Hi, I'm not sure the issue is really on the PKI side. On an ipa server-del call, IPA should also make sure to call something similar to pki securitydomain-host-del to make sure that the host is removed from the PKI security domain.
This was tracked in BZ 1740702 <https://bugzilla.redhat.com/show_bug.cgi?id=1740702> that was closed as Duplicate, but I believe this was a mistake (the other bug 1902173 <https://bugzilla.redhat.com/show_bug.cgi?id=1902173> was about not crashing if KRA unregistration failed).

flo

On Thu, Jun 3, 2021 at 12:16 PM Kees Bakker via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> On 01-06-2021 18:01, Rob Crittenden wrote:
> > Kees Bakker via FreeIPA-users wrote:
> >> On 29-05-2021 10:21, Alexander Bokovoy wrote:
> >>> On pe, 28 touko 2021, Kees Bakker via FreeIPA-users wrote:
> >>>> On 28-05-2021 19:32, Kees Bakker via FreeIPA-users wrote:
> >>>>> On 28-05-2021 17:22, Kees Bakker via FreeIPA-users wrote:
> >>>>>> Hi,
> >>>>>>
> >>>>>> After installing a new replica and running
> >>>>>>
> >>>>>> /usr/bin/ipa-healthcheck --source pki.server.healthcheck.clones.connectivity_and_data
> >>>>>>
> >>>>>> I'm getting this error
> >>>>>>
> >>>>>> keyctl_search: Required key not available
> >>>>>> Enter password for Internal Key Storage Token:
> >>>>>> Internal server error HTTPSConnectionPool(host='iparep3.ghs.nl', port=443): Max retries exceeded with url: /ca/rest/certs/search?size=3 (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fc473262a90>: Failed to establish a new connection: [Errno 113] No route to host',))
> >>>>>> [
> >>>>>>   {
> >>>>>>     "source": "pki.server.healthcheck.clones.connectivity_and_data",
> >>>>>>     "check": "ClonesConnectivyAndDataCheck",
> >>>>>>     "result": "ERROR",
> >>>>>>     "uuid": "c2f3ec1d-494b-4f6a-b6e3-0e38108f2005",
> >>>>>>     "when": "20210528150818Z",
> >>>>>>     "duration": "30.348789",
> >>>>>>     "kw": {
> >>>>>>       "status": "ERROR: pki-tomcat : Internal error testing CA clone. Host: iparep3.ghs.nl Port: 443"
> >>>>>>     }
> >>>>>>   }
> >>>>>> ]
> >>>>>>
> >>>>>> First, it is asking for a password, and I have no clue for what. I've tried the admin password and the Directory Manager password. It makes no difference.
> >>>>>>
> >>>>>> Second, it tries to connect to a replica that was removed several months ago. Both ipa-replica-manage list and ipa-csreplica-manage show the correct list of masters that we currently have.
> >>>>>>
> >>>>>> Where does ipa-healthcheck get the information from to query the removed replica?
> >>>>>>
> >>>>>> BTW. Two replicas run CentOS 8 Stream, and one runs CentOS 7. The first two give this healthcheck error, the centos7 master does not.
> >>>>> That last remark should be: on CentOS 7 there was no such check. So, perhaps the error is there too.
> >>>>>
> >>>>> # /usr/bin/ipa-healthcheck --source pki.server.healthcheck.clones.connectivity_and_data
> >>>>> Source 'pki.server.healthcheck.clones.connectivity_and_data' not found
> >>>> The problem seems to be that PKI has its own information about masters (and clones). In our PKI configuration there are still two hosts that were deleted from FreeIPA a long time ago. So, the ipa-replica-manage del command did not remove them from PKI??
> >>> CA replica management is done with the 'ipa-csreplica-manage' tool, not 'ipa-replica-manage'.
> >>>
> >> But I did use "ipa-csreplica-manage del" as well. However, I remember that it complained it couldn't remove that host. I was assuming it was already gone. When I list with ipa-csreplica-manage then I don't see the old hosts anymore.
> >>
> >> So, two things
> >> 1) "ipa-csreplica-manage del" somehow failed (it's probably too late to look at logs)
> >> 2) how can I still remove the old hosts?
> > I'm not sure how to remove hosts from the CA-managed security domain but you can show the hosts it knows about with pki securitydomain-show to confirm that this is where it is finding the old one.
> >
> > This check is provided by dogtag and executed within ipa-healthcheck. Can you open a ticket on it at https://github.com/dogtagpki/pki/
> >
> > rob
>
> https://github.com/dogtagpki/pki/issues/3552
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
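A cross-check a practitioner can run on the healthcheck output discussed in this thread, added here as an example and not part of the thread or of the ipa-healthcheck/pki projects: parse the JSON that ipa-healthcheck emits and flag any CA clone host the connectivity check tried to reach that is no longer in the current master list (the current master names below are constructed; the sample result is the one quoted above).

```python
import json
import re

# Constructed sample: the ipa-healthcheck result quoted in the thread above.
SAMPLE_HEALTHCHECK = json.dumps([
    {
        "source": "pki.server.healthcheck.clones.connectivity_and_data",
        "check": "ClonesConnectivyAndDataCheck",
        "result": "ERROR",
        "uuid": "c2f3ec1d-494b-4f6a-b6e3-0e38108f2005",
        "when": "20210528150818Z",
        "duration": "30.348789",
        "kw": {
            "status": "ERROR: pki-tomcat : Internal error testing CA clone. "
                      "Host: iparep3.ghs.nl Port: 443"
        },
    }
])

# Constructed: the CA masters you would get from 'ipa-csreplica-manage list'
# (hypothetical names, not from the thread).
CURRENT_CA_MASTERS = {"ipa1.example.test", "ipa2.example.test"}

CLONE_SOURCE = "pki.server.healthcheck.clones.connectivity_and_data"
# Matches the "Host: <fqdn> Port: <n>" fragment in the status string shown above.
HOST_RE = re.compile(r"Host:\s*(?P<host>[A-Za-z0-9.-]+)\s+Port:\s*(?P<port>\d+)")


def stale_clone_hosts(healthcheck_json, current_masters):
    """Return {host: port} for CA clones the check failed on that are not current masters.

    A hit means the PKI security domain still lists a host that IPA itself has
    already forgotten, which is exactly the stale-entry situation in this thread.
    """
    stale = {}
    for entry in json.loads(healthcheck_json):
        if entry.get("source") != CLONE_SOURCE or entry.get("result") != "ERROR":
            continue
        match = HOST_RE.search(entry.get("kw", {}).get("status", ""))
        if match and match.group("host") not in current_masters:
            stale[match.group("host")] = int(match.group("port"))
    return stale


if __name__ == "__main__":
    for host, port in stale_clone_hosts(SAMPLE_HEALTHCHECK, CURRENT_CA_MASTERS).items():
        print(f"stale CA clone in security domain: {host}:{port}")
```

Feed it the real output of `ipa-healthcheck --source pki.server.healthcheck.clones.connectivity_and_data --output-type json` and the hostnames from `ipa-csreplica-manage list`; any host it reports is a candidate for confirmation with `pki securitydomain-show`.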