Rob Verduijn wrote: > Hello, > > I ran healthcheck with the debug option.There was a huge amount of > output which stopped after the healtherror I mentioned before. > > Sadly the amount also contained all certificates so I cannot post it here. > The debug output is quite overwhelming. > Could you give some pointers at to what I should be looking for ?
You can narrow the output by adding the cli options --source pki.server.healthcheck.clones.connectivity_and_data --check ClonesConnectivyAndDataCheck The error reported by the plugin is an internal error so you're looking for back traces or other suppressed output. rob > > Rob > > > Op di 17 jan. 2023 om 15:55 schreef Rob Crittenden <rcrit...@redhat.com > <mailto:rcrit...@redhat.com>>: > > Rob Verduijn via FreeIPA-users wrote: > > I do have migration in mind, and I already have seen that doc. > > > > I double checked the roles, and the only two roles that are > enabled are > > CA-server and DNS-server. > > They are present on both systems. > > > > However currently I'm 'just' adding an el9 replica and the old el8 > > master can't seem to reach the ca accourding to the healthcheck. > > > > And I don't want to start migrating before the current situation has a > > good alth status for all the replicas/masters. > > Can you re-run it with --debug? Some older versions of healthcheck had a > bug in the debug switch where it got turned off while importing external > checks so if you don't get much, you've hit that. > > rob > > > > > > > Op di 17 jan. 2023 om 15:37 schreef Francisco Triviño García > > <ftriv...@redhat.com <mailto:ftriv...@redhat.com> > <mailto:ftriv...@redhat.com <mailto:ftriv...@redhat.com>>>: > > > > > > On 1/17/23 09:33, Rob Verduijn via FreeIPA-users wrote: > >> Hello all, > >> > >> I wanted to migrate my old el8 freeipa server to el9. > >> > >> So I installed a new system with el9 and configured a replica > on it. > >> > >> After this was completed I ran ipa-healthcheck on the new el9 > >> replica and all was well. > >> > >> However after this I ran ipa-healthcheck on the old el8 ipa > server > >> and I got the following error. > >> ipa-healthcheck > >> Internal server error 'Link' > >> [ > >> { > >> "source": > "pki.server.healthcheck.clones.connectivity_and_data", > >> "check": "ClonesConnectivyAndDataCheck", > >> "result": "ERROR", > >> "uuid": "5aea196e-1693-4c14-93c5-649286c8ef7f", > >> "when": "20230117082651Z", > >> "duration": "0.402024", > >> "kw": { > >> "status": "ERROR: pki-tomcat : Internal error testing CA > >> clone. Host: freeipa01.tjako.thuis Port: 443" > >> } > >> } > >> ] > >> > >> I double checked the firewall and all ports were open on the el9 > >> server > >> firewall-cmd --list-all > >> public (active) > >> target: default > >> icmp-block-inversion: no > >> interfaces: br0 enp1s0 > >> sources: > >> services: cockpit dhcpv6-client dns freeipa-ldap freeipa-ldaps > >> http https ntp ssh > >> ports: > >> protocols: > >> forward: yes > >> masquerade: no > >> forward-ports: > >> source-ports: > >> icmp-blocks: > >> rich rules: > >> > >> On the el9 server ipa-healthcheck yields no errors and ipactl > >> status shows everything is > >> running. > >> > >> Anybody know why the old el8 server fails the ipa-healthcheck ? > > > > Assuming that the new server (as a replica of the el8 server) was > > installed including all the server roles present on el8, I guess > > there are more steps to be completed, here you can find the full > > migration guide: > > > > > > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/migrating_to_identity_management_on_rhel_9/assembly_migrating-your-idm-environment-from-rhel-8-servers-to-rhel-9-servers_migrating-to-idm-on-rhel-9 > > > > is freeipa01.tjako.thuis the new server? > > > > > >> > >> Rob > >> > >> > >> _______________________________________________ > >> FreeIPA-users mailing list -- > freeipa-users@lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org> > <mailto:freeipa-users@lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org>> > >> To unsubscribe send an email to > freeipa-users-le...@lists.fedorahosted.org > <mailto:freeipa-users-le...@lists.fedorahosted.org> > <mailto:freeipa-users-le...@lists.fedorahosted.org > <mailto:freeipa-users-le...@lists.fedorahosted.org>> > >> Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > >> List Guidelines: > https://fedoraproject.org/wiki/Mailing_list_guidelines > >> List Archives: > > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > >> Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue > > > > > > _______________________________________________ > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org> > > To unsubscribe send an email to > freeipa-users-le...@lists.fedorahosted.org > <mailto:freeipa-users-le...@lists.fedorahosted.org> > > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > List Guidelines: > https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: > > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue > > > _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue