It is trying to read three certs from the CA just to validate that things are working. Some exception is being thrown during the POST. The pki and/or httpd logs might contain more info.
rob Rob Verduijn wrote: > Hi, > > I don't see anything strange in the output but thats probably my ignorance. > With your extended command the output is now free of certs so I'm > attaching it. > > Rob > > > Op wo 18 jan. 2023 om 15:22 schreef Rob Crittenden <[email protected] > <mailto:[email protected]>>: > > Rob Verduijn wrote: > > Hello, > > > > I ran healthcheck with the debug option.There was a huge amount of > > output which stopped after the healtherror I mentioned before. > > > > Sadly the amount also contained all certificates so I cannot post > it here. > > The debug output is quite overwhelming. > > Could you give some pointers at to what I should be looking for ? > > You can narrow the output by adding the cli options --source > pki.server.healthcheck.clones.connectivity_and_data --check > ClonesConnectivyAndDataCheck > > The error reported by the plugin is an internal error so you're looking > for back traces or other suppressed output. > > rob > > > > > Rob > > > > > > Op di 17 jan. 2023 om 15:55 schreef Rob Crittenden > <[email protected] <mailto:[email protected]> > > <mailto:[email protected] <mailto:[email protected]>>>: > > > > Rob Verduijn via FreeIPA-users wrote: > > > I do have migration in mind, and I already have seen that doc. > > > > > > I double checked the roles, and the only two roles that are > > enabled are > > > CA-server and DNS-server. > > > They are present on both systems. > > > > > > However currently I'm 'just' adding an el9 replica and the > old el8 > > > master can't seem to reach the ca accourding to the healthcheck. > > > > > > And I don't want to start migrating before the current > situation has a > > > good alth status for all the replicas/masters. > > > > Can you re-run it with --debug? Some older versions of > healthcheck had a > > bug in the debug switch where it got turned off while > importing external > > checks so if you don't get much, you've hit that. > > > > rob > > > > > > > > > > > Op di 17 jan. 2023 om 15:37 schreef Francisco Triviño García > > > <[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>>: > > > > > > > > > On 1/17/23 09:33, Rob Verduijn via FreeIPA-users wrote: > > >> Hello all, > > >> > > >> I wanted to migrate my old el8 freeipa server to el9. > > >> > > >> So I installed a new system with el9 and configured a > replica > > on it. > > >> > > >> After this was completed I ran ipa-healthcheck on the > new el9 > > >> replica and all was well. > > >> > > >> However after this I ran ipa-healthcheck on the old el8 ipa > > server > > >> and I got the following error. > > >> ipa-healthcheck > > >> Internal server error 'Link' > > >> [ > > >> { > > >> "source": > > "pki.server.healthcheck.clones.connectivity_and_data", > > >> "check": "ClonesConnectivyAndDataCheck", > > >> "result": "ERROR", > > >> "uuid": "5aea196e-1693-4c14-93c5-649286c8ef7f", > > >> "when": "20230117082651Z", > > >> "duration": "0.402024", > > >> "kw": { > > >> "status": "ERROR: pki-tomcat : Internal error > testing CA > > >> clone. Host: freeipa01.tjako.thuis Port: 443" > > >> } > > >> } > > >> ] > > >> > > >> I double checked the firewall and all ports were open > on the el9 > > >> server > > >> firewall-cmd --list-all > > >> public (active) > > >> target: default > > >> icmp-block-inversion: no > > >> interfaces: br0 enp1s0 > > >> sources: > > >> services: cockpit dhcpv6-client dns freeipa-ldap > freeipa-ldaps > > >> http https ntp ssh > > >> ports: > > >> protocols: > > >> forward: yes > > >> masquerade: no > > >> forward-ports: > > >> source-ports: > > >> icmp-blocks: > > >> rich rules: > > >> > > >> On the el9 server ipa-healthcheck yields no errors and > ipactl > > >> status shows everything is > > >> running. > > >> > > >> Anybody know why the old el8 server fails the > ipa-healthcheck ? > > > > > > Assuming that the new server (as a replica of the el8 > server) was > > > installed including all the server roles present on el8, > I guess > > > there are more steps to be completed, here you can find > the full > > > migration guide: > > > > > > > > > > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/migrating_to_identity_management_on_rhel_9/assembly_migrating-your-idm-environment-from-rhel-8-servers-to-rhel-9-servers_migrating-to-idm-on-rhel-9 > > > > > > is freeipa01.tjako.thuis the new server? > > > > > > > > >> > > >> Rob > > >> > > >> > > >> _______________________________________________ > > >> FreeIPA-users mailing list -- > > [email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>> > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>>> > > >> To unsubscribe send an email to > > [email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>> > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>>> > > >> Fedora Code of Conduct: > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > >> List Guidelines: > > https://fedoraproject.org/wiki/Mailing_list_guidelines > > >> List Archives: > > > > https://lists.fedorahosted.org/archives/list/[email protected] > > >> Do not reply to spam, report it: > > https://pagure.io/fedora-infrastructure/new_issue > > > > > > > > > _______________________________________________ > > > FreeIPA-users mailing list -- > [email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>> > > > To unsubscribe send an email to > > [email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>> > > > Fedora Code of Conduct: > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > > List Guidelines: > > https://fedoraproject.org/wiki/Mailing_list_guidelines > > > List Archives: > > > > https://lists.fedorahosted.org/archives/list/[email protected] > > > Do not reply to spam, report it: > > https://pagure.io/fedora-infrastructure/new_issue > > > > > > _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
