Kees Bakker via FreeIPA-users wrote:
> On 29-05-2021 10:21, Alexander Bokovoy wrote:
>> On pe, 28 touko 2021, Kees Bakker via FreeIPA-users wrote:
>>> On 28-05-2021 19:32, Kees Bakker via FreeIPA-users wrote:
>>>> On 28-05-2021 17:22, Kees Bakker via FreeIPA-users wrote:
>>>>> Hi,
>>>>>
>>>>> After installing a new replica and running
>>>>>
>>>>> /usr/bin/ipa-healthcheck --source pki.server.healthcheck.clones.connectivity_and_data
>>>>>
>>>>> I'm getting this error
>>>>>
>>>>> keyctl_search: Required key not available
>>>>> Enter password for Internal Key Storage Token:
>>>>> Internal server error HTTPSConnectionPool(host='iparep3.ghs.nl',
>>>>> port=443): Max retries exceeded with url:
>>>>> /ca/rest/certs/search?size=3 (Caused by
>>>>> NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection
>>>>> object at 0x7fc473262a90>: Failed to establish a new connection:
>>>>> [Errno 113] No route to host',))
>>>>> [
>>>>>   {
>>>>>     "source": "pki.server.healthcheck.clones.connectivity_and_data",
>>>>>     "check": "ClonesConnectivyAndDataCheck",
>>>>>     "result": "ERROR",
>>>>>     "uuid": "c2f3ec1d-494b-4f6a-b6e3-0e38108f2005",
>>>>>     "when": "20210528150818Z",
>>>>>     "duration": "30.348789",
>>>>>     "kw": {
>>>>>       "status": "ERROR: pki-tomcat : Internal error testing CA clone. Host: iparep3.ghs.nl Port: 443"
>>>>>     }
>>>>>   }
>>>>> ]
>>>>>
>>>>> First, it is asking for a password, and I have no clue for what. I've
>>>>> tried the admin password and the Directory Manager password. It
>>>>> makes no difference.
>>>>>
>>>>> Second, it tries to connect to a replica that was removed several
>>>>> months ago. Both ipa-replica-manage list and ipa-csreplica-manage show
>>>>> the correct list of masters that we currently have.
>>>>>
>>>>> Where does ipa-healthcheck get the information from to query the
>>>>> removed replica?
>>>>>
>>>>> BTW. Two replicas run CentOS 8 Stream, and one runs CentOS 7. The
>>>>> first two give this healthcheck error, the centos7 master does not.
>>>> That last remark should be: on CentOS 7 there was no such check. So,
>>>> perhaps the error is there too.
>>>>
>>>> # /usr/bin/ipa-healthcheck --source pki.server.healthcheck.clones.connectivity_and_data
>>>> Source 'pki.server.healthcheck.clones.connectivity_and_data' not found
>>> The problem seems to be that PKI has its own information about
>>> masters (and clones). In our PKI configuration there are still two hosts
>>> that were deleted from FreeIPA a long time ago. So, the
>>> ipa-replica-manage del command did not remove them from PKI??
>> CA replica management is done with 'ipa-csreplica-manage' tool, not
>> 'ipa-replica-manage'.
>>
>>
> But I did use "ipa-csreplica-manage del" as well. However, I remember
> that it complained it couldn't remove that host. I was assuming it was
> already gone. When I list with ipa-csreplica-manage then I don't see the
> old hosts anymore.
>
> So, two things
> 1) "ipa-csreplica-manage del" somehow failed (it's probably too late to
> look at logs)
> 2) how can I still remove the old hosts?
I'm not sure how to remove hosts from the CA-managed security domain but
you can show the hosts it knows about with pki securitydomain-show to
confirm that this is where it is finding the old one.
This check is provided by dogtag and executed within ipa-healthcheck.
Can you open a ticket on it at
https://github.com/dogtagpki/pki/
rob
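As an added example (not from the thread, and not part of ipa-healthcheck or dogtag): a small Python filter over the JSON that ipa-healthcheck prints, in the record shape quoted above, which lists every non-SUCCESS result and flags a host named by the clone check that is missing from the master list you expect (for instance what ipa-csreplica-manage list shows). The sample records and the master list are constructed; the ERROR record reuses the values from the post.

```python
import json
import re

# Constructed sample in the shape of the ipa-healthcheck JSON quoted in the
# thread: the first record is the ERROR from the post, the second is a
# made-up SUCCESS record so the filter has something to skip.
SAMPLE_OUTPUT = json.dumps([
    {"source": "pki.server.healthcheck.clones.connectivity_and_data",
     "check": "ClonesConnectivyAndDataCheck", "result": "ERROR",
     "uuid": "c2f3ec1d-494b-4f6a-b6e3-0e38108f2005",
     "when": "20210528150818Z", "duration": "30.348789",
     "kw": {"status": "ERROR: pki-tomcat : Internal error testing CA "
                      "clone. Host: iparep3.ghs.nl Port: 443"}},
    {"source": "ipahealthcheck.ipa.roles", "check": "IPACRLManagerCheck",
     "result": "SUCCESS", "uuid": "00000000-0000-0000-0000-000000000000",
     "when": "20210528150818Z", "duration": "0.010", "kw": {}},
])

# Host/port as dogtag embeds them in the clone check's status string.
HOST_PORT_RE = re.compile(r"Host:\s*(?P<host>\S+)\s+Port:\s*(?P<port>\d+)")


def failing_checks(output, known_masters):
    """Return one dict per non-SUCCESS record.

    `stale` is True when the status string names a host that is not in
    `known_masters` (e.g. the list from `ipa-csreplica-manage list`); that is
    the symptom in the thread, where dogtag's security domain still lists a
    clone that was removed from FreeIPA.
    """
    findings = []
    for rec in json.loads(output):
        if rec.get("result") == "SUCCESS":
            continue
        m = HOST_PORT_RE.search(rec.get("kw", {}).get("status", ""))
        host = m.group("host") if m else None
        findings.append({
            "source": rec["source"],
            "check": rec["check"],
            "result": rec["result"],
            "host": host,
            "port": int(m.group("port")) if m else None,
            "stale": host is not None and host not in known_masters,
        })
    return findings


if __name__ == "__main__":
    # Hypothetical current master list; iparep3 is not in it, so it is stale.
    for f in failing_checks(SAMPLE_OUTPUT, {"ipa1.example", "ipa2.example"}):
        print(f)
```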