2214933 – Uninstalling of the IPA server is encountering a failure during the unconfiguration of the CA (Unconfiguring CA)

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2214933 - Uninstalling of the IPA server is encountering a failure during the unconfiguration of the CA (Unconfiguring CA)

Summary: Uninstalling of the IPA server is encountering a failure during the unconfigu...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Deadline:	2023-07-03
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	9.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Florence Blanc-Renaud
QA Contact:	ipa-qe
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-06-14 06:52 UTC by Varun Mylaraiah
Modified:	2023-11-07 09:54 UTC (History)
CC List:	5 users (show)
Fixed In Version:	ipa-4.10.2-2.el9
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-11-07 08:34:14 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Fedora Pagure	freeipa issue 9330	None	None	None	2023-06-14 09:57:04 UTC
Red Hat Issue Tracker	FREEIPA-10015	None	None	None	2023-06-14 10:13:51 UTC
Red Hat Issue Tracker	RHELPLAN-159811	None	None	None	2023-06-14 10:13:56 UTC
Red Hat Product Errata	RHBA-2023:6477	None	None	None	2023-11-07 08:35:00 UTC

Description Varun Mylaraiah 2023-06-14 06:52:10 UTC

Created attachment 1970814 [details]
uninstall log

Description of problem:
Uninstalling of the IPA server is encountering a failure during the unconfiguration of the CA (Unconfiguring CA)

Version-Release number of selected component (if applicable):
# rpm -qa ipa-server*
ipa-server-common-4.10.2-1.el9.noarch
ipa-server-4.10.2-1.el9.x86_64
ipa-server-dns-4.10.2-1.el9.noarch

# rpm -qa idm-pki-*
idm-pki-base-11.4.2-1.el9.noarch
idm-pki-java-11.4.2-1.el9.noarch
idm-pki-tools-11.4.2-1.el9.x86_64
idm-pki-server-11.4.2-1.el9.noarch
idm-pki-acme-11.4.2-1.el9.noarch
idm-pki-ca-11.4.2-1.el9.noarch
idm-pki-kra-11.4.2-1.el9.noarch

How reproducible:
100%

Steps to Reproduce:
1. install ipa server 
#ipa-server-install --setup-dns --forwarder=10.11.5.19 --hostname=master.ipadomain.test -r IPADOMAIN.TEST -n ipadomain.test --ip-address=<ipaddress> -p <xxxpasswordxxxx> -a <xxxpasswordxxxx> -U

2. uninstall ipa server 
#ipa server-install --uninstall -U


Console output:
#ipa-server-install --setup-dns --forwarder=10.11.5.19 --hostname=master.ipadomain.test -r IPADOMAIN.TEST -n ipadomain.test --ip-address=<ipaddress> -p <xxxpasswordxxxx> -a <xxxpasswordxxxx> -U

This step may take considerable amount of time, please wait..
Done.
Configuring client side components
This program will set up IPA client.
Version 4.10.2

Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: master.ipadomain.test
Realm: IPADOMAIN.TEST
DNS Domain: ipadomain.test
IPA Server: master.ipadomain.test
BaseDN: dc=ipadomain,dc=test

Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring ipadomain.test as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful




# ipa-server-install --uninstall -U
Updating DNS system records
Invalid IP address fe80::f816:3eff:fe21:ea4d for master.ipadomain.test.: cannot use link-local IP address fe80::f816:3eff:fe21:ea4d
Forcing removal of master.ipadomain.test
------------------------------------------
Deleted IPA server "master.ipadomain.test"
------------------------------------------
Shutting down all IPA services
Unconfiguring CA
failed to uninstall CA instance CalledProcessError(Command ['/usr/sbin/pkidestroy', '-i', 'pki-tomcat', '-s', 'CA', '--log-file', '/var/log/pki/pki-ca-destroy.20230614020451.log'] returned non-zero exit status 1: 'SSLSocketException: Unable to connect: (-5961) TCP connection reset by peer.\nERROR: Unable to remove CA from security domain\nERROR: To remove manually:\nERROR: $ pki -U https://master.ipadomain.test:8443 -n <admin> securitydomain-host-del "CA master.ipadomain.test 443"\nERROR: Command \'[\'pki\', \'-d\', \'/etc/pki/pki-tomcat/alias\', \'-f\', \'/etc/pki/pki-tomcat/password.conf\', \'-n\', \'subsystemCert cert-pki-ca\', \'-U\', \'https://master.ipadomain.test:8443\', \'--ignore-banner\', \'securitydomain-leave\', \'--type\', \'CA\', \'--hostname\', \'master.ipadomain.test\', \'--secure-port\', \'443\', \'CA master.ipadomain.test 443\']\' returned non-zero exit status 255.\nERROR: CalledProcessError: Command \'[\'pki\', \'-d\', \'/etc/pki/pki-tomcat/alias\', \'-f\', \'/etc/pki/pki-tomcat/password.conf\', \'-n\', \'subsystemCert cert-pki-ca\', \'-U\', \'https://master.ipadomain.test:8443\', \'--ignore-banner\', \'securitydomain-leave\', \'--type\', \'CA\', \'--hostname\', \'master.ipadomain.test\', \'--secure-port\', \'443\', \'CA master.ipadomain.test 443\']\' returned non-zero exit status 255.\n  File "/usr/lib/python3.9/site-packages/pki/server/pkidestroy.py", line 255, in main\n    scriptlet.destroy(deployer)\n  File "/usr/lib/python3.9/site-packages/pki/server/deployment/scriptlets/initialization.py", line 220, in destroy\n    deployer.leave_security_domain(instance, subsystem)\n  File "/usr/lib/python3.9/site-packages/pki/server/deployment/__init__.py", line 1448, in leave_security_domain\n    subsystem.leave_security_domain(\n  File "/usr/lib/python3.9/site-packages/pki/server/subsystem.py", line 1591, in leave_security_domain\n    subprocess.check_call(cmd)\n  File "/usr/lib64/python3.9/subprocess.py", line 373, in check_call\n    raise CalledProcessError(retcode, cmd)\n\n')
Unconfiguring named
Unconfiguring ipa-dnskeysyncd
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
Unconfiguring ipa-custodia
Unconfiguring ipa-otpd
Removing IPA client configuration
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Unconfiguring the NIS domain.
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Systemwide CA database updated.
Client uninstall complete.
The ipa-client-install command was successful
The ipa-server-install command was successful

