hi all,
our ipa-healthcheck gives some seemingly odd output:
> Internal server error HTTPSConnectionPool(host='oldm2.domain', port=443): Max
> retries exceeded with url: /ca/rest/certs/search?size=3 (Caused by
> NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at
> 0x7f32581cb748>: Failed to establish a new connection: [Errno -2] Name or
> service not known',))
> [
> {
> "source": "pki.server.healthcheck.clones.connectivity_and_data",
> "check": "ClonesConnectivyAndDataCheck",
> "result": "ERROR",
> "uuid": "c7694559-157f-42da-9722-29ab4308d8bc",
> "when": "20210601115956Z",
> "duration": "0.424097",
> "kw": {
> "status": "ERROR: pki-tomcat : Internal error testing CA clone. Host:
> oldm2.domain Port: 443"
> }
> },
googling the error itself, i find references to this being a false
positive; but looking closer (and also the initial server error) give an
actual error: they reference an old master (it's obviously not called
oldm2, so i had to read it a few times to see it was actually this old
host).
a while ago we migrated our centos7 setup (oldm1 and oldm2) to rhel82
(newm3 and newm4), by following the migration guide
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/migrate-7-to-8_migrating
i'm quite sure we followed all steps, including the final uninstall on
oldm1 and oldm2.
however, after starting to run ipa-healthcheck recently and seeing this
error, we looked for other traces of the old servers and started to
clean them up. the old hosts are no longer around, so no chance to rerun
things or check logs.
so far we removed a bunch of DNS entries where the oldm1 was still used,
but we now also have some other ones that reference oldm2: e.g. the pki
related error above, but also oldm2 is still referenced in some entries
in our dirserv dse.ldif (2 nsslapd-referral, 3 nsds50ruv and 3
nsruvReplicaLastModified). the traces are only of oldm2, not sign of
oldm1 there.
i'd appreciate some tips/guidance for removing the pki reference to
oldm2 and things we can do to cleanup the dse.ldif
many many thanks,
stijn
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
