Problem:

The client, a company using FreeIPA for identity management, ran into errors when running the
ipa-healthcheck command. The checks reported servers that no longer existed: they had been
decommissioned as part of a recent infrastructure migration, but FreeIPA still held references to them, so ipa-healthcheck failed on every run and kept listing the old servers.

Process:

ipa-healthcheck was flagging errors that referred to two non-existent servers,
oldsrv3.my.domain.co.il and oldsrv8.my.domain.co.il.
Although both had been taken out of service during the migration, FreeIPA still held references to them, and those stale references caused the health checks to fail. The client needed the references removed and the deployment verified clean so that the errors would not recur. On receiving the request, the expert worked through the problem in the following steps.

Step 1: Assessing the Replication and Server List

The expert started by listing the FreeIPA replicas to verify which servers were still part of the
replication topology. The output of ipa-replica-manage list showed only the active servers: the
old servers had no replication agreements left, so whatever still referred to them had to be elsewhere in the FreeIPA configuration.

Step 2: Removing Old Server References

Although no replication agreements remained, the old servers were still referenced in FreeIPA's server configuration. The expert removed those references with the following commands, which take the server out of the replication configuration and also drop its leftover entries (the entry in the list of masters, its service entries and related records):

  • ipa-replica-manage del oldsrv3.my.domain.co.il
  • ipa-replica-manage del oldsrv8.my.domain.co.il

For a server that is already gone the command cannot contact the host, so it needs --force, and when the agreement itself was removed earlier, --cleanup to remove only the leftover entries. On FreeIPA 4.4 and later with domain level 1, ipa server-del does the same job through the topology plugin and is the command to prefer.

Step 3: Checking Certificates and Repositories

The expert then checked that no certificates associated with the old servers were still recorded in FreeIPA.
The following commands were used to search for certificates tied to the non-existent servers:

  • ipa cert-find --host oldsrv3.my.domain.co.il
  • ipa cert-find --host oldsrv8.my.domain.co.il

No certificates were found, indicating that none were still recorded against those hosts. Note that this search keys on the host entry; the service certificates (HTTP, LDAP, PKI) that the old servers obtained from the IPA CA are found by subject instead (ipa cert-find --subject=oldsrv3.my.domain.co.il), and any that are still valid should be revoked with ipa cert-revoke, because the private keys of a decommissioned host may survive on a backup or disk image.

Step 4: Removing Host Entries and DNS Records

The expert then removed any host entries that remained for the old servers. Using:

  • ipa host-del oldsrv3.my.domain.co.il
  • ipa host-del oldsrv8.my.domain.co.il

Both commands completed, confirming that no host entry was left for either server. The expert also checked DNS for leftover entries by running ipa dnsrecord-find domain.co.il --name=oldsrv3 and ipa dnsrecord-find domain.co.il --name=oldsrv8; neither search returned a record. Two caveats apply to this check. The --name value must be relative to the zone searched: for oldsrv3.my.domain.co.il that is oldsrv3 in zone my.domain.co.il or oldsrv3.my in zone domain.co.il, and a search with the wrong pairing returns nothing whether or not the record exists. And a search by record name does not find SRV, NS or PTR records that still point at the old server; listing the whole zone (ipa dnsrecord-find my.domain.co.il) and searching the output for the hostname does.

Step 5: Investigating PKI and LDAP Records

To make sure nothing of the decommissioned servers lingered on disk or in the directory, the expert first searched the filesystem for PKCS#12 key stores, such as copies of the CA agent credentials that are often carried along during a migration:

  • find / -name "ca-agent.p12"
  • find / -name "*.p12"

After identifying and removing the outdated files (each .p12 holds a private key, so a stale copy is a credential to delete, not just clutter), the expert checked the CA suffix of the directory for replication conflict entries (the command needs -x for a simple bind as Directory Manager):

  • ldapsearch -LLL -x -H ldaps://$(hostname) -W -D 'cn=Directory Manager' -b 'o=ipaca' '(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))'

Conflict entries related to the old servers were removed so that no trace of them remained in the directory. Before deleting a conflict entry, compare it with the entry it conflicts with (the nsds5ReplConflict value names the original DN): the conflict copy is sometimes the one that should be kept. The same search should be repeated with -b set to the domain suffix, since conflicts are not limited to o=ipaca. If ipa-healthcheck still reports the old servers after all of this, the usual leftover is a replica update vector (RUV): ipa-replica-manage list-ruv shows them, and ipa-replica-manage clean-dangling-ruv removes those belonging to servers that are no longer in the topology.

Step 6: Verifying the System Health

After performing all cleanup tasks, the expert re-ran the ipa-healthcheck command. No errors were
reported, and the health check passed successfully, indicating that the system was now free from references to non-existent servers.
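The verification that Steps 1, 4 and 5 perform, collected into one script as an added example (this is not code from the case write-up or from FreeIPA). Each check reads the output of the corresponding command on stdin, so the logic can be exercised offline against the constructed sample outputs embedded below; the extra hostnames ipa1/ipa2.my.domain.co.il, the zone my.domain.co.il, the 192.0.2.13 address and the conflict DNs are all constructed.

```shell
#!/bin/sh
# Added example, not part of the original case or of FreeIPA: scan the output of the
# commands used in the case for leftovers of decommissioned servers. Every check reads
# command output on stdin; the sample outputs at the bottom are constructed.

# Servers that were decommissioned (the two from the case).
OLD_SERVERS="oldsrv3.my.domain.co.il oldsrv8.my.domain.co.il"

# stale_replicas: read `ipa-replica-manage list` output (one "host: master" per line)
# on stdin; print each decommissioned host still listed. Exit 0 when none is listed.
stale_replicas() {
    listing=$(cat)
    rc=0
    for h in $OLD_SERVERS; do
        if printf '%s\n' "$listing" | grep -q "^$h:"; then
            printf '%s\n' "$h"
            rc=1
        fi
    done
    return $rc
}

# stale_dns ZONE: read `ipa dnsrecord-find ZONE` output on stdin and print "name: record"
# for every record set that is named after a decommissioned host (name relative to ZONE)
# or whose data mentions one (SRV, NS, CNAME, PTR targets, which a search by name misses).
stale_dns() {
    awk -v hosts="$OLD_SERVERS" -v zone="$1" '
        BEGIN {
            n = split(hosts, h, " "); suf = "." zone
            for (i = 1; i <= n; i++) {          # label relative to the zone, if inside it
                l[i] = h[i]
                if (substr(h[i], length(h[i]) - length(suf) + 1) == suf)
                    l[i] = substr(h[i], 1, length(h[i]) - length(suf))
            }
        }
        /^ *Record name: / { name = $0; sub(/^ *Record name: /, "", name); next }
        / record: / {
            rec = $0; sub(/^ */, "", rec)
            for (i = 1; i <= n; i++)
                if (name == l[i] || index(rec, h[i]) > 0) { print name ": " rec; break }
        }'
}

# stale_conflicts: read the LDIF produced by
#   ldapsearch -LLL -x -H ldaps://$(hostname) -W -D 'cn=Directory Manager' -b 'o=ipaca' \
#       '(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))'
# on stdin and print the DN of each conflict entry whose nsds5ReplConflict value names a
# decommissioned server. Other conflicts are deliberately not printed: a conflict entry
# can be the copy that should survive, so inspect it instead. Base64 DNs (dn::) are not decoded.
stale_conflicts() {
    awk -v hosts="$OLD_SERVERS" '
        function handle(line) {
            if (line ~ /^dn: /) { dn = line; sub(/^dn: /, "", dn) }
            else if (tolower(line) ~ /^nsds5replconflict: /) { c = line; sub(/^[^:]*: /, "", c) }
            else if (line == "") flush()
        }
        function flush(   i) {
            if (dn != "" && c != "")
                for (i = 1; i <= n; i++) if (index(c, h[i]) > 0) { print dn; break }
            dn = ""; c = ""
        }
        BEGIN { n = split(hosts, h, " "); have = 0 }
        /^ / { prev = prev substr($0, 2); next }   # LDIF continuation line: unfold it
        { if (have) handle(prev); prev = $0; have = 1 }
        END { if (have) handle(prev); flush() }'
}

# Constructed sample outputs for an offline run.
SAMPLE_LIST='ipa1.my.domain.co.il: master
ipa2.my.domain.co.il: master
oldsrv8.my.domain.co.il: master'

SAMPLE_ZONE='  Record name: @
  NS record: ipa1.my.domain.co.il., ipa2.my.domain.co.il.

  Record name: _ldap._tcp
  SRV record: 0 100 389 ipa1.my.domain.co.il., 0 100 389 oldsrv8.my.domain.co.il.

  Record name: oldsrv3
  A record: 192.0.2.13
----------------------------
Number of entries returned 3
----------------------------'

SAMPLE_LDIF='dn: nsuniqueid=0a1b2c3d-4e5f6071-8293a4b5-c6d7e8f9+cn=oldsrv3.my.domain.co.il,ou=
 people,o=ipaca
objectClass: ldapSubEntry
nsds5ReplConflict: namingConflict cn=oldsrv3.my.domain.co.il,ou=people,o=ipaca

dn: nsuniqueid=1b2c3d4e-5f607182-93a4b5c6-d7e8f90a+uid=pkidbuser,ou=people,o=ipaca
objectClass: ldapSubEntry
nsds5ReplConflict: namingConflict uid=pkidbuser,ou=people,o=ipaca'

# Offline demonstration: `sh stale-ipa-refs.sh demo`. On an IPA server pipe the real commands
# instead (ipa-replica-manage list | stale_replicas, and so on) and repeat the ldapsearch
# with -b set to the domain suffix (dc=my,dc=domain,dc=co,dc=il here, an assumption).
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LIST" | stale_replicas || echo "^ still listed by ipa-replica-manage"
    printf '%s\n' "$SAMPLE_ZONE" | stale_dns my.domain.co.il
    printf '%s\n' "$SAMPLE_LDIF" | stale_conflicts
fi
```

Run against the samples, stale_replicas reports oldsrv8 (still in the replica list), stale_dns reports both the SRV record that still targets oldsrv8 and the A record named oldsrv3, which the name-only search in Step 4 would miss if run against the wrong zone, and stale_conflicts prints only the conflict entry that names oldsrv3, leaving the pkidbuser conflict for manual inspection.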

Solution:

After the steps outlined above, the ipa-healthcheck errors about non-existent servers were
resolved. The FreeIPA environment no longer carried any reference to the decommissioned servers, and the health checks passed without further errors.

The client was pleased with the solution as the system was now operating without interruptions, and they no longer received errors about non-existent servers during the health check process.

Conclusion:

This case demonstrates the importance of proper cleanup and configuration management after a server migration. Decommissioning a FreeIPA server is not finished when the host is switched off: its replication agreements, server and host entries, certificates, DNS records and directory leftovers each have to be removed, and the health check is the tool that shows which of them are still there. By working through them systematically, the expert restored a clean topology and a passing ipa-healthcheck.