Comment 2 Florence Blanc-Renaud 2023-06-14 09:57:01 UTC

Upstream ticket:
https://pagure.io/freeipa/issue/9330

Comment 3 Varun Mylaraiah 2023-06-14 09:58:23 UTC

Additional information:

also, Failure was noticed in the ipa-server-4.10.1-7 and idm-pki-ca-11.4.2-1

But it was working fine with ipa-server-4.10.1-6 and idm-pki-ca-11.3.0-1

Comment 4 Florence Blanc-Renaud 2023-06-14 09:59:34 UTC

The issue was also seen upstream and appeared with PKI 11.4.
With earlier versions, pki destroy is successful even if the PKI service is down. With 11.4 it fails.

IPA uninstallation stops the pki service before calling pkidestroy, we should investigate if it's possible to keep pki running.

Comment 5 Thomas Woerner 2023-06-14 10:03:26 UTC

There are two issues here:

"Unconfiguring CA" is failing

AND

"ipa-server-install --uninstall -U" is not failing.

Comment 6 Rob Crittenden 2023-06-14 11:57:07 UTC

The uninstall not failing if any component fails to uninstall is working as expected. It charges on and the uninstaller is idempotent so can be re-run.

There are several valid use-cases to uninstall any component where it is not running:
- it wasn't completely set up in the first place (deployment fails)
- some configuration is in such a state the component simply won't start (e.g. expired certificates)

I think the pki team is going to need to address this.

Comment 7 Florence Blanc-Renaud 2023-06-14 13:20:54 UTC

Upstream PR: https://github.com/freeipa/freeipa/pull/6881

Comment 9 Florence Blanc-Renaud 2023-06-21 19:11:01 UTC

Fixed upstream
master:
https://pagure.io/freeipa/c/67a33e5a305c7510fb182f84e46f304043f6ab37
https://pagure.io/freeipa/c/6c84ae5c3035ecd917404cc41c32a4b25c607b46


Test case available upstream: test_integration/test_backup_and_restore.py::TestBackupReinstallRestoreWithKRA::test_full_backup_reinstall_restore_with_vault

Comment 10 Florence Blanc-Renaud 2023-06-22 15:46:37 UTC

Fixed upstream
ipa-4-10:
https://pagure.io/freeipa/c/f93a6d3ff52247ce5e582816fec689b8901fc984
https://pagure.io/freeipa/c/b9a07b1e97ee4e310b50860103872685da540da4

Comment 11 anuja 2023-07-05 07:01:40 UTC

Test result without fix:

FAILED test_integration/test_backup_and_restore.py::TestBackupReinstallRestoreWithKRA::test_full_backup_reinstall_restore_with_vault
============== 1 failed, 1 passed, 1 warning in 746.24s (0:12:26) ==============



===========================================================================================================================================================

Test result with fix using test-compose:

test_integration/test_backup_and_restore.py::TestBackupReinstallRestoreWithKRA::test_full_backup_reinstall_restore_with_vault PASSED [ 50%]
test_integration/test_backup_and_restore.py::TestBackupReinstallRestoreWithKRA::test_no_error_message_with_uninstall_ipa_with_kra PASSED [100%]

=============================== warnings summary ===============================
================== 2 passed, 1 warning in 1135.84s (0:18:55) ===================

Comment 14 anuja 2023-07-12 12:41:51 UTC

Verified using nightly build:
ipa-4.10.2-2.el9

test_integration/test_backup_and_restore.py::TestBackupReinstallRestoreWithKRA::test_full_backup_reinstall_restore_with_vault PASSED [ 50%]
test_integration/test_backup_and_restore.py::TestBackupReinstallRestoreWithKRA::test_no_error_message_with_uninstall_ipa_with_kra PASSED [100%]

----------- generated html file: file:///home/cloud-user/report.html -----------
================== 2 passed, 1 warning in 1123.16s (0:18:43) ===================

Comment 17 errata-xmlrpc 2023-11-07 08:34:14 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6477

Note You need to log in before you can comment on or make changes to this bug.