Hi,

On Wed, Apr 23, 2025 at 10:14 AM tipex tipex via FreeIPA-users <[email protected]> wrote:

> @Florence Blanc-Renaud
>
> I did not know about the freeipa-healthcheck tool. This is nice to have,
> thanks!
> I've installed it on both my good machines which are running Fedora 40. I
> thought it was worth looking at the health of them as in my mind these are
> known goods with no issues that I know of. But the health check is showing
> some issues:
>
> - Complaining about invalid IP address which is IPv6. My network is using
> IPv4. My guess would be that this error can be ignored?

Yes, you can ignore that one about link-local IP address.

> - Complaining about not being able to reach machine B
> (dc-b-prod-it.internal.example.com) on port 443. I am able to reach the
> web UI of this machine using https on port 443 so not sure why this error
> is coming up. This is possibly related to the Fedora upgrade issue I was
> having?

The check is using the REST endpoint /ca/admin/ca/getStatus IIRC. The webui
may be accessible but this specific endpoint may be failing.

> - Various warnings about configuration attributes that are not applicable
> for the backend. My guess would be that these can be ignored?
> - Error about replication not being in sync. It mentions the following
> hostname catosg-it-prod-dc-a-euw2az1.internal.example.com. Maybe this is
> a display issue but the real hostname is
> sg-it-prod-dc-a-euw2az1.internal.example.com i.e. without the cato in
> front. This feels like an issue that needs fixing. Not sure why they would
> not be in sync.

The replication agreement name can be read as "CA to sg-it-..." (Certificate
Authority to sg-it...). It allows distinguishing the replication of the domain
suffix from the replication of the o=ipaca suffix.

> - Various warnings about URI records being missing. My servers are in AWS
> and I use Route 53 as the DNS. There is no option to add URI records in AWS
> Route 53. My guess would be that these can be ignored?

Correct DNS records are pre-requisites, please see
https://docs.redhat.com/en/documentation/Red_Hat_Enterprise_Linux/7/html/linux_domain_identity_authentication_and_policy_guide/installing-ipa#dns-reqs
but the URI records only raise warnings, not errors.

> I could not see a way to attach a file in this forum so I'm pasting below
> the output of running sudo ipa-healthcheck on machine B. Running it on A
> gives the same output.
>
> Invalid IP address fe80::4dc:36ff:fe4e:d1c5 for sg-it-prod-dc-b-euw2az2.internal.example.com.: cannot use link-local IP address fe80::4dc:36ff:fe4e:d1c5
> Internal server error HTTPSConnectionPool(host='dc-b-prod-it.internal.example.com', port=443): Max retries exceeded with url: /ca/rest/certs/search?size=3 (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f054c368050>: Failed to establish a new connection: [Errno -2] Name or service not known'))
> [
>   {
>     "source": "ipahealthcheck.ds.backends",
>     "check": "BackendsCheck",
>     "result": "WARNING",
>     "uuid": "10a46762-ba2a-4be0-8a83-e6b14a34db19",
>     "when": "20250423071410Z",
>     "duration": "0.080989",
>     "kw": {
>       "key": "DSBLE0005",
>       "items": [
>         "nsslapd-dbcachesize",
>         "nsslapd-db-logdirectory",
>         "nsslapd-db-transaction-wait",
>         "nsslapd-db-checkpoint-interval",
>         "nsslapd-db-compactdb-interval",
>         "nsslapd-db-compactdb-time",
>         "nsslapd-db-transaction-batch-val",
>         "nsslapd-db-transaction-batch-min-wait",
>         "nsslapd-db-transaction-batch-max-wait",
>         "nsslapd-db-logbuf-size",
>         "nsslapd-db-page-size",
>         "nsslapd-db-locks",
>         "nsslapd-db-locks-monitoring-enabled",
>         "nsslapd-db-locks-monitoring-threshold",
>         "nsslapd-db-locks-monitoring-pause",
>         "nsslapd-db-private-import-mem",
>         "nsslapd-db-deadlock-policy"
>       ],
>       "msg": "Found configuration attributes that are not applicable for the configured backend type."
>     }
>   },
>   {
>     "source": "ipahealthcheck.ds.backends",
>     "check": "BackendsCheck",
>     "result": "WARNING",
>     "uuid": "aaf8c06e-3e3c-4185-843c-bb5be435416e",
>     "when": "20250423071410Z",
>     "duration": "0.081003",
>     "kw": {
>       "key": "DSBLE0005",
>       "items": [
>         "nsslapd-dbcachesize",
>         "nsslapd-db-logdirectory",
>         "nsslapd-db-transaction-wait",
>         "nsslapd-db-checkpoint-interval",
>         "nsslapd-db-compactdb-interval",
>         "nsslapd-db-compactdb-time",
>         "nsslapd-db-transaction-batch-val",
>         "nsslapd-db-transaction-batch-min-wait",
>         "nsslapd-db-transaction-batch-max-wait",
>         "nsslapd-db-logbuf-size",
>         "nsslapd-db-page-size",
>         "nsslapd-db-locks",
>         "nsslapd-db-locks-monitoring-enabled",
>         "nsslapd-db-locks-monitoring-threshold",
>         "nsslapd-db-locks-monitoring-pause",
>         "nsslapd-db-private-import-mem",
>         "nsslapd-db-deadlock-policy"
>       ],
>       "msg": "Found configuration attributes that are not applicable for the configured backend type."
>     }
>   },
>   {
>     "source": "ipahealthcheck.ds.backends",
>     "check": "BackendsCheck",
>     "result": "WARNING",
>     "uuid": "17175c1a-12c2-4890-9725-5988022cf414",
>     "when": "20250423071410Z",
>     "duration": "0.081005",
>     "kw": {
>       "key": "DSBLE0005",
>       "items": [
>         "nsslapd-dbcachesize",
>         "nsslapd-db-logdirectory",
>         "nsslapd-db-transaction-wait",
>         "nsslapd-db-checkpoint-interval",
>         "nsslapd-db-compactdb-interval",
>         "nsslapd-db-compactdb-time",
>         "nsslapd-db-transaction-batch-val",
>         "nsslapd-db-transaction-batch-min-wait",
>         "nsslapd-db-transaction-batch-max-wait",
>         "nsslapd-db-logbuf-size",
>         "nsslapd-db-page-size",
>         "nsslapd-db-locks",
>         "nsslapd-db-locks-monitoring-enabled",
>         "nsslapd-db-locks-monitoring-threshold",
>         "nsslapd-db-locks-monitoring-pause",
>         "nsslapd-db-private-import-mem",
>         "nsslapd-db-deadlock-policy"
>       ],
>       "msg": "Found configuration attributes that are not applicable for the configured backend type."
>     }
>   },
>   {
>     "source": "ipahealthcheck.ds.replication",
>     "check": "ReplicationCheck",
>     "result": "ERROR",
>     "uuid": "9c0b870b-688a-4468-afcd-f18f06650e41",
>     "when": "20250423071414Z",
>     "duration": "1.213910",
>     "kw": {
>       "key": "DSREPLLE0003",
>       "items": [
>         "Replication",
>         "Agreement"
>       ],
>       "msg": "The replication agreement (catosg-it-prod-dc-a-euw2az1.internal.example.com) under \"o=ipaca\" is not in synchronization.\nStatus message: error (18) can't acquire replica (incremental update transient warning. backing off, will retry update later.)"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.idns",
>     "check": "IPADNSSystemRecordsCheck",
>     "result": "WARNING",
>     "uuid": "09ee1304-633c-48b3-841e-b2c3c431b2ba",
>     "when": "20250423071418Z",
>     "duration": "0.036548",
>     "kw": {
>       "msg": "Expected URI record missing",
>       "key": "_kerberos.internal.example.com.:krb5srv:m:tcp:sg-it-prod-dc-a-euw2az1.internal.example.com."
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.idns",
>     "check": "IPADNSSystemRecordsCheck",
>     "result": "WARNING",
>     "uuid": "85a84e2a-ed3f-4238-ab8d-10762d81b362",
>     "when": "20250423071418Z",
>     "duration": "0.036573",
>     "kw": {
>       "msg": "Expected URI record missing",
>       "key": "_kerberos.internal.example.com.:krb5srv:m:udp:sg-it-prod-dc-a-euw2az1.internal.example.com."
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.idns",
>     "check": "IPADNSSystemRecordsCheck",
>     "result": "WARNING",
>     "uuid": "87f324e1-ad3c-4284-a53e-2081e9082d7e",
>     "when": "20250423071418Z",
>     "duration": "0.036588",
>     "kw": {
>       "msg": "Expected URI record missing",
>       "key": "_kerberos.internal.example.com.:krb5srv:m:tcp:sg-it-prod-dc-b-euw2az2.internal.example.com."
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.idns",
>     "check": "IPADNSSystemRecordsCheck",
>     "result": "WARNING",
>     "uuid": "9753a6c1-8d23-472d-a02b-a2a7608aaccf",
>     "when": "20250423071418Z",
>     "duration": "0.036601",
>     "kw": {
>       "msg": "Expected URI record missing",
>       "key": "_kerberos.internal.example.com.:krb5srv:m:udp:sg-it-prod-dc-b-euw2az2.internal.example.com."
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.idns",
>     "check": "IPADNSSystemRecordsCheck",
>     "result": "WARNING",
>     "uuid": "9509d091-c3cb-4ea3-98b2-eca366a6d13b",
>     "when": "20250423071418Z",
>     "duration": "0.042577",
>     "kw": {
>       "msg": "Expected URI record missing",
>       "key": "_kpasswd.internal.example.com.:krb5srv:m:tcp:sg-it-prod-dc-a-euw2az1.internal.example.com."
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.idns",
>     "check": "IPADNSSystemRecordsCheck",
>     "result": "WARNING",
>     "uuid": "56cb7ac2-1849-4706-b244-328b47f69d27",
>     "when": "20250423071418Z",
>     "duration": "0.042601",
>     "kw": {
>       "msg": "Expected URI record missing",
>       "key": "_kpasswd.internal.example.com.:krb5srv:m:udp:sg-it-prod-dc-a-euw2az1.internal.example.com."
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.idns",
>     "check": "IPADNSSystemRecordsCheck",
>     "result": "WARNING",
>     "uuid": "c58fd746-a426-48f7-b832-700db19602ba",
>     "when": "20250423071418Z",
>     "duration": "0.042615",
>     "kw": {
>       "msg": "Expected URI record missing",
>       "key": "_kpasswd.internal.example.com.:krb5srv:m:tcp:sg-it-prod-dc-b-euw2az2.internal.example.com."
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.idns",
>     "check": "IPADNSSystemRecordsCheck",
>     "result": "WARNING",
>     "uuid": "c8f5c339-a4fb-4350-b02c-3906af5753cb",
>     "when": "20250423071418Z",
>     "duration": "0.042628",
>     "kw": {
>       "msg": "Expected URI record missing",
>       "key": "_kpasswd.internal.example.com.:krb5srv:m:udp:sg-it-prod-dc-b-euw2az2.internal.example.com."
>     }
>   },
>   {
>     "source": "pki.server.healthcheck.clones.connectivity_and_data",
>     "check": "ClonesConnectivyAndDataCheck",
>     "result": "ERROR",
>     "uuid": "4d7ec689-fed8-42f2-ba8f-9e3163f69d70",
>     "when": "20250423071425Z",
>     "duration": "0.127883",
>     "kw": {
>       "status": "ERROR: pki-tomcat : Internal error testing CA clone. Host: dc-b-prod-it.internal.example.com Port: 443"
>     }
>   }
> ]
>
> I've not tried the apache thing you suggested yet. It feels like just from
> the health check alone there are things that need to be addressed. Any
> suggestions on where to start? I'm surprised there are so many warnings and
> errors for a system which I consider to be working. Happy to try other
> things including the apache logs etc. I just didn't want to make this post
> even longer than it already is.

IMO the only area of concern is the ClonesConnectivityAnDataCheck error and it
fits well with the apache configuration issue reported at
https://bugzilla.redhat.com/show_bug.cgi?id=2350322
Try to follow the steps from comment 3.

flo

> Thanks
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
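The thread's triage of this output boils down to a few rules: link-local IPv6 notices and the DSBLE0005 backend-attribute warnings can be ignored, missing URI records are warnings only, the "cato..." agreement name is "CA to <peer>" rather than a mangled hostname, and the urllib3 failure before the JSON array (Errno -2, "Name or service not known") is a name-resolution failure for the CA peer, which lines up with the ClonesConnectivyAndDataCheck error. The script below is an added example that applies those rules to ipa-healthcheck output; it is not code from the FreeIPA project or from anyone in the thread. It assumes the output shape shown above (optional free-text lines, then a JSON array of result objects). SAMPLE_OUTPUT is constructed to mirror the thread's output, with placeholder UUIDs and shortened hostnames.

```python
"""Triage helper for ipa-healthcheck output (added example, not FreeIPA code)."""
import json
import re

# Findings the thread treated as ignorable on this deployment.
BENIGN_KEYS = {"DSBLE0005"}  # attributes not applicable to the configured backend
BENIGN_MSG_PREFIXES = ("Expected URI record missing",)  # Route 53 cannot host URI records
LINK_LOCAL_RE = re.compile(r"cannot use link-local IP address")
# host, port and errno of the urllib3 failure printed before the JSON array
HTTP_ERR_RE = re.compile(
    r"HTTPSConnectionPool\(host='(?P<host>[^']+)', port=(?P<port>\d+)\)"
    r".*?\[Errno (?P<errno>-?\d+)\] (?P<reason>[^')]+)"
)
AGREEMENT_RE = re.compile(r"replication agreement \(([^)]+)\)")

# Constructed sample modelled on the thread's output; UUIDs are placeholders.
SAMPLE_OUTPUT = r'''Invalid IP address fe80::1 for host-b.internal.example.com.: cannot use link-local IP address fe80::1
Internal server error HTTPSConnectionPool(host='dc-b-prod-it.internal.example.com', port=443): Max retries exceeded with url: /ca/rest/certs/search?size=3 (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f>: Failed to establish a new connection: [Errno -2] Name or service not known'))
[
  {"source": "ipahealthcheck.ds.backends", "check": "BackendsCheck", "result": "WARNING",
   "uuid": "00000000-0000-0000-0000-000000000001", "when": "20250423071410Z", "duration": "0.08",
   "kw": {"key": "DSBLE0005", "items": ["nsslapd-dbcachesize"],
          "msg": "Found configuration attributes that are not applicable for the configured backend type."}},
  {"source": "ipahealthcheck.ds.replication", "check": "ReplicationCheck", "result": "ERROR",
   "uuid": "00000000-0000-0000-0000-000000000002", "when": "20250423071414Z", "duration": "1.2",
   "kw": {"key": "DSREPLLE0003", "items": ["Replication", "Agreement"],
          "msg": "The replication agreement (catosg-it-prod-dc-a-euw2az1.internal.example.com) under \"o=ipaca\" is not in synchronization.\nStatus message: error (18) can't acquire replica"}},
  {"source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck", "result": "WARNING",
   "uuid": "00000000-0000-0000-0000-000000000003", "when": "20250423071418Z", "duration": "0.03",
   "kw": {"msg": "Expected URI record missing", "key": "_kerberos.internal.example.com.:krb5srv:m:tcp:host-a.internal.example.com."}},
  {"source": "pki.server.healthcheck.clones.connectivity_and_data", "check": "ClonesConnectivyAndDataCheck", "result": "ERROR",
   "uuid": "00000000-0000-0000-0000-000000000004", "when": "20250423071425Z", "duration": "0.12",
   "kw": {"status": "ERROR: pki-tomcat : Internal error testing CA clone. Host: dc-b-prod-it.internal.example.com Port: 443"}}
]
'''


def split_output(text):
    """Separate the leading free-text lines from the JSON array that follows them."""
    stripped = text.lstrip()
    if stripped.startswith("["):
        return [], json.loads(stripped)
    idx = text.find("\n[")
    if idx == -1:
        raise ValueError("no JSON array found in healthcheck output")
    header = [line for line in text[:idx].splitlines() if line.strip()]
    return header, json.loads(text[idx + 1:])


def explain_header(lines):
    """Classify the free-text lines. Errno -2 from getaddrinfo means the CA peer's
    hostname did not resolve on this host, which is a DNS problem, not a TLS one."""
    findings = []
    for line in lines:
        m = HTTP_ERR_RE.search(line)
        if m:
            kind = "dns-resolution" if m.group("errno") == "-2" else "connect"
            findings.append({"severity": "ERROR", "kind": kind, "host": m.group("host"),
                             "port": int(m.group("port")), "detail": m.group("reason").strip()})
        elif LINK_LOCAL_RE.search(line):
            findings.append({"severity": "INFO", "kind": "link-local-ipv6", "detail": line})
        else:
            findings.append({"severity": "WARNING", "kind": "unparsed", "detail": line})
    return findings


def agreement_peer(name):
    """o=ipaca agreements are named 'cato<peer>' ("CA to <peer>"); return the peer host."""
    return name[len("cato"):] if name.startswith("cato") else name


def is_benign(result):
    """True for results the thread said can be ignored (or that are not warnings/errors)."""
    kw = result.get("kw", {})
    if result.get("result") not in ("WARNING", "ERROR"):
        return True
    if kw.get("key") in BENIGN_KEYS:
        return True
    return any(kw.get("msg", "").startswith(p) for p in BENIGN_MSG_PREFIXES)


def summarize(result):
    """One line per result that still needs attention, with the agreement name decoded."""
    kw = result.get("kw", {})
    if kw.get("key") == "DSREPLLE0003":
        m = AGREEMENT_RE.search(kw.get("msg", ""))
        peer = agreement_peer(m.group(1)) if m else "?"
        return f"{result['result']} {result['check']}: o=ipaca agreement with {peer} not in sync"
    return f"{result['result']} {result['check']}: {kw.get('msg') or kw.get('status', '')}"


def triage(text):
    """Parse healthcheck output and split results into actionable and benign sets."""
    header, results = split_output(text)
    needs_attention, benign = [], []
    for r in results:
        (benign if is_benign(r) else needs_attention).append(r)
    return {"header": explain_header(header), "needs_attention": needs_attention, "benign": benign}


if __name__ == "__main__":
    report = triage(SAMPLE_OUTPUT)
    for f in report["header"]:
        print(f"{f['severity']} [{f['kind']}] {f.get('host', '')} {f['detail']}")
    for r in report["needs_attention"]:
        print(summarize(r))
    print(f"{len(report['benign'])} result(s) set aside as benign")
```

Run it against real output with `sudo ipa-healthcheck --output-type json > out.json` and `triage(open("out.json").read())`; the benign lists are deployment-specific, so keep them in a reviewed allow-list rather than silencing whole checks.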
