Bug 1985069

Summary: Cannot remove First master server with KRA after the server hard disk failed (destructed)
Product: Red Hat Enterprise Linux 8
Reporter: Rob Crittenden <rcritten>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Priority: unspecified
Version: 8.4
CC: frenaud, rcritten, rjeffman, ssidhaye, sumenon, tscherf
Target Milestone: beta
Keywords: TestCaseProvided, Triaged
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-4.9.8-2.module+el8.6.0+13621+937b8cd9
Doc Type: If docs needed, set a value
Clone Of:
: 1985072
Last Closed: 2022-05-10 14:08:44 UTC
Bug Blocks: 1985072

Description Rob Crittenden 2021-07-22 18:41:08 UTC
This bug is created as a clone of upstream ticket:
https://pagure.io/freeipa/issue/8397

### Request for enhancement
As admin, I want to remove the first master server with KRA installed to complete the failover to the new master.

### Issue
Recently, the hard disk drive on the first master failed (not recoverable). I was able to switch CA renewal to a new replica master server. While trying to remove the old master from the replication topology, I encountered the following error:

 root@tobor-new:280 # ipa-replica-manage del first-master.sample.com -v --force
ipa: WARNING: Lookup failed: Preferred host new-master.sample.com does not provide KRA.
ipa: INFO: Starting new HTTPS connection (1): first-master.sample.com
ipa: INFO: Starting new HTTPS connection (2): first-master.sample.com
('Connection aborted.', error(111, 'Connection refused'))

This error prevents me from removing first-master.sample.com and is also causing new replication to fail, trying to search DNS from the first-master.sample.com DNS server.

Is anyone aware of this issue?



#### Steps to Reproduce
1. Installed IPA server with KRA on first master
2. Create a replica of the First master instance
3. Power off first master.
4. Promote replica master to CA renewal and cert generation. 
5. Try to remove first master 

#### Actual behavior
Error trying to remove first master. 
root@new-master:381 # ipa server-del first-master.sample.com --ignore-last-of-role --force
Removing first-master.sample.com from replication topology, please wait...
ipa: ERROR: an internal error has occurred

 root@first-master:280 # ipa-replica-manage del first-master.sample.com -v --force
ipa: WARNING: Lookup failed: Preferred host new-master.sample.com does not provide KRA.
ipa: INFO: Starting new HTTPS connection (1): first-master.sample.com
ipa: INFO: Starting new HTTPS connection (2): first-master.sample.com
('Connection aborted.', error(111, 'Connection refused'))

#### Expected behavior
(what do you expect to happen)

#### Version/Release/Distribution
   $ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server

#### Additional info:
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.6.6-11.el7.centos.x86_64
ipa-client-4.6.6-11.el7.centos.x86_64
389-ds-base-1.3.10.1-5.el7.x86_64
pki-ca-10.5.17-6.el7.noarch
krb5-server-1.15.1-46.el7.x86_64

Domain level
-----------------------
Current domain level: 1
-----------------------



Log file locations: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/config-files-logs.html
Troubleshooting guide: https://www.freeipa.org/page/Troubleshooting

Comment 1 Rob Crittenden 2021-07-22 18:45:11 UTC
Upstream PR https://github.com/freeipa/freeipa/pull/5908

Comment 4 Rob Crittenden 2021-11-22 19:39:58 UTC
Additional change

Fixed upstream
master:
https://pagure.io/freeipa/c/3bcbc869f6e1cce441294b98d4fa3688f5917042

Comment 5 Florence Blanc-Renaud 2021-11-23 09:24:52 UTC
Additional change
ipa-4-9:
https://pagure.io/freeipa/c/1c66226e83bb8797122d3925b555516201edb8bd

Comment 14 errata-xmlrpc 2022-05-10 14:08:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (idm:client and idm:DL1 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:1884