Bug 2214933

Summary: Uninstalling of the IPA server is encountering a failure during the unconfiguration of the CA (Unconfiguring CA)
Product: Red Hat Enterprise Linux 9 Reporter: Varun Mylaraiah <mvarun>
Component: ipaAssignee: Florence Blanc-Renaud <frenaud>
Status: CLOSED ERRATA QA Contact: ipa-qe
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.3CC: amore, gkaihoro, rcritten, tscherf, twoerner
Target Milestone: rcKeywords: Regression, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.10.2-2.el9 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-11-07 08:34:14 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Deadline: 2023-07-03   

Description Varun Mylaraiah 2023-06-14 06:52:10 UTC
Created attachment 1970814 [details]
uninstall log

Description of problem:
Uninstalling of the IPA server is encountering a failure during the unconfiguration of the CA (Unconfiguring CA)

Version-Release number of selected component (if applicable):
# rpm -qa ipa-server*
ipa-server-common-4.10.2-1.el9.noarch
ipa-server-4.10.2-1.el9.x86_64
ipa-server-dns-4.10.2-1.el9.noarch

# rpm -qa idm-pki-*
idm-pki-base-11.4.2-1.el9.noarch
idm-pki-java-11.4.2-1.el9.noarch
idm-pki-tools-11.4.2-1.el9.x86_64
idm-pki-server-11.4.2-1.el9.noarch
idm-pki-acme-11.4.2-1.el9.noarch
idm-pki-ca-11.4.2-1.el9.noarch
idm-pki-kra-11.4.2-1.el9.noarch

How reproducible:
100%

Steps to Reproduce:
1. install ipa server 
#ipa-server-install --setup-dns --forwarder=10.11.5.19 --hostname=master.ipadomain.test -r IPADOMAIN.TEST -n ipadomain.test --ip-address=<ipaddress> -p <xxxpasswordxxxx> -a <xxxpasswordxxxx> -U

2. uninstall ipa server 
#ipa server-install --uninstall -U


Console output:
#ipa-server-install --setup-dns --forwarder=10.11.5.19 --hostname=master.ipadomain.test -r IPADOMAIN.TEST -n ipadomain.test --ip-address=<ipaddress> -p <xxxpasswordxxxx> -a <xxxpasswordxxxx> -U

This step may take considerable amount of time, please wait..
Done.
Configuring client side components
This program will set up IPA client.
Version 4.10.2

Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: master.ipadomain.test
Realm: IPADOMAIN.TEST
DNS Domain: ipadomain.test
IPA Server: master.ipadomain.test
BaseDN: dc=ipadomain,dc=test

Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring ipadomain.test as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful




# ipa-server-install --uninstall -U
Updating DNS system records
Invalid IP address fe80::f816:3eff:fe21:ea4d for master.ipadomain.test.: cannot use link-local IP address fe80::f816:3eff:fe21:ea4d
Forcing removal of master.ipadomain.test
------------------------------------------
Deleted IPA server "master.ipadomain.test"
------------------------------------------
Shutting down all IPA services
Unconfiguring CA
failed to uninstall CA instance CalledProcessError(Command ['/usr/sbin/pkidestroy', '-i', 'pki-tomcat', '-s', 'CA', '--log-file', '/var/log/pki/pki-ca-destroy.20230614020451.log'] returned non-zero exit status 1: 'SSLSocketException: Unable to connect: (-5961) TCP connection reset by peer.\nERROR: Unable to remove CA from security domain\nERROR: To remove manually:\nERROR: $ pki -U https://master.ipadomain.test:8443 -n <admin> securitydomain-host-del "CA master.ipadomain.test 443"\nERROR: Command \'[\'pki\', \'-d\', \'/etc/pki/pki-tomcat/alias\', \'-f\', \'/etc/pki/pki-tomcat/password.conf\', \'-n\', \'subsystemCert cert-pki-ca\', \'-U\', \'https://master.ipadomain.test:8443\', \'--ignore-banner\', \'securitydomain-leave\', \'--type\', \'CA\', \'--hostname\', \'master.ipadomain.test\', \'--secure-port\', \'443\', \'CA master.ipadomain.test 443\']\' returned non-zero exit status 255.\nERROR: CalledProcessError: Command \'[\'pki\', \'-d\', \'/etc/pki/pki-tomcat/alias\', \'-f\', \'/etc/pki/pki-tomcat/password.conf\', \'-n\', \'subsystemCert cert-pki-ca\', \'-U\', \'https://master.ipadomain.test:8443\', \'--ignore-banner\', \'securitydomain-leave\', \'--type\', \'CA\', \'--hostname\', \'master.ipadomain.test\', \'--secure-port\', \'443\', \'CA master.ipadomain.test 443\']\' returned non-zero exit status 255.\n  File "/usr/lib/python3.9/site-packages/pki/server/pkidestroy.py", line 255, in main\n    scriptlet.destroy(deployer)\n  File "/usr/lib/python3.9/site-packages/pki/server/deployment/scriptlets/initialization.py", line 220, in destroy\n    deployer.leave_security_domain(instance, subsystem)\n  File "/usr/lib/python3.9/site-packages/pki/server/deployment/__init__.py", line 1448, in leave_security_domain\n    subsystem.leave_security_domain(\n  File "/usr/lib/python3.9/site-packages/pki/server/subsystem.py", line 1591, in leave_security_domain\n    subprocess.check_call(cmd)\n  File "/usr/lib64/python3.9/subprocess.py", line 373, in check_call\n    raise CalledProcessError(retcode, cmd)\n\n')
Unconfiguring named
Unconfiguring ipa-dnskeysyncd
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
Unconfiguring ipa-custodia
Unconfiguring ipa-otpd
Removing IPA client configuration
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Unconfiguring the NIS domain.
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Systemwide CA database updated.
Client uninstall complete.
The ipa-client-install command was successful
The ipa-server-install command was successful

