Bug 1356102 - Server uninstall does not stop tracking lightweight sub-CA with certmonger
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Kaleem
Reported: 2016-07-13 12:09 UTC by Petr Vobornik
Modified: 2016-11-04 05:58 UTC
Last Closed: 2016-11-04 05:58:04 UTC


Attachments
console.log (2.15 KB, text/plain)
2016-09-15 07:46 UTC, Abhijeet Kasurde


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Petr Vobornik 2016-07-13 12:09:36 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/6020

`ipa-server-install --uninstall` leaves lightweight sub-CA certs tracked by certmonger:
{{{
# ipa-server-install --uninstall -U
...
ipa         : ERROR    Some certificates may still be tracked by certmonger.
This will cause re-installation to fail.
Start the certmonger service and list the certificates being tracked
 # getcert list
These may be untracked by executing
 # getcert stop-tracking -i <request_id>
for each id in: 20160701035553
...

# getcert list
Number of certificates and requests being tracked: 1.
Request ID '20160701035553':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca fb8eb99f-5a29-4e57-9de0-4027b65a5dcb',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca fb8eb99f-5a29-4e57-9de0-4027b65a5dcb',token='NSS Certificate DB'
	issuer: CN=Certificate Authority,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
	subject: CN=Sub-CA 1,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
	expires: 2036-07-01 03:38:35 UTC
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca fb8eb99f-5a29-4e57-9de0-4027b65a5dcb"
	track: yes
	auto-renew: yes
}}}

Fix `ipa-server-install` to stop tracking all lightweight sub-CA certs on uninstall.
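
An added example, not part of the bug report or of the FreeIPA fix: a Python check that parses `getcert list` output and reports request IDs still tracking lightweight sub-CA certificates after an uninstall. It assumes such certs are recognizable by the `caSigningCert cert-pki-ca <UUID>` nickname in `/etc/pki/pki-tomcat/alias`, as in the output above; the function names and the second and third sample requests are constructed.

```python
import re

# Assumption: a lightweight sub-CA cert uses the CA signing nickname plus the
# authority UUID, as in the `getcert list` output quoted in this report.
LWCA_NICKNAME = re.compile(r"^caSigningCert cert-pki-ca [0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
PKI_TOMCAT_NSSDB = "/etc/pki/pki-tomcat/alias"

# Constructed sample: the first request is taken from the report; the second
# and third (main CA cert, unrelated NSSDB) are made up for contrast.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20160701035553':
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca fb8eb99f-5a29-4e57-9de0-4027b65a5dcb',token='NSS Certificate DB'
Request ID '20160701030000':
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
Request ID '20160701031111':
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
"""

def parse_getcert_list(text):
    """Return one dict per tracking request: id, NSSDB location, nickname."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1), "location": None, "nickname": None}
            requests.append(current)
        elif current and line.strip().startswith("certificate:"):
            loc = re.search(r"location='([^']*)'", line)
            nick = re.search(r"nickname='([^']*)'", line)
            current["location"] = loc.group(1) if loc else None
            current["nickname"] = nick.group(1) if nick else None
    return requests

def leftover_lwca_requests(text):
    """Request IDs that still track a lightweight sub-CA cert."""
    return [r["id"] for r in parse_getcert_list(text)
            if r["location"] == PKI_TOMCAT_NSSDB
            and r["nickname"] and LWCA_NICKNAME.match(r["nickname"])]

def untrack_commands(text):
    """One `getcert stop-tracking` command per leftover request."""
    return [f"getcert stop-tracking -i {rid}" for rid in leftover_lwca_requests(text)]

if __name__ == "__main__":
    print("\n".join(untrack_commands(SAMPLE)))
```

On a real host, pass the text of `getcert list` in place of `SAMPLE` and review the printed commands before running them.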

Comment 1 Petr Vobornik 2016-07-13 12:10:14 UTC
fixed upstream

88841a561922fd9a57f3c473833f2ff26c8061ec uninstall: untrack lightweight CA certs

Comment 3 Abhijeet Kasurde 2016-09-15 07:46 UTC
Created attachment 1201154
console.log

Comment 4 Abhijeet Kasurde 2016-09-15 07:47:41 UTC
Verified using IPA version ::
ipa-server-4.4.0-11.el7.x86_64

Marking BZ as verified.

Comment 6 errata-xmlrpc 2016-11-04 05:58:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html

