Kathy Zhu via FreeIPA-users wrote:
> Hi Team, 
> 
> 
> We are migrating from CentOS 7 IPA to Red Hat 8.6. After adding the
> first Red Hat master, it reported error:
> 
> 
> # ipa-healthcheck --source=pki.server.healthcheck.clones.connectivity_and_data
>
> Internal server error HTTPSConnectionPool(host='ipa4.example.com',
> port=443): Max retries exceeded with url:
> /ca/rest/certs/search?size=3 (Caused by
> NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object
> at 0x7f0611b6d5c0>: Failed to establish a new connection: [Errno -2]
> Name or service not known',))
>
> [
>   {
>     "source": "pki.server.healthcheck.clones.connectivity_and_data",
>     "check": "ClonesConnectivyAndDataCheck",
>     "result": "ERROR",
>     "uuid": "bfb9aeac-2e86-4d1d-ac2a-3cb62300527e",
>     "when": "20220711221016Z",
>     "duration": "0.768881",
>     "kw": {
>       "status": "ERROR:  pki-tomcat : Internal error testing CA clone. Host: ipa4.example.com Port: 443"
>     }
>   }
> ]
>
> #
> 
> 
> ipa4 was a master we had years ago. It did not show up as a dangling
> master in the domain. However, it remains in pki DB. How to safely clean
> it out from pki DB?

IPA wasn't cleaning up the security domain on server removal until
relatively recently.

You can find the list of servers with:

# pki securitydomain-host-find

You can remove one with:

# pki -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca' \
    -C /etc/pki/pki-tomcat/alias/pwdfile.txt \
    securitydomain-host-del 'CA ipa.example.test 443'

Be very careful as you can remove valid ones just as easily.

> Another interesting fact I like to point out - CentOS 7 ipa-healthcheck
> does not report this.

The epel-7 build of ipa-healthcheck I did was a one-off. The differences
were just too great to keep it in sync. It's an incentive to upgrade to
RHEL 8 (or 9).

rob
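
Added example, not part of the original message or of FreeIPA/Dogtag: a report-only check that lists security domain entries whose hostname is not in a list of current masters you supply, so each Host ID can be reviewed before any securitydomain-host-del. The function names and the labelled "Host ID:" / "Hostname:" output layout are assumptions, and the sample output is constructed from the two hostnames in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): report security-domain entries whose
# hostname is not in an operator-supplied list of current IPA masters.
# Report only: nothing is deleted.

# Usage: pki securitydomain-host-find | stale_sd_hosts "fqdn1 fqdn2 ..."
# Assumption: each entry is printed as labelled lines, "Host ID: ..." followed
# by "Hostname: ...". Adjust the patterns if your pki version prints otherwise.
stale_sd_hosts() {
    if [ -z "$1" ]; then
        # An empty list would flag every host, including valid ones.
        echo "refusing to run with an empty master list" >&2
        return 2
    fi
    awk -v masters="$1" '
        BEGIN {
            n = split(tolower(masters), m, /[ \t]+/)
            for (i = 1; i <= n; i++) if (m[i] != "") known[m[i]] = 1
        }
        { sub(/[ \t\r]+$/, "") }                      # trim trailing blanks/CR
        /^[ \t]*Host ID:/  { sub(/^[ \t]*Host ID:[ \t]*/, ""); id = $0; next }
        /^[ \t]*Hostname:/ {
            sub(/^[ \t]*Hostname:[ \t]*/, "")
            if (id != "" && !(tolower($0) in known)) print id
            id = ""
        }
    '
}

# Constructed sample output, using the two hostnames that appear in the thread.
sample_sd_output() {
    cat <<'EOF'
-----------------
2 entries matched
-----------------
  Host ID: CA ipa.example.test 443
  Hostname: ipa.example.test
  Secure Port: 443

  Host ID: CA ipa4.example.com 443
  Hostname: ipa4.example.com
  Secure Port: 443
EOF
}

# Only ipa.example.test is a current master here, so the ipa4 entry is reported.
sample_sd_output | stale_sd_hosts "ipa.example.test"
```

Each printed line is a Host ID string in the form that securitydomain-host-del takes; confirm it against the real topology before removing anything.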