On 01-06-2021 18:01, Rob Crittenden wrote:
Kees Bakker via FreeIPA-users wrote:
On 29-05-2021 10:21, Alexander Bokovoy wrote:
On pe, 28 touko 2021, Kees Bakker via FreeIPA-users wrote:
On 28-05-2021 19:32, Kees Bakker via FreeIPA-users wrote:
On 28-05-2021 17:22, Kees Bakker via FreeIPA-users wrote:
Hi,

After installing a new replica and running

/usr/bin/ipa-healthcheck --source pki.server.healthcheck.clones.connectivity_and_data

I'm getting this error

keyctl_search: Required key not available
Enter password for Internal Key Storage Token:
Internal server error HTTPSConnectionPool(host='iparep3.ghs.nl',
port=443): Max retries exceeded with url:
/ca/rest/certs/search?size=3 (Caused by
NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection
object at 0x7fc473262a90>: Failed to establish a new connection:
[Errno 113] No route to host',))
[
   {
     "source": "pki.server.healthcheck.clones.connectivity_and_data",
     "check": "ClonesConnectivyAndDataCheck",
     "result": "ERROR",
     "uuid": "c2f3ec1d-494b-4f6a-b6e3-0e38108f2005",
     "when": "20210528150818Z",
     "duration": "30.348789",
     "kw": {
       "status": "ERROR:  pki-tomcat : Internal error testing CA
clone. Host: iparep3.ghs.nl Port: 443"
     }
   }
]

First, it is asking for a password, and I have no clue for what. I've
tried the admin password and the Directory Manager password. It
makes no difference.

Second, it tries to connect to a replica that was removed several months ago.
Both ipa-replica-manage list and ipa-csreplica-manage show the correct list
of masters that we currently have.

Where does ipa-healthcheck get the information from to query the removed
replica?

BTW. Two replicas run CentOS 8 Stream, and one runs CentOS 7. The first two
give this healthcheck error, the centos7 master does not.
That last remark should be: on CentOS 7 there was no such check. So, perhaps
the error is there too.

# /usr/bin/ipa-healthcheck --source pki.server.healthcheck.clones.connectivity_and_data
Source 'pki.server.healthcheck.clones.connectivity_and_data' not found
The problem seems to be that PKI has its own information about
masters (and clones). In our PKI configuration there are still two hosts
that were deleted from FreeIPA a long time ago. So, the
    ipa-replica-manage del
command did not remove them from PKI??
CA replica management is done with 'ipa-csreplica-manage' tool, not
'ipa-replica-manage'.


But I did use "ipa-csreplica-manage del" as well. However, I remember that it
complained it couldn't remove that host. I was assuming it was already gone.
When I list with ipa-csreplica-manage then I don't see the old hosts
anymore.

So, two things
1) "ipa-csreplica-manage del" somehow failed (it's probably too late to look
at logs)
2) how can I still remove the old hosts?
I'm not sure how to remove hosts from the CA-managed security domain but
you can show the hosts it knows about with pki securitydomain-show to
confirm that this is where it is finding the old one.

This check is provided by dogtag and executed within ipa-healthcheck.
Can you open a ticket on it at https://github.com/dogtagpki/pki/

rob


https://github.com/dogtagpki/pki/issues/3552
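The thread's symptom is a PKI clone check that still targets a host FreeIPA no longer lists as a CA master. The script below is an added example, not code from the thread or from the FreeIPA or Dogtag projects: it parses the JSON that `ipa-healthcheck` emits (in the shape quoted above), pulls the `Host: ... Port: ...` pair out of the clone check's status string, and reports any host that is not in the operator-supplied list of current CA masters. The hostnames, the master list and the second JSON entry are constructed; the regex over the status text and the idea that the operator pastes in the output of `ipa-csreplica-manage list` are assumptions, not something the tools provide.

```python
import json
import re

# Constructed sample in the shape of `ipa-healthcheck --source ...` JSON output
# as quoted in the thread. Hostnames, uuid and the second entry are made up.
SAMPLE_HEALTHCHECK_OUTPUT = json.dumps([
    {
        "source": "pki.server.healthcheck.clones.connectivity_and_data",
        "check": "ClonesConnectivyAndDataCheck",
        "result": "ERROR",
        "uuid": "00000000-0000-0000-0000-000000000001",
        "when": "20210528150818Z",
        "duration": "30.348789",
        "kw": {
            "status": "ERROR:  pki-tomcat : Internal error testing CA clone. "
                      "Host: iparep3.example.test Port: 443"
        },
    },
    {
        # Constructed placeholder entry with no host reference; a healthy
        # check carries nothing for this script to flag.
        "source": "example.constructed.source",
        "check": "ExampleConstructedCheck",
        "result": "SUCCESS",
        "uuid": "00000000-0000-0000-0000-000000000002",
        "when": "20210528150818Z",
        "duration": "0.010000",
        "kw": {},
    },
])

# Constructed: the masters the operator currently sees with
# `ipa-csreplica-manage list` (assumption: supplied by hand, not queried here).
KNOWN_CA_MASTERS = {"iparep1.example.test", "iparep2.example.test"}

# Matches the "Host: <fqdn> Port: <n>" fragment of the clone check's status text
# (assumed format, taken from the message quoted in the thread).
HOST_RE = re.compile(r"Host:\s*(?P<host>[A-Za-z0-9.-]+)\s+Port:\s*(?P<port>\d+)")


def parse_healthcheck(raw):
    """Return one dict per healthcheck entry with the host/port the check
    targeted (None when the status text names none)."""
    findings = []
    for entry in json.loads(raw):
        status = entry.get("kw", {}).get("status", "")
        match = HOST_RE.search(status)
        findings.append({
            "source": entry.get("source"),
            "check": entry.get("check"),
            "result": entry.get("result"),
            "host": match.group("host") if match else None,
            "port": int(match.group("port")) if match else None,
        })
    return findings


def stale_clone_references(raw, known_masters):
    """Hosts that a failing clone check tried to reach but that are not
    among the current CA masters: candidates for stale security-domain
    entries that need cleaning up on the PKI side."""
    stale = set()
    for finding in parse_healthcheck(raw):
        if finding["result"] != "ERROR" or finding["host"] is None:
            continue
        if finding["host"] not in known_masters:
            stale.add(finding["host"])
    return sorted(stale)


if __name__ == "__main__":
    for host in stale_clone_references(SAMPLE_HEALTHCHECK_OUTPUT, KNOWN_CA_MASTERS):
        print(f"clone check targets host not in current CA master list: {host}")
```

Run against real output by replacing the constructed JSON with `ipa-healthcheck --source pki.server.healthcheck.clones.connectivity_and_data` piped to a file, and the constructed set with the hostnames from `ipa-csreplica-manage list`. A host this reports is one to confirm with `pki securitydomain-show`, as suggested in the reply above, before deciding how to remove it.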
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]