hi all,
some more info: i just saw similar error on other thread "healthcheck
complains about a removed replica"
i ran "pki securitydomain-host-find" and got
> Host ID: CA oldm1.domain 443
> Hostname: oldm1.domain
> Port: 80
> Secure Port: 443
> Domain Manager: TRUE
> Clone: FALSE
>
> Host ID: CA oldm2.domain 443
> Hostname: oldm2.domain
> Port: 80
> Secure Port: 443
> Domain Manager: TRUE
> Clone: TRUE
>
> Host ID: CA newm4.domain 443
> Hostname: newm4.domain
> Port: 80
> Secure Port: 443
> Domain Manager: TRUE
> Clone: TRUE
>
> Host ID: CA newm3.domain 443
> Hostname: newm3.domain
> Port: 80
> Secure Port: 443
> Domain Manager: TRUE
> Clone: TRUE
stijn
On 6/1/21 2:28 PM, Stijn De Weirdt via FreeIPA-users wrote:
> hi all,
>
> our ipa-healthcheck gives some seemingly odd output:
>
>> Internal server error HTTPSConnectionPool(host='oldm2.domain', port=443):
>> Max retries exceeded with url: /ca/rest/certs/search?size=3 (Caused by
>> NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at
>> 0x7f32581cb748>: Failed to establish a new connection: [Errno -2] Name or
>> service not known',))
>> [
>> {
>> "source": "pki.server.healthcheck.clones.connectivity_and_data",
>> "check": "ClonesConnectivyAndDataCheck",
>> "result": "ERROR",
>> "uuid": "c7694559-157f-42da-9722-29ab4308d8bc",
>> "when": "20210601115956Z",
>> "duration": "0.424097",
>> "kw": {
>> "status": "ERROR: pki-tomcat : Internal error testing CA clone. Host:
>> oldm2.domain Port: 443"
>> }
>> },
>
> googling the error itself, i find references to this being a false
> positive; but looking closer (and also the initial server error) give an
> actual error: they reference an old master (it's obviously not called
> oldm2, so i had to read it a few times to see it was actually this old
> host).
>
> a while ago we migrated our centos7 setup (oldm1 and oldm2) to rhel82
> (newm3 and newm4), by following the migration guide
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/migrate-7-to-8_migrating
>
> i'm quite sure we followed all steps, including the final uninstall on
> oldm1 and oldm2.
>
> however, after starting to run ipa-healthcheck recently and seeing this
> error, we looked for other traces of the old servers and started to
> clean them up. the old hosts are no longer around, so no chance to rerun
> things or check logs.
>
> so far we removed a bunch of DNS entries where the oldm1 was still used,
> but we now also have some other ones that reference oldm2: e.g. the pki
> related error above, but also oldm2 is still referenced in some entries
> in our dirserv dse.ldif (2 nsslapd-referral, 3 nsds50ruv and 3
> nsruvReplicaLastModified). the traces are only of oldm2, not sign of
> oldm1 there.
>
> i'd appreciate some tips/guidance for removing the pki reference to
> oldm2 and things we can do to cleanup the dse.ldif
>
> many many thanks,
>
> stijn
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
