Bug 1302127

PKI #1704 fixes the problem, To reproduce the issue you need a version of PKI without the fix and a recent version of mod_nss (mod_nss >= 1.0.12 on Fedora 23).

1) Install FreeIPA with CA:

# ipa-server-install

2) Get LDAPI URI from FreeIPA's config file and retrieve KRA list from LDAP:

# export LDAP_URI=$(grep ^ldap_uri /etc/ipa/default.conf | awk -F= '{print $2}')
# echo $LDAP_URI 
ldapi://%2fvar%2frun%2fslapd-IPA-EXAMPLE.socket

# ldapsearch -LLL -Q -H $LDAP_URI -b "cn=KRAList,ou=Security Domain,o=ipaca" "(objectClass=top)" dn SubsystemName
dn: cn=KRAList,ou=Security Domain,o=ipaca

Your LDAPI uri may look differently. Please note that ldapsearch only returns one DN.

3) Install KRA:

# ipa-kra-install

4) Verify installation:

# ldapsearch -LLL -Q -H $LDAP_URI -b "cn=KRAList,ou=Security Domain,o=ipaca" "(objectClass=top)" dn SubsystemName
dn: cn=KRAList,ou=Security Domain,o=ipaca

dn: cn=vm-058-084.abc.idm.lab.eng.brq.redhat.com:443,cn=KRAList,ou=Security Do
 main,o=ipaca
SubsystemName: KRA vm-058-084.abc.idm.lab.eng.brq.redhat.com 8443

Now ldapsearch returns two DNs. The second DN is the KRA instance you have just installed.

5) Uninstall KRA:

# ipa-kra-install --uninstall

6) Verify uninstallation:

# ldapsearch -LLL -Q -H $LDAP_URI -b "cn=KRAList,ou=Security Domain,o=ipaca" "(objectClass=top)" dn SubsystemName
dn: cn=KRAList,ou=Security Domain,o=ipaca

On a system with a fixed sslget command, you will get just one DN. A broken system will still show two DNs like in 4).

7) Check unstallation log for errors:

# less /var/log/pki/pki-kra-destroy.CURRENT_DATE_AND_TIME.log

Look for 'sslget'. The output of 'sslget' should contain "HTTP/1.1 200 OK" and the line 

<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>0</Status></XMLResponse>

followed by

updateDomainXML SUCCESSFULLY deleted this 'KRA' entry from security domain 'IPA'

On a broken system you should see entries similar to https://fedorahosted.org/pki/ticket/1704#comment:4.

8) Try to install KRA again:

# ipa-kra-install

This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions

FYI, I ran a quick check with ipa-kra-install --uninstall and it looks good:

[root@replica ~]# ipa-kra-install --uninstall 
Configuring certmonger to stop tracking system certificates for KRA
Unconfiguring KRA
The ipa-kra-install command was successful

[root@replica ~]# ldapsearch -LLL -Q -H ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket -b "cn=KRAList,ou=Security Domain,o=ipaca" "(objectClass=top)" dn SubsystemName
dn: cn=KRAList,ou=Security Domain,o=ipaca

[root@replica ~]# 

[root@master ~]# ldapsearch -LLL -Q -H ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket -b "cn=KRAList,ou=Security Domain,o=ipaca" "(objectClass=top)" dn SubsystemName
dn: cn=KRAList,ou=Security Domain,o=ipaca

[root@master ~]#

[root@auto-hv-02-guest05 ~]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.3.3
Release     : 8.el7
Architecture: noarch
Install Date: Sun 04 Sep 2016 05:27:32 PM EDT
Group       : System Environment/Daemons
Size        : 2430595
License     : GPLv2
Signature   : (none)
Source RPM  : pki-core-10.3.3-8.el7.src.rpm
Build Date  : Tue 30 Aug 2016 03:23:27 PM EDT
Build Host  : ppc-015.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority

Executed the steps in comment 3 successfully.

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2396.html