Hi,
I'm not sure the issue is really on PKI side. On ipa server-del call,
IPA should also make sure to call something similar to
pki securitydomain-host-del to make sure that the host is removed from
PKI security domain.
This was tracked in BZ 1740702
<https://bugzilla.redhat.com/show_bug.cgi?id=1740702> that was closed as
Duplicate, but I believe this was a mistake (the other bug 1902173
<https://bugzilla.redhat.com/show_bug.cgi?id=1902173> was about not
crashing if KRA unregistration failed).
I agree. I re-opened the BZ.
rob
flo
On Thu, Jun 3, 2021 at 12:16 PM Kees Bakker via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
On 01-06-2021 18:01, Rob Crittenden wrote:
> Kees Bakker via FreeIPA-users wrote:
>> On 29-05-2021 10:21, Alexander Bokovoy wrote:
>>> On pe, 28 touko 2021, Kees Bakker via FreeIPA-users wrote:
>>>> On 28-05-2021 19:32, Kees Bakker via FreeIPA-users wrote:
>>>>> On 28-05-2021 17:22, Kees Bakker via FreeIPA-users wrote:
>>>>>> Hi,
>>>>>>
>>>>>> After installing a new replica and running
>>>>>>
>>>>>> /usr/bin/ipa-healthcheck --source
>>>>>> pki.server.healthcheck.clones.connectivity_and_data
>>>>>>
>>>>>> I'm getting this error
>>>>>>
>>>>>> keyctl_search: Required key not available
>>>>>> Enter password for Internal Key Storage Token:
>>>>>> Internal server error
>>>>>> HTTPSConnectionPool(host='iparep3.ghs.nl', port=443): Max retries exceeded with url:
>>>>>> /ca/rest/certs/search?size=3 (Caused by
>>>>>> NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection
>>>>>> object at 0x7fc473262a90>: Failed to establish a new connection:
>>>>>> [Errno 113] No route to host',))
>>>>>> [
>>>>>> {
>>>>>> "source": "pki.server.healthcheck.clones.connectivity_and_data",
>>>>>> "check": "ClonesConnectivyAndDataCheck",
>>>>>> "result": "ERROR",
>>>>>> "uuid": "c2f3ec1d-494b-4f6a-b6e3-0e38108f2005",
>>>>>> "when": "20210528150818Z",
>>>>>> "duration": "30.348789",
>>>>>> "kw": {
>>>>>> "status": "ERROR: pki-tomcat : Internal error testing CA clone. Host: iparep3.ghs.nl Port: 443"
>>>>>> }
>>>>>> }
>>>>>> ]
>>>>>>
>>>>>> First, it is asking for a password, and I have no clue for what. I've
>>>>>> tried the admin password and the Directory Manager password. It
>>>>>> makes no difference.
>>>>>>
>>>>>> Second, it tries to connect to a replica that was removed several months
>>>>>> ago. Both ipa-replica-manage list and ipa-csreplica-manage show the
>>>>>> correct list of masters that we currently have.
>>>>>>
>>>>>> Where does ipa-healthcheck get the information from to query the removed
>>>>>> replica?
>>>>>>
>>>>>> BTW. Two replicas run CentOS 8 Stream, and one runs CentOS 7. The
>>>>>> first two give this healthcheck error, the centos7 master does not.
>>>>> That last remark should be: on CentOS 7 there was no such check. So,
>>>>> perhaps the error is there too.
>>>>>
>>>>> # /usr/bin/ipa-healthcheck --source
>>>>> pki.server.healthcheck.clones.connectivity_and_data
>>>>> Source 'pki.server.healthcheck.clones.connectivity_and_data' not found
>>>> The problem seems to be that PKI has its own information about
>>>> masters (and clones). In our PKI configuration there are still two hosts
>>>> that were deleted from FreeIPA a long time ago. So, the
>>>> ipa-replica-manage del command did not remove them from PKI??
>>> CA replica management is done with 'ipa-csreplica-manage' tool, not
>>> 'ipa-replica-manage'.
>>>
>>>
>> But I did use "ipa-csreplica-manage del" as well. However, I remember
>> that it complained it couldn't remove that host. I was assuming it was
>> already gone.
>> When I list with ipa-csreplica-manage then I don't see the old hosts
>> anymore.
>>
>> So, two things
>> 1) "ipa-csreplica-manage del" somehow failed (it's probably too late to
>> look at logs)
>> 2) how can I still remove the old hosts?
> I'm not sure how to remove hosts from the CA-managed security domain but
> you can show the hosts it knows about with pki securitydomain-show to
> confirm that this is where it is finding the old one.
>
> This check is provided by dogtag and executed within ipa-healthcheck.
> Can you open a ticket on it at https://github.com/dogtagpki/pki/
>
> rob
>
https://github.com/dogtagpki/pki/issues/3552
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
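The thread boils down to a reconciliation problem: FreeIPA's own list of servers (ipa-replica-manage / ipa-csreplica-manage) no longer contains the removed replica, but the Dogtag CA security domain still does, and that is what the healthcheck clone-connectivity probe reads. The script below is an added example written for this page; it is not code from the thread, from FreeIPA or from Dogtag. It parses the output of `ipa server-find` and `pki securitydomain-show`, reports every security-domain Host ID whose hostname is not an IPA server any more, and prints (without running) the `pki securitydomain-host-del` command Florence mentions for each stale entry. The output formats it parses ("Server name:" lines from ipa server-find, "Host ID: <SUBSYSTEM> <fqdn> <port>" lines from securitydomain-show), the assumption that securitydomain-host-del takes that Host ID string, the admin certificate nickname "PKI Administrator", and the hostnames iparep1/iparep2.ghs.nl in the sample data are all assumptions; the sample outputs are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or Dogtag): find hosts that the
# CA security domain still lists but FreeIPA no longer knows about, and print
# the clean-up commands for review. Nothing is deleted by this script.
#
# Assumed output formats (check them against your own servers first):
#   ipa server-find           -> one "  Server name: <fqdn>" line per server
#   pki securitydomain-show   -> one "    Host ID: <SUBSYSTEM> <fqdn> <port>" line
#                                per registered subsystem instance
#   pki securitydomain-host-del is assumed to take that Host ID string.

ipa_server_names() {
    # $1: text of `ipa server-find` output; prints one FQDN per line
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Server name:[[:space:]]*//p'
}

sd_host_ids() {
    # $1: text of `pki securitydomain-show` output; prints one Host ID per line
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Host ID:[[:space:]]*//p'
}

stale_host_ids() {
    # $1: ipa server-find output, $2: pki securitydomain-show output
    # Prints the Host IDs whose hostname (second field) is not an IPA server.
    _names=$(ipa_server_names "$1")
    sd_host_ids "$2" | while IFS= read -r _id; do
        _host=$(printf '%s\n' "$_id" | awk '{ print $2 }')
        _found=0
        for _n in $_names; do
            if [ "$_n" = "$_host" ]; then _found=1; fi
        done
        if [ "$_found" -eq 0 ]; then printf '%s\n' "$_id"; fi
    done
}

cleanup_commands() {
    # Same inputs as stale_host_ids; emits one pki command per stale entry.
    # "PKI Administrator" is an assumed nickname for the CA admin certificate.
    stale_host_ids "$1" "$2" | while IFS= read -r _id; do
        printf "pki -n 'PKI Administrator' securitydomain-host-del '%s'\n" "$_id"
    done
}

# Constructed sample: FreeIPA knows two servers (hostnames assumed) ...
IPA_SAMPLE='----------------------
2 IPA servers matched
----------------------
  Server name: iparep1.ghs.nl
  Managed suffixes: domain, ca
  Server name: iparep2.ghs.nl
  Managed suffixes: domain, ca
----------------------------
Number of entries returned 2
----------------------------'

# ... while the CA security domain still carries the removed replica.
SD_SAMPLE='  Domain: IPA

  CA Subsystem:

    Host ID: CA iparep1.ghs.nl 443
    Hostname: iparep1.ghs.nl
    Port: 80
    Secure Port: 443
    Domain Manager: TRUE

    Host ID: CA iparep2.ghs.nl 443
    Hostname: iparep2.ghs.nl
    Port: 80
    Secure Port: 443
    Domain Manager: TRUE

    Host ID: CA iparep3.ghs.nl 443
    Hostname: iparep3.ghs.nl
    Port: 80
    Secure Port: 443
    Domain Manager: FALSE'

if [ "${1:-}" = "--demo" ]; then
    # Live use: ipa_out=$(ipa server-find); sd_out=$(pki securitydomain-show)
    # then cleanup_commands "$ipa_out" "$sd_out" and review before running.
    cleanup_commands "$IPA_SAMPLE" "$SD_SAMPLE"
fi
```

Run with `--demo` to see the single command for iparep3.ghs.nl; on a real server substitute the live command outputs. Keeping the deletion as printed text rather than executing it is deliberate: a host that is genuinely still a CA clone but temporarily missing from `ipa server-find` output would otherwise be unregistered from the security domain by accident.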