On Fri, 28 May 2021, Kees Bakker via FreeIPA-users wrote:
>On 28-05-2021 19:32, Kees Bakker via FreeIPA-users wrote:
>>On 28-05-2021 17:22, Kees Bakker via FreeIPA-users wrote:
>>>Hi,
>>>
>>>After installing a new replica and running
>>>
>>>/usr/bin/ipa-healthcheck --source pki.server.healthcheck.clones.connectivity_and_data
>>>
>>>I'm getting this error
>>>
>>>keyctl_search: Required key not available
>>>Enter password for Internal Key Storage Token:
>>>Internal server error HTTPSConnectionPool(host='iparep3.ghs.nl', port=443): Max retries exceeded with url: /ca/rest/certs/search?size=3 (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fc473262a90>: Failed to establish a new connection: [Errno 113] No route to host',))
>>>[
>>>  {
>>>    "source": "pki.server.healthcheck.clones.connectivity_and_data",
>>>    "check": "ClonesConnectivyAndDataCheck",
>>>    "result": "ERROR",
>>>    "uuid": "c2f3ec1d-494b-4f6a-b6e3-0e38108f2005",
>>>    "when": "20210528150818Z",
>>>    "duration": "30.348789",
>>>    "kw": {
>>>      "status": "ERROR: pki-tomcat : Internal error testing CA clone. Host: iparep3.ghs.nl Port: 443"
>>>    }
>>>  }
>>>]
>>>
>>>First, it is asking for a password, and I have no clue for what. I've
>>>tried the admin password and the Directory Manager password. It
>>>makes no difference.
>>>
>>>Second, it tries to connect to a replica that was removed several months
>>>ago. Both ipa-replica-manage list and ipa-csreplica-manage show the
>>>correct list of masters that we currently have.
>>>
>>>Where does ipa-healthcheck get the information from to query the removed
>>>replica?
>>>
>>>BTW. Two replicas run CentOS 8 Stream, and one runs CentOS 7. The first two give
>>>this healthcheck error, the CentOS 7 master does not.
>>
>>That last remark should be: on CentOS 7 there was no such check. So, perhaps
>>the error is there too.
>>
>># /usr/bin/ipa-healthcheck --source pki.server.healthcheck.clones.connectivity_and_data
>>Source 'pki.server.healthcheck.clones.connectivity_and_data' not found
>
>The problem seems to be that PKI has its own information about
>masters (and clones). In our PKI configuration there are still two hosts
>that were deleted from FreeIPA a long time ago. So, the
>ipa-replica-manage del
>command did not remove them from PKI??
CA replica management is done with 'ipa-csreplica-manage' tool, not
'ipa-replica-manage'.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
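The thread boils down to a mismatch between two inventories: the CA masters that FreeIPA itself lists (ipa-csreplica-manage list) and the clone entries that PKI still carries and that ipa-healthcheck walks. The script below is an added example, not code from this thread, from ipa-healthcheck or from the FreeIPA project. It parses healthcheck JSON in the shape shown above, pulls the Host/Port out of each ERROR status for the clone connectivity check, and splits the hits into "stale clone entry for a host FreeIPA no longer lists" versus "connectivity problem with a host that is a current master". The healthcheck output embedded in it is constructed from the format in the thread, and the hostnames and the CURRENT_CA_MASTERS set are assumptions; in practice you would feed it the real ipa-healthcheck output and the real master list.

```python
"""Cross-check ipa-healthcheck CA clone results against FreeIPA's own CA master list.

Added example for the FreeIPA-users thread; not part of ipa-healthcheck or FreeIPA.
The sample JSON is constructed to match the output format shown in the thread,
and all hostnames below are assumptions.
"""
import json
import re

CLONE_CHECK_SOURCE = "pki.server.healthcheck.clones.connectivity_and_data"

# Constructed sample output: one ERROR for a host that was removed long ago,
# one ERROR for a host that is still a master, and one SUCCESS entry.
SAMPLE_HEALTHCHECK_OUTPUT = json.dumps([
    {
        "source": CLONE_CHECK_SOURCE,
        "check": "ClonesConnectivyAndDataCheck",
        "result": "ERROR",
        "uuid": "00000000-0000-0000-0000-000000000001",
        "when": "20210528150818Z",
        "duration": "30.348789",
        "kw": {"status": "ERROR: pki-tomcat : Internal error testing CA clone. "
                         "Host: old-replica.example.test Port: 443"},
    },
    {
        "source": CLONE_CHECK_SOURCE,
        "check": "ClonesConnectivyAndDataCheck",
        "result": "ERROR",
        "uuid": "00000000-0000-0000-0000-000000000002",
        "when": "20210528150819Z",
        "duration": "1.2",
        "kw": {"status": "ERROR: pki-tomcat : Internal error testing CA clone. "
                         "Host: ipa2.example.test Port: 443"},
    },
    {
        "source": CLONE_CHECK_SOURCE,
        "check": "ClonesConnectivyAndDataCheck",
        "result": "SUCCESS",
        "uuid": "00000000-0000-0000-0000-000000000003",
        "when": "20210528150820Z",
        "duration": "0.4",
        "kw": {},
    },
])

# Assumed: the masters that `ipa-csreplica-manage list` reports today.
CURRENT_CA_MASTERS = {"ipa1.example.test", "ipa2.example.test"}

# Host/Port as they appear in the clone check's status string.
HOST_PORT_RE = re.compile(r"Host:\s*(?P<host>[\w.-]+)\s+Port:\s*(?P<port>\d+)")


def parse_clone_errors(healthcheck_json):
    """Return (host, port, status) for every ERROR result of the clone check.

    host/port are None when the status string does not carry them.
    """
    errors = []
    for entry in json.loads(healthcheck_json):
        if entry.get("source") != CLONE_CHECK_SOURCE:
            continue
        if entry.get("result") != "ERROR":
            continue
        status = entry.get("kw", {}).get("status", "")
        match = HOST_PORT_RE.search(status)
        host = match.group("host") if match else None
        port = int(match.group("port")) if match else None
        errors.append((host, port, status))
    return errors


def find_stale_clones(healthcheck_json, current_masters):
    """Split clone-check errors into stale entries and real connectivity problems.

    A stale entry is a host PKI still tracks as a clone but FreeIPA no longer
    lists as a master, i.e. a leftover from an incomplete replica removal.
    Errors for hosts that are current masters (or that could not be parsed)
    are reported separately because they need investigation, not cleanup.
    """
    stale, real = [], []
    for host, port, status in parse_clone_errors(healthcheck_json):
        if host is not None and host not in current_masters:
            stale.append((host, port, status))
        else:
            real.append((host, port, status))
    return stale, real


if __name__ == "__main__":
    stale, real = find_stale_clones(SAMPLE_HEALTHCHECK_OUTPUT, CURRENT_CA_MASTERS)
    for host, port, _ in stale:
        print(f"stale PKI clone entry: {host}:{port} is not a current CA master")
    for _, _, status in real:
        print(f"connectivity problem with a live master: {status}")
```

Run it against real data with something like `ipa-healthcheck --source pki.server.healthcheck.clones.connectivity_and_data --output-type json` piped into `parse_clone_errors`, and the master set built from `ipa-csreplica-manage list`; a non-empty "stale" list is the signal that the CA clone inventory and FreeIPA's master list have drifted apart, which is what the replica in the thread is showing.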