Bug 681334

Summary: Uninstalling ipa-client doesn't remove cert
Product: Red Hat Enterprise Linux 6    Reporter: Namita Soman <nsoman>
Component: ipa    Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA    QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium    Docs Contact:
Priority: high
Version: 6.1    CC: benl, dpal, jgalipea, nalin
Target Milestone: beta   
Target Release: 6.1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-2.0.0-14.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-19 13:44:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description        Flags
Install log        none
Uninstall log      none

Description Namita Soman 2011-03-01 19:47:14 UTC
Description of problem:
Initial install adds a cert. But since this cert is not removed by an uninstall, subsequent installs, though successful, throw an error:
certmonger request for host certificate failed


On first install, debug indicates:
root        : DEBUG    args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate - rhel61-client.testrelm -N CN=rhel61-client.testrelm,O=TESTRELM -K host/rhel61-client.testrelm@TESTRELM 
root        : DEBUG    stdout=New signing request "20110301182803" added. 



Next uninstall, stderr has no errors and debug includes the below:
root        : DEBUG    stderr=

root        : DEBUG    args=/usr/bin/certutil -L -d /etc/pki/nssdb -n IPA Machine Certificate - rhel61-client.testrelm

root        : DEBUG    stdout=

root        : DEBUG    stderr=certutil: Could not find cert: IPA Machine Certificate - rhel61-client.testrelm

: File not found.


 

Subsequent installs....
stderr has:
certmonger request for host certificate failed
debug has:
root        : DEBUG    args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate - rhel61-client.testrelm -N CN=rhel61-client.testrelm,O=TESTRELM -K host/rhel61-client.testrelm@TESTRELM
root        : DEBUG    stdout=Error org.fedorahosted.certmonger.duplicate: Certificate at same location is already used by request "20110301182803".

root        : DEBUG    stderr=
certmonger request for host certificate failed




Version-Release number of selected component (if applicable):
ipa-client-2.0.0-13.el6.x86_64

How reproducible:
on all subsequent installs


Steps to Reproduce:
1.ipa-client-install
2.ipa-client-uninstall
3.ipa-client-install
  
Actual results:
error: certmonger request for host certificate failed

Expected results:
no error


Additional info:
# certutil -K -d /etc/pki/nssdb/ 

certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"

< 0> rsa      99850cc3f9fdfdca4c8865810f8ba841bcdd71e9   IPA Machine Certificate - rhel61-client.testrelm




# certutil -L  -d /etc/pki/nssdb/ 



Certificate Nickname                                         Trust Attributes

                                                             SSL,S/MIME,JAR/XPI



IPA CA                                                       CT,C,C

Comment 1 Dmitri Pal 2011-03-01 20:03:30 UTC
https://fedorahosted.org/freeipa/ticket/1028

Comment 3 Rob Crittenden 2011-03-01 21:27:11 UTC
Can you attach /var/log/ipaclient-install.log and  /var/log/ipaclient-uninstall.log?

If this is easily reproducible can you:

0. Make sure certmonger isn't already tracking any certs
1. ipa-client-install <options>
2. ipa-getcert list
3. ipa-client-install --uninstall
4. service certmonger start
5. ipa-getcert list

And attach the client install/uninstall log and the output from the two ipa-getcert commands?

Comment 4 Namita Soman 2011-03-02 13:37:25 UTC
Created attachment 481864 [details]
Install log

Comment 5 Namita Soman 2011-03-02 13:37:59 UTC
Created attachment 481865 [details]
Uninstall log

Comment 6 Namita Soman 2011-03-02 13:40:11 UTC
After install:
output for: ipa-getcert list
[root@rhel61-client ~]# ipa-getcert list
Number of certificates and requests being tracked: 1.
Request ID '20110301182803':
	status: NEED_TO_SUBMIT
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname=IPA Machine Certificate - rhel61-client.testrelm,token='NSS Certificate DB'
	certificate: type=NSSDB,location='/etc/pki/nssdb',nickname=IPA Machine Certificate - rhel61-client.testrelm
	CA: IPA
	issuer: 
	subject: 
	expires: unknown
	track: yes
	auto-renew: yes



After uninstall:
output for: ipa-getcert list
[root@rhel61-client ~]# ipa-getcert list
Number of certificates and requests being tracked: 1.
Request ID '20110301182803':
	status: NEED_TO_SUBMIT
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname=IPA Machine Certificate - rhel61-client.testrelm,token='NSS Certificate DB'
	certificate: type=NSSDB,location='/etc/pki/nssdb',nickname=IPA Machine Certificate - rhel61-client.testrelm
	CA: IPA
	issuer: 
	subject: 
	expires: unknown
	track: yes
	auto-renew: yes

Comment 7 Rob Crittenden 2011-03-02 13:58:10 UTC
I see what the problem is. We only stop tracking the request if it has been issued.

In ipa-client-install look for:

    if nickname_exists(client_nss_nickname):
    ...

We only want to try to remove the cert if it exists but we always want to call certmonger.stop_tracking (I think). It should handle cases where the cert isn't requested, requested but not issued or issued.
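
A sketch in Python (added here; not FreeIPA's own ipa-client-install code) of the cleanup this comment calls for: parse the `ipa-getcert list` output shown in comment 6, stop tracking every request bound to the client's NSS slot whether or not a cert was ever issued, and delete the cert only when the nickname is actually in the database. The function names, the constructed sample listing and the `nickname_exists` flag are assumptions.

```python
import re

# Constructed sample in the layout `ipa-getcert list` prints (comment 6); the second request is unrelated and must be skipped.
GETCERT_LIST = """Number of certificates and requests being tracked: 2.
Request ID '20110301182803':
\tstatus: NEED_TO_SUBMIT
\tkey pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname=IPA Machine Certificate - rhel61-client.testrelm,token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/pki/nssdb',nickname=IPA Machine Certificate - rhel61-client.testrelm
Request ID '20110301190000':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/nssdb',nickname=Other-Cert
"""

def parse_getcert_list(output):
    """Parse `ipa-getcert list` output into one dict per tracked request."""
    requests, current = [], None
    for raw in output.splitlines():
        m = re.match(r"Request ID '([^']+)':", raw)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        line = raw.strip()
        if current is None or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "status":
            current["status"] = value
        elif key == "certificate":
            # location and nickname are comma-separated key=value fields
            loc = re.search(r"location='([^']*)'", value)
            nick = re.search(r"nickname=([^,]+)", value)
            current["location"] = loc.group(1) if loc else None
            current["nickname"] = nick.group(1) if nick else None
    return requests

def tracked_request_ids(output, nssdb, nickname):
    """IDs of every request bound to this NSS slot, whether issued or not."""
    return [r["id"] for r in parse_getcert_list(output)
            if r.get("location") == nssdb and r.get("nickname") == nickname]

def uninstall_cert_actions(output, nssdb, nickname, nickname_exists):
    """Delete the cert only when NSS actually has it, but always stop tracking."""
    actions = []
    if nickname_exists:  # assumed flag: result of the nickname_exists() check
        actions.append(["certutil", "-D", "-d", nssdb, "-n", nickname])
    for rid in tracked_request_ids(output, nssdb, nickname):
        actions.append(["ipa-getcert", "stop-tracking", "-i", rid])
    return actions
```

With `nickname_exists` false (the NEED_TO_SUBMIT case from this bug) the pre-fix logic would have done nothing; this version still emits the stop-tracking command for request 20110301182803.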

Comment 8 Dmitri Pal 2011-03-08 22:11:03 UTC
master: 61d70657ab93bb4ce74013dcfef9b9592460caaf

Comment 10 Namita Soman 2011-03-11 12:52:41 UTC
Verified.

Install doesn't display the error anymore, and debug logs have:
2011-03-11 07:49:26,434 DEBUG args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate - rhel61-client.testrelm -N CN=rhel61-client.testrelm,O=TESTRELM -K host/rhel61-client.testrelm@TESTRELM
2011-03-11 07:49:26,435 DEBUG stdout=New signing request "20110311124926" added.

And uninstall logs have:
2011-03-11 07:49:05,354 DEBUG args=/usr/bin/ipa-getcert stop-tracking -i 20110311124853
2011-03-11 07:49:05,355 DEBUG stdout=Request "20110311124853" removed.

verified with:
ipa-client-2.0.0-13.20110310T0728zgited5cffd.el6.x86_64

Comment 11 Namita Soman 2011-03-11 16:06:50 UTC
not getting "Verified" as a status option... changing to "Modified"

Comment 13 Jenny Severance 2011-03-11 16:42:30 UTC
per comment 10 - setting bug status to verified.

Comment 14 errata-xmlrpc 2011-05-19 13:44:33 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2011-0631.html