This bug is created as a clone of upstream ticket:
`ipa-server-install --uninstall` leaves lightweight sub-CA certs tracked by certmonger:
```
# ipa-server-install --uninstall -U
ipa : ERROR Some certificates may still be tracked by certmonger.
This will cause re-installation to fail.
Start the certmonger service and list the certificates being tracked
# getcert list
These may be untracked by executing
# getcert stop-tracking -i <request_id>
for each id in: 20160701035553
# getcert list
Number of certificates and requests being tracked: 1.
Request ID '20160701035553':
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca fb8eb99f-5a29-4e57-9de0-4027b65a5dcb',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca fb8eb99f-5a29-4e57-9de0-4027b65a5dcb',token='NSS Certificate DB'
issuer: CN=Certificate Authority,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
subject: CN=Sub-CA 1,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
expires: 2036-07-01 03:38:35 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca fb8eb99f-5a29-4e57-9de0-4027b65a5dcb"
```
Fix `ipa-server-install` to stop tracking all lightweight sub-CA certs on uninstall.
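A read-only check for the leftover described in this report, as an added example that is not part of the original ticket or of IPA's code: it reads `getcert list` output and prints the request IDs that still track a lightweight sub-CA signing cert. The function names, the second sample request and the assumption that the nickname suffix is a 36-character authority ID (as in the output above) are this example's own.

```shell
#!/bin/sh
# Added example, not IPA code. Prints the certmonger request IDs that track
# lightweight sub-CA signing certs, i.e. NSSDB nicknames of the form
# 'caSigningCert cert-pki-ca <36-char authority id>' as in the report above.
# Reads `getcert list` output on stdin; changes nothing on the system.
lwca_request_ids() {
    awk -v q="'" '
        /^Request ID / { split($0, p, q); id = p[2]; next }
        /key pair storage:/ {
            nick = $0
            if (!sub("^.*nickname=" q, "", nick)) next   # no NSSDB nickname
            sub(q ".*$", "", nick)
            prefix = "caSigningCert cert-pki-ca "
            if (index(nick, prefix) != 1) next   # main CA cert or unrelated
            suffix = substr(nick, length(prefix) + 1)
            # Assumption: sub-CA nicknames end in a UUID-shaped authority id.
            if (length(suffix) == 36 && suffix ~ /^[0-9a-f-]+$/) print id
        }'
}

# Constructed sample: the sub-CA request from the report plus a hypothetical
# request for the main CA signing cert (its ID is made up for this example).
sample_getcert_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20160701030000':
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    subject: CN=Certificate Authority,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
Request ID '20160701035553':
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca fb8eb99f-5a29-4e57-9de0-4027b65a5dcb',token='NSS Certificate DB',pin set
    subject: CN=Sub-CA 1,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
EOF
}

sample_getcert_list | lwca_request_ids
# On a host being cleaned up, feed it real output and untrack each hit:
#   getcert list | lwca_request_ids | while read -r id; do
#       getcert stop-tracking -i "$id"; done
```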
88841a561922fd9a57f3c473833f2ff26c8061ec uninstall: untrack lightweight CA certs
Created attachment 1201154
Verified using IPA version ::
Marking BZ as verified.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.