@Florence Blanc-Renaud
I did not know about the freeipa-healthcheck tool. This is nice to have, thanks!
I've installed it on both my good machines which are running Fedora 40. I
thought it was worth looking at the health of them as in my mind these are
known goods with no issues that I know of. But the health check is showing some
issues:
- Complaining about invalid IP address which is IPv6. My network is using IPv4.
My guess would be that this error can be ignored?
- Complaining about not being able to reach machine B
(dc-b-prod-it.internal.example.com) on port 443. I am able to reach the web UI
of this machine using https on port 443 so not sure why this error is coming
up. This is possibly related to the Fedora upgrade issue I was having?
- Various warnings about configuration attributes that are not applicable for
the backend. My guess would be that these can be ignored?
- Error about replication not being in sync. It mentions the following hostname
catosg-it-prod-dc-a-euw2az1.internal.example.com. Maybe this is a display issue
but the real hostname is sg-it-prod-dc-a-euw2az1.internal.example.com i.e.
without the cato in front. This feels like an issue that needs fixing. Not sure
why they would not be in sync.
- Various warnings about URI records being missing. My servers are in AWS and I
use Route 53 as the DNS. There is no option to add URI records in AWS Route 53.
My guess would be that these can be ignored?

I could not see a way to attach a file in this forum so I'm pasting below the
output of running sudo ipa-healthcheck on machine B. Running it on A gives the
same output.
Invalid IP address fe80::4dc:36ff:fe4e:d1c5 for sg-it-prod-dc-b-euw2az2.internal.example.com.: cannot use link-local IP address fe80::4dc:36ff:fe4e:d1c5
Internal server error
HTTPSConnectionPool(host='dc-b-prod-it.internal.example.com', port=443): Max retries exceeded with url: /ca/rest/certs/search?size=3 (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f054c368050>: Failed to establish a new connection: [Errno -2] Name or service not known'))
[
{
"source": "ipahealthcheck.ds.backends",
"check": "BackendsCheck",
"result": "WARNING",
"uuid": "10a46762-ba2a-4be0-8a83-e6b14a34db19",
"when": "20250423071410Z",
"duration": "0.080989",
"kw": {
"key": "DSBLE0005",
"items": [
"nsslapd-dbcachesize",
"nsslapd-db-logdirectory",
"nsslapd-db-transaction-wait",
"nsslapd-db-checkpoint-interval",
"nsslapd-db-compactdb-interval",
"nsslapd-db-compactdb-time",
"nsslapd-db-transaction-batch-val",
"nsslapd-db-transaction-batch-min-wait",
"nsslapd-db-transaction-batch-max-wait",
"nsslapd-db-logbuf-size",
"nsslapd-db-page-size",
"nsslapd-db-locks",
"nsslapd-db-locks-monitoring-enabled",
"nsslapd-db-locks-monitoring-threshold",
"nsslapd-db-locks-monitoring-pause",
"nsslapd-db-private-import-mem",
"nsslapd-db-deadlock-policy"
],
"msg": "Found configuration attributes that are not applicable for the configured backend type."
}
},
{
"source": "ipahealthcheck.ds.backends",
"check": "BackendsCheck",
"result": "WARNING",
"uuid": "aaf8c06e-3e3c-4185-843c-bb5be435416e",
"when": "20250423071410Z",
"duration": "0.081003",
"kw": {
"key": "DSBLE0005",
"items": [
"nsslapd-dbcachesize",
"nsslapd-db-logdirectory",
"nsslapd-db-transaction-wait",
"nsslapd-db-checkpoint-interval",
"nsslapd-db-compactdb-interval",
"nsslapd-db-compactdb-time",
"nsslapd-db-transaction-batch-val",
"nsslapd-db-transaction-batch-min-wait",
"nsslapd-db-transaction-batch-max-wait",
"nsslapd-db-logbuf-size",
"nsslapd-db-page-size",
"nsslapd-db-locks",
"nsslapd-db-locks-monitoring-enabled",
"nsslapd-db-locks-monitoring-threshold",
"nsslapd-db-locks-monitoring-pause",
"nsslapd-db-private-import-mem",
"nsslapd-db-deadlock-policy"
],
"msg": "Found configuration attributes that are not applicable for the configured backend type."
}
},
{
"source": "ipahealthcheck.ds.backends",
"check": "BackendsCheck",
"result": "WARNING",
"uuid": "17175c1a-12c2-4890-9725-5988022cf414",
"when": "20250423071410Z",
"duration": "0.081005",
"kw": {
"key": "DSBLE0005",
"items": [
"nsslapd-dbcachesize",
"nsslapd-db-logdirectory",
"nsslapd-db-transaction-wait",
"nsslapd-db-checkpoint-interval",
"nsslapd-db-compactdb-interval",
"nsslapd-db-compactdb-time",
"nsslapd-db-transaction-batch-val",
"nsslapd-db-transaction-batch-min-wait",
"nsslapd-db-transaction-batch-max-wait",
"nsslapd-db-logbuf-size",
"nsslapd-db-page-size",
"nsslapd-db-locks",
"nsslapd-db-locks-monitoring-enabled",
"nsslapd-db-locks-monitoring-threshold",
"nsslapd-db-locks-monitoring-pause",
"nsslapd-db-private-import-mem",
"nsslapd-db-deadlock-policy"
],
"msg": "Found configuration attributes that are not applicable for the configured backend type."
}
},
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationCheck",
"result": "ERROR",
"uuid": "9c0b870b-688a-4468-afcd-f18f06650e41",
"when": "20250423071414Z",
"duration": "1.213910",
"kw": {
"key": "DSREPLLE0003",
"items": [
"Replication",
"Agreement"
],
"msg": "The replication agreement (catosg-it-prod-dc-a-euw2az1.internal.example.com) under \"o=ipaca\" is not in synchronization.\nStatus message: error (18) can't acquire replica (incremental update transient warning. backing off, will retry update later.)"
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "09ee1304-633c-48b3-841e-b2c3c431b2ba",
"when": "20250423071418Z",
"duration": "0.036548",
"kw": {
"msg": "Expected URI record missing",
"key": "_kerberos.internal.example.com.:krb5srv:m:tcp:sg-it-prod-dc-a-euw2az1.internal.example.com."
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "85a84e2a-ed3f-4238-ab8d-10762d81b362",
"when": "20250423071418Z",
"duration": "0.036573",
"kw": {
"msg": "Expected URI record missing",
"key": "_kerberos.internal.example.com.:krb5srv:m:udp:sg-it-prod-dc-a-euw2az1.internal.example.com."
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "87f324e1-ad3c-4284-a53e-2081e9082d7e",
"when": "20250423071418Z",
"duration": "0.036588",
"kw": {
"msg": "Expected URI record missing",
"key": "_kerberos.internal.example.com.:krb5srv:m:tcp:sg-it-prod-dc-b-euw2az2.internal.example.com."
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "9753a6c1-8d23-472d-a02b-a2a7608aaccf",
"when": "20250423071418Z",
"duration": "0.036601",
"kw": {
"msg": "Expected URI record missing",
"key": "_kerberos.internal.example.com.:krb5srv:m:udp:sg-it-prod-dc-b-euw2az2.internal.example.com."
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "9509d091-c3cb-4ea3-98b2-eca366a6d13b",
"when": "20250423071418Z",
"duration": "0.042577",
"kw": {
"msg": "Expected URI record missing",
"key": "_kpasswd.internal.example.com.:krb5srv:m:tcp:sg-it-prod-dc-a-euw2az1.internal.example.com."
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "56cb7ac2-1849-4706-b244-328b47f69d27",
"when": "20250423071418Z",
"duration": "0.042601",
"kw": {
"msg": "Expected URI record missing",
"key": "_kpasswd.internal.example.com.:krb5srv:m:udp:sg-it-prod-dc-a-euw2az1.internal.example.com."
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "c58fd746-a426-48f7-b832-700db19602ba",
"when": "20250423071418Z",
"duration": "0.042615",
"kw": {
"msg": "Expected URI record missing",
"key": "_kpasswd.internal.example.com.:krb5srv:m:tcp:sg-it-prod-dc-b-euw2az2.internal.example.com."
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "c8f5c339-a4fb-4350-b02c-3906af5753cb",
"when": "20250423071418Z",
"duration": "0.042628",
"kw": {
"msg": "Expected URI record missing",
"key": "_kpasswd.internal.example.com.:krb5srv:m:udp:sg-it-prod-dc-b-euw2az2.internal.example.com."
}
},
{
"source": "pki.server.healthcheck.clones.connectivity_and_data",
"check": "ClonesConnectivyAndDataCheck",
"result": "ERROR",
"uuid": "4d7ec689-fed8-42f2-ba8f-9e3163f69d70",
"when": "20250423071425Z",
"duration": "0.127883",
"kw": {
"status": "ERROR: pki-tomcat : Internal error testing CA clone. Host: dc-b-prod-it.internal.example.com Port: 443"
}
}
]

I've not tried the apache thing you suggested yet. It feels like just from the
health check alone there are things that need to be addressed. Any suggestions
on where to start? I'm surprised there are so many warnings and errors for a
system which I consider to be working. Happy to try other things including the
apache logs etc. I just didn't want to make this post even longer than it
already is.
Thanks
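
Added example, not part of the original post and not code from the ipa-healthcheck project: a small triage script for output pasted like the above. It skips the stderr lines that precede the JSON array, tolerates strings that a mail client hard-wrapped, folds repeated findings into one row each, and lists errors before warnings. The sample data and the names `load_findings` and `triage` are constructed for illustration.

```python
import json
from collections import Counter

SEVERITY = {"CRITICAL": 0, "ERROR": 1, "WARNING": 2, "SUCCESS": 3}

# Constructed sample in the shape of the pasted output: a stderr line, then the
# JSON array, with some "msg" strings hard-wrapped the way a mail client does it.
SAMPLE = '''Internal server error
[
{"source": "ipahealthcheck.ds.backends", "check": "BackendsCheck",
 "result": "WARNING", "kw": {"key": "DSBLE0005", "msg": "Found configuration
attributes that are not applicable for the configured backend type."}},
{"source": "ipahealthcheck.ds.backends", "check": "BackendsCheck",
 "result": "WARNING", "kw": {"key": "DSBLE0005", "msg": "Found configuration
attributes that are not applicable for the configured backend type."}},
{"source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck", "result": "WARNING",
 "kw": {"msg": "Expected URI record missing", "key": "_kerberos.example.test.:krb5srv:m:tcp:a."}},
{"source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck", "result": "WARNING",
 "kw": {"msg": "Expected URI record missing", "key": "_kerberos.example.test.:krb5srv:m:udp:a."}},
{"source": "pki.server.healthcheck.clones.connectivity_and_data", "result": "ERROR",
 "check": "ClonesConnectivyAndDataCheck", "kw": {"status": "Internal error testing CA clone."}},
{"source": "ipahealthcheck.ds.replication", "check": "ReplicationCheck",
 "result": "ERROR", "kw": {"key": "DSREPLLE0003", "msg": "not in synchronization"}}
]
'''

def load_findings(text):
    """Skip stderr lines before the array; tolerate line breaks inside strings."""
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines) if l.strip() == "["), None)
    if start is None:
        raise ValueError("no JSON array found in healthcheck output")
    return json.loads("\n".join(lines[start:]), strict=False)

def triage(findings):
    """Collapse repeated findings; return rows sorted most severe first."""
    counts = Counter()
    for f in findings:
        kw = f.get("kw", {})
        # Group on the message, not the per-record key, so the URI-record
        # warnings fold into one row.
        detail = " ".join(str(kw.get("msg") or kw.get("status") or "").split())
        counts[(f["result"], f["source"], f["check"], detail)] += 1
    rows = [key + (n,) for key, n in counts.items()]
    return sorted(rows, key=lambda r: (SEVERITY.get(r[0], 99), r[1]))

if __name__ == "__main__":
    for result, source, check, detail, n in triage(load_findings(SAMPLE)):
        print(f"{result:8} x{n} {source}.{check}: {detail}")
```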