1356102 – Server uninstall does not stop tracking lightweight sub-CA with certmonger

Bug 1356102 - Server uninstall does not stop tracking lightweight sub-CA with certmonger

Summary: Server uninstall does not stop tracking lightweight sub-CA with certmonger

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	IPA Maintainers
QA Contact:	Kaleem
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-07-13 12:09 UTC by Petr Vobornik
Modified:	2016-11-04 05:58 UTC (History)
CC List:	3 users (show)
Fixed In Version:	ipa-4.4.0-2.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-11-04 05:58:04 UTC
Target Upstream Version:

Attachments	(Terms of Use)
console.log (2.15 KB, text/plain) 2016-09-15 07:46 UTC, Abhijeet Kasurde	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2016:2404	normal	SHIPPED_LIVE	ipa bug fix and enhancement update	2016-11-03 13:56:18 UTC

Description Petr Vobornik 2016-07-13 12:09:36 UTC

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/6020

`ipa-server-install --uninstall` leaves lightweight sub-CA certs tracked by certmonger:
{{{
# ipa-server-install --uninstall -U
...
ipa         : ERROR    Some certificates may still be tracked by certmonger.
This will cause re-installation to fail.
Start the certmonger service and list the certificates being tracked
 # getcert list
These may be untracked by executing
 # getcert stop-tracking -i <request_id>
for each id in: 20160701035553
...

# getcert list
Number of certificates and requests being tracked: 1.
Request ID '20160701035553':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca fb8eb99f-5a29-4e57-9de0-4027b65a5dcb',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca fb8eb99f-5a29-4e57-9de0-4027b65a5dcb',token='NSS Certificate DB'
	issuer: CN=Certificate Authority,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
	subject: CN=Sub-CA 1,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
	expires: 2036-07-01 03:38:35 UTC
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca fb8eb99f-5a29-4e57-9de0-4027b65a5dcb"
	track: yes
	auto-renew: yes
}}}

Fix `ipa-server-install` to stop tracking all lightweight sub-CA certs on uninstall.

Comment 1 Petr Vobornik 2016-07-13 12:10:14 UTC

fixed upstream

88841a561922fd9a57f3c473833f2ff26c8061ec uninstall: untrack lightweight CA certs

Comment 3 Abhijeet Kasurde 2016-09-15 07:46:53 UTC

Created attachment 1201154 [details]
console.log

Comment 4 Abhijeet Kasurde 2016-09-15 07:47:41 UTC

Verified using IPA version ::
ipa-server-4.4.0-11.el7.x86_64

Marking BZ as verified.

Comment 6 errata-xmlrpc 2016-11-04 05:58:04 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html

Note You need to log in before you can comment on or make changes to this bug.