Rob Verduijn via FreeIPA-users wrote: > I do have migration in mind, and I already have seen that doc. > > I double checked the roles, and the only two roles that are enabled are > CA-server and DNS-server. > They are present on both systems. > > However currently I'm 'just' adding an el9 replica and the old el8 > master can't seem to reach the ca accourding to the healthcheck. > > And I don't want to start migrating before the current situation has a > good alth status for all the replicas/masters.
Can you re-run it with --debug? Some older versions of healthcheck had a bug in the debug switch where it got turned off while importing external checks so if you don't get much, you've hit that. rob > > > Op di 17 jan. 2023 om 15:37 schreef Francisco Triviño García > <[email protected] <mailto:[email protected]>>: > > > On 1/17/23 09:33, Rob Verduijn via FreeIPA-users wrote: >> Hello all, >> >> I wanted to migrate my old el8 freeipa server to el9. >> >> So I installed a new system with el9 and configured a replica on it. >> >> After this was completed I ran ipa-healthcheck on the new el9 >> replica and all was well. >> >> However after this I ran ipa-healthcheck on the old el8 ipa server >> and I got the following error. >> ipa-healthcheck >> Internal server error 'Link' >> [ >> { >> "source": "pki.server.healthcheck.clones.connectivity_and_data", >> "check": "ClonesConnectivyAndDataCheck", >> "result": "ERROR", >> "uuid": "5aea196e-1693-4c14-93c5-649286c8ef7f", >> "when": "20230117082651Z", >> "duration": "0.402024", >> "kw": { >> "status": "ERROR: pki-tomcat : Internal error testing CA >> clone. Host: freeipa01.tjako.thuis Port: 443" >> } >> } >> ] >> >> I double checked the firewall and all ports were open on the el9 >> server >> firewall-cmd --list-all >> public (active) >> target: default >> icmp-block-inversion: no >> interfaces: br0 enp1s0 >> sources: >> services: cockpit dhcpv6-client dns freeipa-ldap freeipa-ldaps >> http https ntp ssh >> ports: >> protocols: >> forward: yes >> masquerade: no >> forward-ports: >> source-ports: >> icmp-blocks: >> rich rules: >> >> On the el9 server ipa-healthcheck yields no errors and ipactl >> status shows everything is >> running. >> >> Anybody know why the old el8 server fails the ipa-healthcheck ? > > Assuming that the new server (as a replica of the el8 server) was > installed including all the server roles present on el8, I guess > there are more steps to be completed, here you can find the full > migration guide: > > > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/migrating_to_identity_management_on_rhel_9/assembly_migrating-your-idm-environment-from-rhel-8-servers-to-rhel-9-servers_migrating-to-idm-on-rhel-9 > > is freeipa01.tjako.thuis the new server? > > >> >> Rob >> >> >> _______________________________________________ >> FreeIPA-users mailing list -- [email protected] >> <mailto:[email protected]> >> To unsubscribe send an email to >> [email protected] >> <mailto:[email protected]> >> Fedora Code of Conduct: >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >> List Archives: >> https://lists.fedorahosted.org/archives/list/[email protected] >> Do not reply to spam, report it: >> https://pagure.io/fedora-infrastructure/new_issue > > > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue > _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
