RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1740702 - IdM should call into Dogtag to dynamically update the security domain info
Summary: IdM should call into Dogtag to dynamically update the security domain info
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 8.0
Assignee: Thomas Woerner
QA Contact: ipa-qe
: 2018535 2021880 (view as bug list)
Depends On: 1740697
TreeView+ depends on / blocked
Reported: 2019-08-13 14:13 UTC by Thorsten Scherf
Modified: 2022-10-05 09:18 UTC (History)
18 users (show)

Fixed In Version: ipa-4.9.8-1.module+el8.6.0+13486+dbe20af2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2022-05-10 14:08:44 UTC
Type: Bug
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FREEIPA-7003 0 None None None 2021-10-01 08:29:55 UTC
Red Hat Product Errata RHEA-2022:1884 0 None None None 2022-05-10 14:09:05 UTC

Description Thorsten Scherf 2019-08-13 14:13:34 UTC
Description of problem:
When an IdM system with CA/KRA role is removed from  IdM topology, IdM should call into Dogtag to also remove this system from the security domain info. 

At the moment there is an inconsistency between the output from 'pki' and 'ipa' tools.

See also https://bugzilla.redhat.com/show_bug.cgi?id=1740697

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

Actual results:

Expected results:

Additional info:

Comment 1 Alexander Bokovoy 2019-08-14 12:21:36 UTC
We need to hook this into CA/KRA uninstaller but also a cleanup job could be done in ipa-server-upgrade.

Comment 2 Fraser Tweedale 2019-08-16 02:07:04 UTC
Adding dependency on 1740697.

Comment 8 Petr Čech 2021-01-06 09:18:36 UTC

*** This bug has been marked as a duplicate of bug 1902173 ***

Comment 9 Rob Crittenden 2021-06-04 13:11:23 UTC
Re-opening as the related BZ didn't address the security domain cleanup.

Comment 19 Rob Crittenden 2021-07-20 17:42:16 UTC
Upstream ticket:

Comment 20 Florence Blanc-Renaud 2021-08-16 07:15:16 UTC
Fixed upstream

Test added upstream in test_integration/test_server_del.py::TestLastServices::test_removal_of_server_raises_error_about_last_kra

Comment 21 Rob Crittenden 2021-08-17 18:08:06 UTC
Additioanl fix that prevented upgrades in a CA-less environment

Fixed upstream

Comment 23 Rob Crittenden 2021-08-18 16:04:50 UTC
Additional fix that prevented upgrades in a CA-less environment

Fixed upstream

Comment 24 Rob Crittenden 2021-10-29 17:22:48 UTC
*** Bug 2018535 has been marked as a duplicate of this bug. ***

Comment 26 Rob Crittenden 2021-11-01 21:28:57 UTC
Sorry about that. The CA has its own authentication system outside of IPA.

This should do the trick:

pki -d /var/lib/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -C /var/lib/pki/pki-tomcat/alias/pwdfile.txt securitydomain-host-del 'CA ipa.example.test 443'

These options authenticate using the certificate that the CA uses for its LDAP binds. It has permissions to do this removal.

Take care when executing this as removing the wrong host may require re-installation of that host. I'm not aware of a way to re-create these entries.

Comment 27 Rob Crittenden 2021-11-10 19:53:51 UTC
*** Bug 2021880 has been marked as a duplicate of this bug. ***

Comment 43 Marc Sauton 2022-01-08 01:01:14 UTC
the issue is when a replica with a CA or KRA role is uninstalled, the IPA LDAP backend keeps that replica roles references under cn=masters,cn=ipa,cn=etc,dc=idm,dc=example,dc=test so IPA and the ipa-healthcheck 's IPADogtagCertsMatchCheck test think the is a configured CA

could be tested with

cat << EOF > ~/test.api
from ipaserver.install import cainstance

cat ~/test.api | ipa console

class IPADogtagCertsMatchCheck(IPAPlugin):
    def check(self):
        if not self.ca.is_configured():  <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< finds a CA role from ipaConfigString in cn=CA,cn=some-replica-hostname,cn=masters,cn=ipa,cn=etc,dc=xx
            logger.debug('CA is not configured, skipping connectivity check')

        def match_ldap_nss_cert(plugin, ldap, db, cert_dn, attr, cert_nick):
                entry = ldap.get_entry(cert_dn)
            if not cert_matched:
                yield Result(plugin, constants.ERROR,
                             msg=('{nickname} certificate in NSS DB {dbdir} '
                                  'does not match entry in LDAP'))
                return False
            return True

for example on an ipaserver1 where ipaserver was removed/uninstalled:

ipa server-role-find --role="CA server"
2 server roles matched
  Server name: ipaserver1.idm.example.test
  Role name: CA server
  Role status: enabled

