Hello all,

I've got a FreeIPA infra running on AlmaLinux 8.10, totally up to date, with
a trusted AD domain.

I find some strange errors when I run "ipa-healthcheck --failures-only". Those
errors refer to an old server that was removed from the FreeIPA infra a long
time ago. Everything has been removed from DNS and so on, but apparently some
old related things remain, and I cannot find where...

I cannot find the name of that no-longer-existing server anywhere on the
machines running the FreeIPA server and replicas...

How could I fix that?

Thanks for your help.

# ipa-healthcheck --failures-only
Internal server error HTTPSConnectionPool(host='srvmiddl03.domain.intra', port=443): Max retries exceeded with url: /ca/rest/certs/search?size=3 (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fa37a4f8dd8>: Failed to establish a new connection: [Errno -2] Name or service not known',))
Unable to reach KRA at https://srvmid03.domain.intra:443: HTTPSConnectionPool(host='srvmiddl03.domain.intra', port=443): Max retries exceeded with url: /kra/admin/kra/getStatus (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fa37a4f8e48>: Failed to establish a new connection: [Errno -2] Name or service not known',))
[
  {
    "source": "pki.server.healthcheck.clones.connectivity_and_data",
    "check": "ClonesConnectivyAndDataCheck",
    "result": "ERROR",
    "uuid": "6f63aaf6-2079-4f60-ac2e-c47f7a9ae03f",
    "when": "20241108094743Z",
    "duration": "0.063539",
    "kw": {
      "status": "ERROR: pki-tomcat : Internal error testing CA clone. Host: srvmiddl03.domain.intra Port: 443"
    }
  },
  {
    "source": "pki.server.healthcheck.clones.connectivity_and_data",
    "check": "ClonesConnectivyAndDataCheck",
    "result": "ERROR",
    "uuid": "1f9569b5-224f-488e-823d-15cfc3fbf782",
    "when": "20241108094744Z",
    "duration": "0.982430",
    "kw": {
      "status": "ERROR: pki-tomcat : Unable to reach KRA at https://srvmid03.domain.intra:443: HTTPSConnectionPool(host='srvmiddl03.domain.intra', port=443): Max retries exceeded with url: /kra/admin/kra/getStatus (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fa37a4f8e48>: Failed to establish a new connection: [Errno -2] Name or service not known',))"
    }
  },
  {
    "source": "pki.server.healthcheck.meta.csconfig",
    "check": "KRADogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "c4419f0e-0598-4f93-a92e-dc74b9418d88",
    "when": "20241108095410Z",
    "duration": "0.035134",
    "kw": {
      "key": "kra_sslserver",
      "nickname": "Server-Cert cert-pki-ca",
      "directive": "kra.sslserver.cert",
      "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
      "msg": "Certificate 'Server-Cert cert-pki-ca' does not match the value of kra.sslserver.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
    }
  },
  {
    "source": "pki.server.healthcheck.meta.csconfig",
    "check": "KRADogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "240a2325-0c76-4638-98a2-064ae5a5b002",
    "when": "20241108095410Z",
    "duration": "0.067181",
    "kw": {
      "key": "kra_subsystem",
      "nickname": "subsystemCert cert-pki-ca",
      "directive": "kra.subsystem.cert",
      "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
      "msg": "Certificate 'subsystemCert cert-pki-ca' does not match the value of kra.subsystem.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
    }
  },
  {
    "source": "pki.server.healthcheck.meta.csconfig",
    "check": "KRADogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "2b2239b4-543d-4826-b13b-d0ec736f959d",
    "when": "20241108095410Z",
    "duration": "0.099616",
    "kw": {
      "key": "kra_transport",
      "nickname": "transportCert cert-pki-kra",
      "directive": "kra.transport.cert",
      "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
      "msg": "Certificate 'transportCert cert-pki-kra' does not match the value of kra.transport.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
    }
  },
  {
    "source": "pki.server.healthcheck.meta.csconfig",
    "check": "KRADogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "9dd366cc-d421-4e50-86f4-62c58b512ec8",
    "when": "20241108095410Z",
    "duration": "0.132474",
    "kw": {
      "key": "kra_storage",
      "nickname": "storageCert cert-pki-kra",
      "directive": "kra.storage.cert",
      "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
      "msg": "Certificate 'storageCert cert-pki-kra' does not match the value of kra.storage.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
    }
  },
  {
    "source": "pki.server.healthcheck.meta.csconfig",
    "check": "KRADogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "273a6f31-b66f-43c4-90ac-7069db9d8fe4",
    "when": "20241108095410Z",
    "duration": "0.165108",
    "kw": {
      "key": "kra_audit_signing",
      "nickname": "auditSigningCert cert-pki-kra",
      "directive": "kra.audit_signing.cert",
      "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
      "msg": "Certificate 'auditSigningCert cert-pki-kra' does not match the value of kra.audit_signing.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
    }
  },
  {
    "source": "ipahealthcheck.dogtag.ca",
    "check": "DogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "24a3b4a5-25fc-41d4-9d98-b1e2ff4020bc",
    "when": "20241108095411Z",
    "duration": "0.456625",
    "kw": {
      "key": "transportCert cert-pki-kra",
      "directive": "ca.connector.KRA.transportCert",
      "configfile": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
      "msg": "Certificate 'transportCert cert-pki-kra' does not match the value of ca.connector.KRA.transportCert in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
    }
  }
]

Bernard LHEUREUX
Linux & System Engineer
FreeIPA-users mailing list -- [email protected]