Bug 1081626
| Field | Value |
|---|---|
| Summary | When certmonger is still tracking cert in ipa, uninstall fails but error does not indicate this |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Namita Soman <nsoman> |
| Component | ipa |
| Assignee | Martin Kosek <mkosek> |
| Status | CLOSED ERRATA |
| QA Contact | Namita Soman <nsoman> |
| Severity | unspecified |
| Docs Contact | |
| Priority | medium |
| Version | 7.0 |
| CC | dpal, ksiddiqu, mkosek, nalin, nsoman, rcritten, tbabej |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | ipa-4.0.3-1.el7 |
| Doc Type | Known Issue |
| Doc Text | An IPA master is uninstalled while SSL certificates for services other than IPA servers are tracked by the certmonger service. Consequently, an unexpected error can occur, and the uninstallation process fails. To work around this problem, start certmonger, and run the ipa-getcert command to list the tracked certificates. Then run the "ipa-getcert stop-tracking -i <Request ID>" command to stop certmonger from tracking the certificates, and run the IPA uninstall script again. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2015-03-05 10:10:46 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
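The workaround from the Doc Text (start certmonger, list the tracked certificates, stop tracking the extra requests by Request ID, uninstall again) as an added shell example. This is not code from the bug report, FreeIPA or certmonger: it assumes the `Request ID '<id>':` / `certificate: type=NSSDB,location='...',nickname='...'` line layout of `ipa-getcert list` output, the listing below is a constructed sample, and the `GETCERT` variable is this example's own dry-run switch.

```shell
#!/bin/sh
# Added example, not taken from this bug report or from FreeIPA/certmonger.
# Finds the requests certmonger still tracks and stops tracking only the ones
# that belong to the extra certificates, so the IPA uninstall can be re-run.

# Constructed sample of `ipa-getcert list` output (two extra certificates,
# one in a temporary database and one in /etc/httpd/alias, as in this bug).
SAMPLE_LIST="Number of certificates and requests being tracked: 2.
Request ID '20140327164857':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/tmp/certdb',nickname='bz817080',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/tmp/certdb',nickname='bz817080',token='NSS Certificate DB'
    CA: IPA
Request ID '20140327164858':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='bz817080',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='bz817080',token='NSS Certificate DB'
    CA: IPA"

# Read `ipa-getcert list` output on stdin and print one line per tracked
# request: "<request id> <database location> <nickname>" (nickname is empty
# for file-based certificates, which have no nickname field).
tracked_requests() {
    awk -F"'" '
        /^Request ID /          { id = $2 }
        /^[ \t]*certificate: / {
            # split on single quotes: the field ending in "location=" is
            # followed by the path, then ",nickname=", then the nickname
            for (i = 1; i <= NF; i++)
                if ($i ~ /location=$/) { print id, $(i + 1), $(i + 3); break }
        }'
}

# Stop tracking every request in listing $1. With $2 (database location) and
# $3 (nickname) set, only matching requests are touched, so the certificates of
# the IPA services themselves are left alone. GETCERT defaults to ipa-getcert;
# GETCERT=true gives a dry run that only counts. Prints the number of requests
# handled. stop-tracking ends renewal monitoring only; certificate and key
# stay in the database.
stop_tracking() {
    listing=$1
    only_db=${2:-}
    only_nick=${3:-}
    n=0
    while read -r id db nick; do
        if [ -n "$only_db" ] && [ "$db" != "$only_db" ]; then continue; fi
        if [ -n "$only_nick" ] && [ "$nick" != "$only_nick" ]; then continue; fi
        "${GETCERT:-ipa-getcert}" stop-tracking -i "$id" || return 1
        n=$((n + 1))
    done <<EOF
$(printf '%s\n' "$listing" | tracked_requests)
EOF
    echo "$n"
}

# The workaround end to end on a real host (root required; not run here):
#   systemctl start certmonger
#   stop_tracking "$(ipa-getcert list)" /tmp/certdb
#   stop_tracking "$(ipa-getcert list)" /etc/httpd/alias bz817080
#   ipa-server-install --uninstall -U

# Stand-alone demo against the constructed sample, dry run only.
printf '%s\n' "$SAMPLE_LIST" | tracked_requests
GETCERT=true stop_tracking "$SAMPLE_LIST" /etc/httpd/alias bz817080
```

Filtering by both database and nickname matters for /etc/httpd/alias, which also holds the IPA HTTP server certificate: the uninstaller handles that one itself, and only the extra certificate added for the reproducer needs to be untracked by hand.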
Description
Namita Soman
2014-03-27 17:50:23 UTC
Just to confirm, you added two additional certificates to be tracked prior to uninstallation, one in a temporary database and one in /etc/httpd/alias, correct?

Steps taken:

```
# ipa-server-install --setup-dns --forwarder=$DNSFORWARD --hostname=$HOSTNAME -r $RELM -p $ADMINPW -P $ADMINPW -a $ADMINPW -U
# kinit admin
# ipa host-add bz817080.$DOMAIN --force
# mkdir -p /tmp/certdb
# echo Secret123 > /tmp/certdb/passwd1
# certutil -f /tmp/certdb/passwd1 -N -d /tmp/certdb
# certutil -f /tmp/certdb/passwd1 -R -s 'cn=bz817080.testrelm.com,o=testrelm.com' -d /tmp/certdb -z /etc/group -a > /tmp/certdb/bz817080.csr
# ipa cert-request --add --principal bz817080/bz817080.testrelm.com /tmp/certdb/bz817080.csr > /tmp/certdb/bz817080.crt
```

Serial number was 11

```
# ipa cert-show --out=/tmp/certdb/bz817080.crt 11
```

And to answer the needinfo question... yes, as below:

```
:: [ PASS ] :: Running 'certutil -f /tmp/certdb/passwd1 -A -n bz817080 -d /tmp/certdb -t u,u,u -a < /tmp/certdb/bz817080.crt' (Expected 0, got 0)
New tracking request "20140327164857" added.
:: [ PASS ] :: Running 'ipa-getcert start-tracking -d /tmp/certdb -n bz817080' (Expected 0, got 0)
Notice: Trust flag u is set automatically if the private key is present.
:: [ PASS ] :: Running 'certutil -f /tmp/certdb/passwd1 -A -n bz817080 -d /etc/httpd/alias -t u,u,u -a < /tmp/certdb/bz817080.crt' (Expected 0, got 0)
New tracking request "20140327164858" added.
:: [ PASS ] :: Running 'ipa-getcert start-tracking -d /etc/httpd/alias -n bz817080' (Expected 0, got 0)
```
*** Bug 1080844 has been marked as a duplicate of this bug. ***

Rob, is this purely a certmonger issue then (Nalin CCed) or do you see a possible improvement in IPA as well?

I don't know what the tmp file contains. I don't think this is a "bug" in certmonger though, as we are really poking our noses into its private data. IMHO assuming there are no plans to change the certmonger request filename format, it may even be worthwhile to add a regex of filenames to look for and ignore the rest. At a minimum IPA should have a try/except around the open to fail gracefully. In this case it probably shouldn't give up completely, just move to the next file in the list, and log somewhere.

Ok, makes sense. I will clone an upstream ticket.

Upstream ticket: https://fedorahosted.org/freeipa/ticket/4280

Fixed upstream

master: https://fedorahosted.org/freeipa/changeset/6d94cdf250c470bf77a0e769ea30a90fa5815b81

ipa-4-1: https://fedorahosted.org/freeipa/changeset/78b2a7abbb33f9b880b2920812c443e86a7d3c06

ipa-4-0: https://fedorahosted.org/freeipa/changeset/ff6e43cc14b846531aac37a0250eb079db9aac6e

IPA now uses proper certmonger dbus API and does not touch internal config files. So bugs like this one should no longer appear.

Verified.
IPA version:

ipa-server-4.1.0-12.el7.x86_64

Snip from automation log:

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipaserverinstall_bz817080 - ipa-server-install --uninstall doesn't clear certmonger dirs, which leads to install failing bz817080
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Command 'ipa-server-install --setup-dns --forwarder=10.10.160.2 --hostname=idm-qe-05.testrelm.test -r TESTRELM.TEST -p xxxxxxxx -P xxxxxxxx -a xxxxxxxx -U' (Expected 0, got 0)
:: [ PASS ] :: Command 'ipa host-add bz817080.testrelm.test --force' (Expected 0, got 0)
:: [ PASS ] :: Command 'mkdir -p /tmp/certdb' (Expected 0, got 0)
:: [ PASS ] :: Changing context to cert_t so that certs can be generated (Expected 0, got 0)
:: [ PASS ] :: Command 'echo xxxxxxxx > /tmp/certdb/passwd1' (Expected 0, got 0)
:: [ PASS ] :: Command 'certutil -f /tmp/certdb/passwd1 -N -d /tmp/certdb' (Expected 0, got 0)
:: [ PASS ] :: Command 'certutil -f /tmp/certdb/passwd1 -R -s 'cn=bz817080.testrelm.test,o=testrelm.test' -d /tmp/certdb -z /etc/group -a > /tmp/certdb/bz817080.csr' (Expected 0, got 0)
:: [ PASS ] :: Command 'ipa cert-request --add --principal bz817080/bz817080.testrelm.test /tmp/certdb/bz817080.csr > /tmp/certdb/bz817080.crt' (Expected 0, got 0)
:: [ PASS ] :: Command 'ipa cert-show --out=/tmp/certdb/bz817080.crt 11' (Expected 0, got 0)
:: [ PASS ] :: Command 'certutil -f /tmp/certdb/passwd1 -A -n bz817080 -d /tmp/certdb -t u,u,u -a < /tmp/certdb/bz817080.crt' (Expected 0, got 0)
:: [ PASS ] :: Command 'ipa-getcert start-tracking -d /tmp/certdb -n bz817080' (Expected 0, got 0)
:: [ PASS ] :: Command 'certutil -f /tmp/certdb/passwd1 -A -n bz817080 -d /etc/httpd/alias -t u,u,u -a < /tmp/certdb/bz817080.crt' (Expected 0, got 0)
:: [ PASS ] :: Command 'ipa-getcert start-tracking -d /etc/httpd/alias -n bz817080' (Expected 0, got 0)
:: [ PASS ] :: Command 'ipa-server-install --uninstall -U > /tmp/tmp.Tlb92cB1Fu/ipaserverinstall_bz817080.out 2>&1' (Expected 0, got 0)
:: [ PASS ] :: Command 'cat /tmp/tmp.Tlb92cB1Fu/ipaserverinstall_bz817080.out' (Expected 0, got 0)
:: [ PASS ] :: File '/tmp/tmp.Tlb92cB1Fu/ipaserverinstall_bz817080.out' should contain 'ipa.*ERROR.*Some certificates may still be tracked by certmonger.'
:: [ PASS ] :: File '/tmp/tmp.Tlb92cB1Fu/ipaserverinstall_bz817080.out' should contain 'This will cause re-installation to fail.'
:: [ PASS ] :: File '/tmp/tmp.Tlb92cB1Fu/ipaserverinstall_bz817080.out' should contain 'Start the certmonger service and list the certificates being tracked'
:: [ PASS ] :: ipa-server-install --uninstall clears certmonger dirs
:: [ PASS ] :: Re-install to verify BZ 817080 not found (Expected 0, got 0)
:: [ PASS ] :: Command 'getcert stop-tracking -d /tmp/certdb -n bz817080' (Expected 0, got 0)
:: [ PASS ] :: Command 'rm -rf /tmp/certdb' (Expected 0, got 0)
:: [ PASS ] :: Command 'getcert stop-tracking -d /etc/httpd/alias -n bz817080' (Expected 0, got 0)
:: [ LOG ] :: Uninstall for next test
:: [ PASS ] :: Uninstalling ipa server for next test (Expected 0, got 0)
:: [ PASS ] :: Making sure that /etc/sssd/sssd.conf does not exist. BZ 819982 (Expected 2, got 2)
:: [ LOG ] :: Duration: 8m 38s
:: [ LOG ] :: Assertions: 25 good, 0 bad
:: [ PASS ] :: RESULT: ipaserverinstall_bz817080 - ipa-server-install --uninstall doesn't clear certmonger dirs, which leads to install failing bz817080
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html