Please clarify which of the posted healthcheck outputs you are concerned with. Only the first one appears to be related:

    {
      "source": "pki.server.healthcheck.clones.connectivity_and_data",
      "check": "ClonesConnectivyAndDataCheck",
      "result": "ERROR",
      "uuid": "72ad2788-e0b7-4f5e-9eeb-*******",
      "when": "20210707180422Z",
      "duration": "37.131043",
      "kw": {
        "status": "ERROR: pki-tomcat : Internal error testing CA clone. Host: test1.example.com Port: 443"
      }
    },

How does this not already provide information that a host is not fully removed?

Summary about the case:

1. Command ran: ipa-healthcheck --debug --failures-only
2. DNS entry of the failed server is removed
3. ipa-healthcheck returns Internal server error:

    HTTPSConnectionPool(host='removed.example.com', port=443): Max retries exceeded with url: /ca/rest/certs/search?size=3 (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f4097949e48>: Failed to establish a new connection: [Errno -2] Name or service not known',))

4. Customer ask: If a server is removed, but for some reason it didn't remove all the pieces from IDM, then ipa-healthcheck should actually be reporting on that, instead of just failing because the method it used to determine the server list, and the one it picked, didn't remove properly.

Well, I would say ipa-healthcheck is generally right. It mentioned that it failed to establish a new connection because it is unable to find the name (from DNS). It also does not show the working servers and services because of **--failures-only**.
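
The distinction discussed in this thread (a clone that is down versus a clone whose name no longer exists in DNS) can be triaged from the healthcheck JSON itself. The script below is an added example, not part of the original thread and not ipa-healthcheck code; the function names and verdict labels are hypothetical, and the sample entry is constructed from the output quoted above with a placeholder uuid.

```python
import json
import re
import socket

# Constructed sample modelled on the entry quoted in the thread (placeholder uuid).
SAMPLE = '''[{"source": "pki.server.healthcheck.clones.connectivity_and_data",
 "check": "ClonesConnectivyAndDataCheck", "result": "ERROR",
 "uuid": "00000000-0000-0000-0000-000000000000", "when": "20210707180422Z",
 "duration": "37.131043",
 "kw": {"status": "ERROR: pki-tomcat : Internal error testing CA clone. Host: test1.example.com Port: 443"}}]'''

HOST_RE = re.compile(r"Host:\s*(\S+)\s+Port:\s*(\d+)")

def system_resolver(host):
    """Return True if the name resolves through the system resolver."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def triage_clone_errors(healthcheck_json, resolves=system_resolver):
    """Classify clone-check failures by whether the named host still resolves."""
    findings = []
    for entry in json.loads(healthcheck_json):
        if entry.get("check") != "ClonesConnectivyAndDataCheck":
            continue
        if entry.get("result") not in ("ERROR", "CRITICAL"):
            continue
        m = HOST_RE.search(entry.get("kw", {}).get("status", ""))
        if not m:
            findings.append({"host": None, "port": None, "verdict": "unparsed"})
            continue
        host, port = m.group(1), int(m.group(2))
        # Hypothetical labels: a name that no longer resolves hints at leftover server data.
        verdict = "unreachable" if resolves(host) else "stale-entry-suspected"
        findings.append({"host": host, "port": port, "verdict": verdict})
    return findings

if __name__ == "__main__":
    for finding in triage_clone_errors(SAMPLE):
        print(finding)
```

A host flagged `stale-entry-suspected` is only a candidate to compare against the deployment's server list; a missing DNS record alone does not prove leftover data.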