Bug 1356102 - Server uninstall does not stop tracking lightweight sub-CA with certmonger
Summary: Server uninstall does not stop tracking lightweight sub-CA with certmonger
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Kaleem
Depends On:
TreeView+ depends on / blocked
Reported: 2016-07-13 12:09 UTC by Petr Vobornik
Modified: 2016-11-04 05:58 UTC (History)
3 users (show)

Clone Of:
Last Closed: 2016-11-04 05:58:04 UTC

Attachments (Terms of Use)
console.log (2.15 KB, text/plain)
2016-09-15 07:46 UTC, Abhijeet Kasurde
no flags Details

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Petr Vobornik 2016-07-13 12:09:36 UTC
This bug is created as a clone of upstream ticket:

`ipa-server-install --uninstall` leaves lightweight sub-CA certs tracked by certmonger:
# ipa-server-install --uninstall -U
ipa         : ERROR    Some certificates may still be tracked by certmonger.
This will cause re-installation to fail.
Start the certmonger service and list the certificates being tracked
 # getcert list
These may be untracked by executing
 # getcert stop-tracking -i <request_id>
for each id in: 20160701035553

# getcert list
Number of certificates and requests being tracked: 1.
Request ID '20160701035553':
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca fb8eb99f-5a29-4e57-9de0-4027b65a5dcb',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca fb8eb99f-5a29-4e57-9de0-4027b65a5dcb',token='NSS Certificate DB'
	issuer: CN=Certificate Authority,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
	expires: 2036-07-01 03:38:35 UTC
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca fb8eb99f-5a29-4e57-9de0-4027b65a5dcb"
	track: yes
	auto-renew: yes

Fix `ipa-server-install` to stop tracking all lightweight sub-CA certs on uninstall.

Comment 1 Petr Vobornik 2016-07-13 12:10:14 UTC
fixed upstream

88841a561922fd9a57f3c473833f2ff26c8061ec uninstall: untrack lightweight CA certs

Comment 3 Abhijeet Kasurde 2016-09-15 07:46 UTC
Created attachment 1201154 [details]

Comment 4 Abhijeet Kasurde 2016-09-15 07:47:41 UTC
Verified using IPA version ::

Marking BZ as verified.

Comment 6 errata-xmlrpc 2016-11-04 05:58:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.