Bug 1328549

Summary: "ipa-kra-install" command reports incorrect message when it is executed on server already installed with KRA.
Product: Red Hat Enterprise Linux 7 Reporter: Nikhil Dehadrai <ndehadra>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Kaleem <ksiddiqu>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.2CC: pvoborni, rcritten
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.4.0-0.el7.1.alpha1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-04 05:53:16 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Nikhil Dehadrai 2016-04-19 15:54:22 UTC 
Description of problem:
"ipa-kra-install" command reports incorrect message when it is executed on server already installed with KRA.

Version-Release number of selected component (if applicable):
ipa-server-4.2.0-15.el7_2.15.x86_64
pki-server-10.2.5-6.el7.noarch
pki-kra-10.2.5-6.el7.noarch


How reproducible:
Always

Steps to Reproduce:
1. Setup IPA server with 7.2 up4 (ipa-server-4.2.0-15.el7_2.15.x86_64)
2. Use command to install ipa server: 
#ipa-server-install --ip-address <IP addr> -r <realm> -p <directory manager password> -a <admin password> --forwarder <ip address> -U --setup-dns
3. Now install KRA
# ipa-kra-install -p <password> -U
4. Now again try to insta KRA:
# ipa-kra-install -p <password> -U

Actual results:
1. After step4, KRA is installed successfully.
Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes 6 seconds
  [1/8]: configuring KRA instance
  [2/8]: create KRA agent
  [3/8]: restarting KRA
  [4/8]: configure certmonger for renewals
  [5/8]: configure certificate renewals
  [6/8]: configure HTTP to proxy connections
  [7/8]: add vault container
  [8/8]: apply LDAP updates
Done configuring KRA server (pki-tomcatd).
Restarting the directory server
The ipa-kra-install command was successful
2. After step4, Following message is received:
Usage: ipa-kra-install [options] [replica_file]
ipa-kra-install: error: A replica file is required.


Expected results:
A proper error message suggesting KRA is already installed should be displayed.

Additional info:
When KRA is uninstalled, this behavior is not observed.
# ipa-kra-install -p <password> --uninstall
Configuring certmonger to stop tracking system certificates for KRA
Unconfiguring KRA
The ipa-kra-install command was successful
# ipa-kra-install -p <password> --uninstall
Usage: ipa-kra-install [options] [replica_file]
ipa-kra-install: error: Cannot uninstall.  There is no KRA installed on this system.
Comment 2 Petr Vobornik 2016-04-28 13:15:29 UTC 
Fixed upstream. Not sure in what ticket, could be one of:

https://fedorahosted.org/freeipa/ticket/3872
https://fedorahosted.org/freeipa/ticket/4468
https://fedorahosted.org/freeipa/ticket/5197

alich: tested on F23, the issue has been fixed - test PASSED

4.3.90.201604181305GIT2a20c74, API_VERSION: 2.164
pki-server-10.2.6-14.fc23.noarch
pki-kra-10.2.6-14.fc23.noarch
Comment 4 Nikhil Dehadrai 2016-09-13 10:26:47 UTC 
IPA -server version: ipa-server-4.4.0-11.el7.x86_64

Verified the bug on the basis of below points:
1. Verified that ipa-kra-install -p <password> -U is successfully installed on latest version of ipa-server.
2. Verified that when the same command (ipa-kra-install -p <password> -U) is re-run, following valid message is displayed:

# ipa-kra-install -p Secret123 -U
KRA already installed
The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information

3. Also proper logs are captured within /var/log/ipaserver-kra-install.log:
# tail -f /var/log/ipaserver-kra-install.log
2016-09-13T10:20:43Z DEBUG IPA version 4.4.0-11.el7
2016-09-13T10:20:43Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-09-13T10:20:43Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_kra_install.py", line 164, in run
    raise admintool.ScriptError("KRA already installed")

2016-09-13T10:20:43Z DEBUG The ipa-kra-install command failed, exception: ScriptError: KRA already installed
2016-09-13T10:20:43Z ERROR KRA already installed
2016-09-13T10:20:43Z ERROR The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information

4. Also correct behavior is observed when ipa-kra-install -p <password> -U --uninstall' is run:
# ipa-kra-install -p Secret123 -U --uninstall
Configuring certmonger to stop tracking system certificates for KRA
Unconfiguring KRA
The ipa-kra-install command was successful

# ipa-kra-install -p Secret123 -U --uninstall
Usage: ipa-kra-install [options] [replica_file]

ipa-kra-install: error: Cannot uninstall.  There is no KRA installed on this system.
The ipa-kra-install command failed. See /var/log/ipaserver-kra-uninstall.log for more information

Thus on the basis of above observations marking status of bug to "VERIFIED".
Comment 6 errata-xmlrpc 2016-11-04 05:53:16 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html