Comment 2 Florence Blanc-Renaud 2023-06-14 09:57:01 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/9330

Comment 3 Varun Mylaraiah 2023-06-14 09:58:23 UTC
Additional information:

also, Failure was noticed in the ipa-server-4.10.1-7 and idm-pki-ca-11.4.2-1

But it was working fine with ipa-server-4.10.1-6 and idm-pki-ca-11.3.0-1

Comment 4 Florence Blanc-Renaud 2023-06-14 09:59:34 UTC
The issue was also seen upstream and appeared with PKI 11.4.
With earlier versions, pki destroy is successful even if the PKI service is down. With 11.4 it fails.

IPA uninstallation stops the pki service before calling pkidestroy, we should investigate if it's possible to keep pki running.

Comment 5 Thomas Woerner 2023-06-14 10:03:26 UTC
There are two issues here:

"Unconfiguring CA" is failing

AND

"ipa-server-install --uninstall -U" is not failing.

Comment 6 Rob Crittenden 2023-06-14 11:57:07 UTC
The uninstall not failing if any component fails to uninstall is working as expected. It charges on and the uninstaller is idempotent so can be re-run.

There are several valid use-cases to uninstall any component where it is not running:
- it wasn't completely set up in the first place (deployment fails)
- some configuration is in such a state the component simply won't start (e.g. expired certificates)

I think the pki team is going to need to address this.

Comment 7 Florence Blanc-Renaud 2023-06-14 13:20:54 UTC
Upstream PR: https://github.com/freeipa/freeipa/pull/6881

Comment 9 Florence Blanc-Renaud 2023-06-21 19:11:01 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/67a33e5a305c7510fb182f84e46f304043f6ab37
https://pagure.io/freeipa/c/6c84ae5c3035ecd917404cc41c32a4b25c607b46


Test case available upstream: test_integration/test_backup_and_restore.py::TestBackupReinstallRestoreWithKRA::test_full_backup_reinstall_restore_with_vault

Comment 11 anuja 2023-07-05 07:01:40 UTC
Test result without fix:

FAILED test_integration/test_backup_and_restore.py::TestBackupReinstallRestoreWithKRA::test_full_backup_reinstall_restore_with_vault
============== 1 failed, 1 passed, 1 warning in 746.24s (0:12:26) ==============



===========================================================================================================================================================

Test result with fix using test-compose:

test_integration/test_backup_and_restore.py::TestBackupReinstallRestoreWithKRA::test_full_backup_reinstall_restore_with_vault PASSED [ 50%]
test_integration/test_backup_and_restore.py::TestBackupReinstallRestoreWithKRA::test_no_error_message_with_uninstall_ipa_with_kra PASSED [100%]

=============================== warnings summary ===============================
================== 2 passed, 1 warning in 1135.84s (0:18:55) ===================

Comment 14 anuja 2023-07-12 12:41:51 UTC
Verified using nightly build:
ipa-4.10.2-2.el9

test_integration/test_backup_and_restore.py::TestBackupReinstallRestoreWithKRA::test_full_backup_reinstall_restore_with_vault PASSED [ 50%]
test_integration/test_backup_and_restore.py::TestBackupReinstallRestoreWithKRA::test_no_error_message_with_uninstall_ipa_with_kra PASSED [100%]

----------- generated html file: file:///home/cloud-user/report.html -----------
================== 2 passed, 1 warning in 1123.16s (0:18:43) ===================

Comment 17 errata-xmlrpc 2023-11-07 08:34:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6477