters (and clones). In our PKI configuration there are still two hosts
that were deleted from FreeIPA a long time ago. So, the
   ipa-replica-manage del
command did not remove them from PKI??

BTW, healthcheck uses this URL to get that PKI info.

    http://localhost:8080/ca/rest/securityDomain/domainInfo

How can I get rid of the two old hosts?
--
Kees
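
Added example, not part of the original post and not FreeIPA or PKI project code: a way to list hosts that are still registered in the PKI security domain (the domainInfo URL quoted above) but are absent from the current list of IPA masters. The JSON layout of the response and all hostnames below are assumptions constructed for illustration; the layout differs between PKI versions.

```python
import json

# Constructed sample. The JSON layout (subsystems -> hosts -> Hostname,
# SecurePort) is an assumption; it varies between PKI versions.
SAMPLE_DOMAIN_INFO = json.loads("""
{"id": "IPA",
 "subsystems": {"CA": {"id": "CA", "hosts": {
   "CA ipa1.example.test 443": {"Hostname": "ipa1.example.test", "SecurePort": "443"},
   "CA ipa2.example.test 443": {"Hostname": "ipa2.example.test", "SecurePort": "443"},
   "CA old1.example.test 443": {"Hostname": "old1.example.test", "SecurePort": "443"},
   "CA old2.example.test 443": {"Hostname": "old2.example.test", "SecurePort": "443"}
 }}}}
""")


def security_domain_hosts(domain_info):
    """Return {subsystem: {(hostname, secure_port), ...}} from parsed domainInfo JSON."""
    result = {}
    for name, subsystem in (domain_info.get("subsystems") or {}).items():
        hosts = (subsystem.get("hosts") or {}).values()
        result[name] = {(h["Hostname"].lower().rstrip("."), int(h["SecurePort"]))
                        for h in hosts}
    return result


def stale_hosts(domain_info, current_masters):
    """Hosts known to the security domain but not in the list of current masters.

    current_masters is the host list you trust, e.g. what
    ipa-replica-manage list reports.
    """
    known = {m.lower().rstrip(".") for m in current_masters}
    stale = {}
    for name, hosts in security_domain_hosts(domain_info).items():
        missing = sorted(h for h in hosts if h[0] not in known)
        if missing:
            stale[name] = missing
    return stale


if __name__ == "__main__":
    masters = ["ipa1.example.test", "ipa2.example.test"]  # constructed
    for subsystem, hosts in stale_hosts(SAMPLE_DOMAIN_INFO, masters).items():
        for host, port in hosts:
            print(f"{subsystem}: {host}:{port} is in the security domain "
                  "but is not a current master")
```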