Bug 681334
Summary: | Uninstalling ipa-client doesn't remove cert | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Namita Soman <nsoman> | ||||||
Component: | ipa | Assignee: | Rob Crittenden <rcritten> | ||||||
Status: | CLOSED ERRATA | QA Contact: | Chandrasekar Kannan <ckannan> | ||||||
Severity: | medium | Docs Contact: | |||||||
Priority: | high | ||||||||
Version: | 6.1 | CC: | benl, dpal, jgalipea, nalin | ||||||
Target Milestone: | beta | ||||||||
Target Release: | 6.1 | ||||||||
Hardware: | Unspecified | ||||||||
OS: | Unspecified | ||||||||
Whiteboard: | |||||||||
Fixed In Version: | ipa-2.0.0-14.el6 | Doc Type: | Bug Fix | ||||||
Doc Text: | Story Points: | --- | |||||||
Clone Of: | Environment: | ||||||||
Last Closed: | 2011-05-19 13:44:33 UTC | Type: | --- | ||||||
Regression: | --- | Mount Type: | --- | ||||||
Documentation: | --- | CRM: | |||||||
Verified Versions: | Category: | --- | |||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||
Embargoed: | |||||||||
Attachments: |
|
Description
Namita Soman
2011-03-01 19:47:14 UTC
Can you attach /var/log/ipaclient-install.log and /var/log/ipaclient-uninstall.log? If this is easily reproducable can you: 0. Make sure certmonger isn't already tracking any certs 1. ipa-client-install <options> 2. ipa-getcert list 3. ipa-client-install --uninstall 4. service certmonger start 5. ipa-getcert list And attach the client install/uninstall log and the output from the two ipa-getcert commands? Created attachment 481864 [details]
Install log
Created attachment 481865 [details]
Uninstall log
After install: output for: ipa-getcert list [root@rhel61-client ~]# ipa-getcert list Number of certificates and requests being tracked: 1. Request ID '20110301182803': status: NEED_TO_SUBMIT stuck: no key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname=IPA Machine Certificate - rhel61-client.testrelm,token='NSS Certificate DB' certificate: type=NSSDB,location='/etc/pki/nssdb',nickname=IPA Machine Certificate - rhel61-client.testrelm CA: IPA issuer: subject: expires: unknown track: yes auto-renew: yes After uninstall: output for: ipa-getcert list [root@rhel61-client ~]# ipa-getcert list Number of certificates and requests being tracked: 1. Request ID '20110301182803': status: NEED_TO_SUBMIT stuck: no key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname=IPA Machine Certificate - rhel61-client.testrelm,token='NSS Certificate DB' certificate: type=NSSDB,location='/etc/pki/nssdb',nickname=IPA Machine Certificate - rhel61-client.testrelm CA: IPA issuer: subject: expires: unknown track: yes auto-renew: yes I see what the problem is. We only stop tracking the request if it has been issued. In ipa-client-install look for: if nickname_exists(client_nss_nickname): ... We only want to try to remove the cert if it exists but we always want to call certmonger.stop_tracking (I think). It should handle cases where the cert isn't requested, requested but not issued or issued. master: 61d70657ab93bb4ce74013dcfef9b9592460caaf Verified. Install doesn't display the error anymore, and debug logs have: 2011-03-11 07:49:26,434 DEBUG args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate - rhel61-client.testrelm -N CN=rhel61-client.testrelm,O=TESTRELM -K host/rhel61-client.testrelm@TESTRELM 2011-03-11 07:49:26,435 DEBUG stdout=New signing request "20110311124926" added. And uninstall logs have: 2011-03-11 07:49:05,354 DEBUG args=/usr/bin/ipa-getcert stop-tracking -i 20110311124853 2011-03-11 07:49:05,355 DEBUG stdout=Request "20110311124853" removed. verified with: ipa-client-2.0.0-13.20110310T0728zgited5cffd.el6.x86_64 not getting "Verified" as a status option..changing to "Modified" per comment 10 - setting bug status to verified. An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2011-0631.html |