Bug 1985072

Summary: Cannot remove First master server with KRA after the server hard disk failed (destructed)
Product: Red Hat Enterprise Linux 9
Reporter: Rob Crittenden <rcritten>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED CURRENTRELEASE
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Priority: unspecified
Version: 9.0
CC: frenaud, ipa-qe, ksiddiqu, rcritten, tscherf
Target Milestone: beta
Keywords: TestCaseProvided, Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-4.9.6-4.el9
Doc Type: If docs needed, set a value
Story Points: ---
Clone Of: 1985069
Last Closed: 2021-12-07 21:33:05 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1985069

Description Rob Crittenden 2021-07-22 18:46:02 UTC
+++ This bug was initially created as a clone of Bug #1985069 +++

This bug is created as a clone of upstream ticket:
https://pagure.io/freeipa/issue/8397

### Request for enhancement
As an admin, I want to remove the first master server with KRA installed to complete the failover to the new master.

### Issue
Recently, the hard disk drive on the first master failed (not recoverable). I was able to switch CA renewal to a new replica master server. While trying to remove the old master from the replication topology, I encountered the following error:

 root@tobor-new:280 # ipa-replica-manage del first-master.sample.com -v --force
ipa: WARNING: Lookup failed: Preferred host new-master.sample.com does not provide KRA.
ipa: INFO: Starting new HTTPS connection (1): first-master.sample.com
ipa: INFO: Starting new HTTPS connection (2): first-master.sample.com
('Connection aborted.', error(111, 'Connection refused'))

This error prevents me from removing first-master.sample.com and also causes new replication to fail while trying to search DNS from the first-master.sample.com DNS server.

Is anyone aware of this issue?



#### Steps to Reproduce
1. Installed IPA server with KRA on first master
2. Create a replica of the First master instance
3. Poweroff first master. 
4. Promote replica master to CA renewal and cert generation. 
5. Try to remove first master 

#### Actual behavior
Error trying to remove first master. 
root@new-master:381 # ipa server-del first-master.sample.com --ignore-last-of-role --force
Removing first-master.sample.com from replication topology, please wait...
ipa: ERROR: an internal error has occurred

 root@first-master:280 # ipa-replica-manage del first-master.sample.com -v --force
ipa: WARNING: Lookup failed: Preferred host new-master.sample.com does not provide KRA.
ipa: INFO: Starting new HTTPS connection (1): first-master.sample.com
ipa: INFO: Starting new HTTPS connection (2): first-master.sample.com
('Connection aborted.', error(111, 'Connection refused'))

#### Expected behavior
(what do you expect to happen)

#### Version/Release/Distribution
   $ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server

#### Additional info:
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.6.6-11.el7.centos.x86_64
ipa-client-4.6.6-11.el7.centos.x86_64
389-ds-base-1.3.10.1-5.el7.x86_64
pki-ca-10.5.17-6.el7.noarch
krb5-server-1.15.1-46.el7.x86_64

Domain level
-----------------------
Current domain level: 1
-----------------------



Log file locations: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/config-files-logs.html
Troubleshooting guide: https://www.freeipa.org/page/Troubleshooting

--- Additional comment from Rob Crittenden on 2021-07-22 18:45:11 UTC ---

Upstream PR https://github.com/freeipa/freeipa/pull/5908

Comment 6 Kaleem 2021-07-29 14:07:11 UTC
Test (test_removal_of_server_raises_error_about_last_kra) is executed and successful in nightly compose (RHEL-9.0.0-20210728.4). Based on this info, moving it to verified.

Snip from automation log files:

(1) test-result.txt.gz

============================= test session starts ==============================
platform linux -- Python 3.9.6, pytest-6.2.2, py-1.10.0, pluggy-0.13.1 -- /usr/bin/python3
...
collecting ... collected 16 items

test_integration/test_server_del.py::TestLastServices::test_removal_of_server_raises_error_about_last_kra PASSED [ 93%]


(2) runner.log 

2021-07-29T12:06:28+0000 ok: [master.testrelm.test] => (item=ipa-server) => 
2021-07-29T12:06:28+0000   msg:
2021-07-29T12:06:28+0000   - arch: x86_64
2021-07-29T12:06:28+0000     epoch: null
2021-07-29T12:06:28+0000     name: ipa-server
2021-07-29T12:06:28+0000     release: 4.el9
2021-07-29T12:06:28+0000     source: rpm
2021-07-29T12:06:28+0000     version: 4.9.6

Comment 8 Rob Crittenden 2021-11-22 19:39:46 UTC
Additional change

Fixed upstream
master:
https://pagure.io/freeipa/c/3bcbc869f6e1cce441294b98d4fa3688f5917042

Comment 9 Florence Blanc-Renaud 2021-11-23 09:24:57 UTC
Additional change
ipa-4-9:
https://pagure.io/freeipa/c/1c66226e83bb8797122d3925b555516201edb8bd