  Server name: ipaserver2.idm.example.test <<<<<<<<<<<<<<<<<<
  Role name: CA server   <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< 
  Role status: configured  <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Number of entries returned 2
[root@ipaserver1 ~]# 

ldapsearch -o ldif-wrap=no -LLLx -D "cn=directory manager" -w password -b cn=masters,cn=ipa,cn=etc,dc=idm,dc=example,dc=test cn=CA cn ipaConfigString
dn: cn=CA,cn=ipaserver1.idm.example.test,cn=masters,cn=ipa,cn=etc,dc=idm,dc=example,dc=test
cn: CA
ipaConfigString: startOrder 50
ipaConfigString: caRenewalMaster
ipaConfigString: enabledService

dn: cn=CA,cn=ipaserver2.idm.example.test,cn=masters,cn=ipa,cn=etc,dc=idm,dc=example,dc=test  <<<<<<<<<<<
cn: CA
ipaConfigString: configuredService  <<<<<<<<<<<<<<<<<
ipaConfigString: startOrder 50       <<<<<<<<<<<<<<<<<<<<<

as a workaround, the entry 
could probably be removed with a ldapdelete if there is really no CA installed

and there are left overs under o=ipaca for the either uninstalled or CA role removed from ipaserver2, specially in the "PKI registry" / "PKI security domain"

ldapsearch -o ldif-wrap=no -LLLx -D "cn=directory manager" -w password -b o=ipaca cn=*ipaserver2* dn
dn: uid=CA-ipaserver2.idm.example.test-8443,ou=people,o=ipaca

dn: cn=ipaserver2.idm.example.test:443,cn=CAList,ou=Security Domain,o=ipaca

dn: uid=acme-ipaserver2.idm.example.test,ou=people,o=ipaca

Comment 44 Rob Crittenden 2022-01-08 01:33:51 UTC
Marc, this is a completely different issue altogether. I've not reproduced it myself. It could have to do with the way the IPA server is being removed from rotation. `ipa server-del <host>` should clean these up.

This bug is about the dogtag-specific securitydomain capability which is what triggers the healthcheck errors because we weren't cleaning it up on uninstall.

Comment 45 Mohammad Rizwan 2022-01-13 12:12:00 UTC

============================= test session starts ==============================
platform linux -- Python 3.6.8, pytest-3.10.1, py-1.11.0, pluggy-1.0.0 -- /usr/libexec/platform-python
cachedir: /home/cloud-user/.pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-358.el8.x86_64-x86_64-with-redhat-8.6-Ootpa', 'Packages': {'pytest': '3.10.1', 'py': '1.11.0', 'pluggy': '1.0.0'}, 'Plugins': {'metadata': '1.11.0', 'html': '1.22.1', 'multihost': '3.0', 'sourceorder': '0.5'}}
rootdir: /usr/lib/python3.6/site-packages/ipatests, inifile:
plugins: metadata-1.11.0, html-1.22.1, multihost-3.0, sourceorder-0.5
collecting ... collected 16 items

test_integration/test_server_del.py::TestServerDel::test_removal_of_nonexistent_master_raises_error PASSED [  6%]
test_integration/test_server_del.py::TestServerDel::test_forced_removal_of_nonexistent_master PASSED [ 12%]
test_integration/test_server_del.py::TestServerDel::test_removal_of_replica1_disconnects_domain_topology PASSED [ 18%]
test_integration/test_server_del.py::TestServerDel::test_removal_of_replica2_disconnects_ca_topology PASSED [ 25%]
test_integration/test_server_del.py::TestServerDel::test_ignore_topology_disconnect_replica1 PASSED [ 31%]
test_integration/test_server_del.py::TestServerDel::test_ignore_topology_disconnect_replica2 PASSED [ 37%]
test_integration/test_server_del.py::TestServerDel::test_removal_of_master_disconnects_both_topologies PASSED [ 43%]
test_integration/test_server_del.py::TestServerDel::test_removal_of_replica1 PASSED [ 50%]
test_integration/test_server_del.py::TestServerDel::test_removal_of_replica2 PASSED [ 56%]
test_integration/test_server_del.py::TestLastServices::test_removal_of_master_raises_error_about_last_dns PASSED [ 62%]
test_integration/test_server_del.py::TestLastServices::test_install_dns_on_replica1_and_dnssec_on_master PASSED [ 68%]
test_integration/test_server_del.py::TestLastServices::test_removal_of_master_raises_error_about_dnssec PASSED [ 75%]
test_integration/test_server_del.py::TestLastServices::test_disable_dnssec_on_master PASSED [ 81%]
test_integration/test_server_del.py::TestLastServices::test_removal_of_master_raises_error_about_last_ca PASSED [ 87%]
test_integration/test_server_del.py::TestLastServices::test_removal_of_server_raises_error_about_last_kra PASSED [ 93%]
test_integration/test_server_del.py::TestLastServices::test_forced_removal_of_master PASSED [100%]

---------------- generated xml file: /home/cloud-user/junit.xml ----------------
----------- generated html file: file:///home/cloud-user/report.html -----------
========================= 16 passed in 3896.89 seconds =========================

Automation passed for test_removal_of_server_raises_error_about_last_kra, Hence marking the bug as verified.


Comment 49 errata-xmlrpc 2022-05-10 14:08:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (idm:client and idm:DL1 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.