RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2214933 - Uninstalling of the IPA server is encountering a failure during the unconfiguration of the CA (Unconfiguring CA)
Summary: Uninstalling of the IPA server is encountering a failure during the unconfigu...
Keywords:
Status: CLOSED ERRATA
Alias: None
Deadline: 2023-07-03
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: ipa
Version: 9.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Florence Blanc-Renaud
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-06-14 06:52 UTC by Varun Mylaraiah
Modified: 2023-11-07 09:54 UTC (History)
5 users (show)

Fixed In Version: ipa-4.10.2-2.el9
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-11-07 08:34:14 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Fedora Pagure freeipa issue 9330 0 None None None 2023-06-14 09:57:04 UTC
Red Hat Issue Tracker FREEIPA-10015 0 None None None 2023-06-14 10:13:51 UTC
Red Hat Issue Tracker RHELPLAN-159811 0 None None None 2023-06-14 10:13:56 UTC
Red Hat Product Errata RHBA-2023:6477 0 None None None 2023-11-07 08:35:00 UTC

Description Varun Mylaraiah 2023-06-14 06:52:10 UTC
Created attachment 1970814 [details]
uninstall log

Description of problem:
Uninstalling of the IPA server is encountering a failure during the unconfiguration of the CA (Unconfiguring CA)

Version-Release number of selected component (if applicable):
# rpm -qa ipa-server*
ipa-server-common-4.10.2-1.el9.noarch
ipa-server-4.10.2-1.el9.x86_64
ipa-server-dns-4.10.2-1.el9.noarch

# rpm -qa idm-pki-*
idm-pki-base-11.4.2-1.el9.noarch
idm-pki-java-11.4.2-1.el9.noarch
idm-pki-tools-11.4.2-1.el9.x86_64
idm-pki-server-11.4.2-1.el9.noarch
idm-pki-acme-11.4.2-1.el9.noarch
idm-pki-ca-11.4.2-1.el9.noarch
idm-pki-kra-11.4.2-1.el9.noarch

How reproducible:
100%

Steps to Reproduce:
1. install ipa server 
#ipa-server-install --setup-dns --forwarder=10.11.5.19 --hostname=master.ipadomain.test -r IPADOMAIN.TEST -n ipadomain.test --ip-address=<ipaddress> -p <xxxpasswordxxxx> -a <xxxpasswordxxxx> -U

2. uninstall ipa server 
#ipa server-install --uninstall -U


Console output:
#ipa-server-install --setup-dns --forwarder=10.11.5.19 --hostname=master.ipadomain.test -r IPADOMAIN.TEST -n ipadomain.test --ip-address=<ipaddress> -p <xxxpasswordxxxx> -a <xxxpasswordxxxx> -U

This step may take considerable amount of time, please wait..
Done.
Configuring client side components
This program will set up IPA client.
Version 4.10.2

Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: master.ipadomain.test
Realm: IPADOMAIN.TEST
DNS Domain: ipadomain.test
IPA Server: master.ipadomain.test
BaseDN: dc=ipadomain,dc=test

Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring ipadomain.test as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful




# ipa-server-install --uninstall -U
Updating DNS system records
Invalid IP address fe80::f816:3eff:fe21:ea4d for master.ipadomain.test.: cannot use link-local IP address fe80::f816:3eff:fe21:ea4d
Forcing removal of master.ipadomain.test
------------------------------------------
Deleted IPA server "master.ipadomain.test"
------------------------------------------
Shutting down all IPA services
Unconfiguring CA
failed to uninstall CA instance CalledProcessError(Command ['/usr/sbin/pkidestroy', '-i', 'pki-tomcat', '-s', 'CA', '--log-file', '/var/log/pki/pki-ca-destroy.20230614020451.log'] returned non-zero exit status 1: 'SSLSocketException: Unable to connect: (-5961) TCP connection reset by peer.\nERROR: Unable to remove CA from security domain\nERROR: To remove manually:\nERROR: $ pki -U https://master.ipadomain.test:8443 -n <admin> securitydomain-host-del "CA master.ipadomain.test 443"\nERROR: Command \'[\'pki\', \'-d\', \'/etc/pki/pki-tomcat/alias\', \'-f\', \'/etc/pki/pki-tomcat/password.conf\', \'-n\', \'subsystemCert cert-pki-ca\', \'-U\', \'https://master.ipadomain.test:8443\', \'--ignore-banner\', \'securitydomain-leave\', \'--type\', \'CA\', \'--hostname\', \'master.ipadomain.test\', \'--secure-port\', \'443\', \'CA master.ipadomain.test 443\']\' returned non-zero exit status 255.\nERROR: CalledProcessError: Command \'[\'pki\', \'-d\', \'/etc/pki/pki-tomcat/alias\', \'-f\', \'/etc/pki/pki-tomcat/password.conf\', \'-n\', \'subsystemCert cert-pki-ca\', \'-U\', \'https://master.ipadomain.test:8443\', \'--ignore-banner\', \'securitydomain-leave\', \'--type\', \'CA\', \'--hostname\', \'master.ipadomain.test\', \'--secure-port\', \'443\', \'CA master.ipadomain.test 443\']\' returned non-zero exit status 255.\n  File "/usr/lib/python3.9/site-packages/pki/server/pkidestroy.py", line 255, in main\n    scriptlet.destroy(deployer)\n  File "/usr/lib/python3.9/site-packages/pki/server/deployment/scriptlets/initialization.py", line 220, in destroy\n    deployer.leave_security_domain(instance, subsystem)\n  File "/usr/lib/python3.9/site-packages/pki/server/deployment/__init__.py", line 1448, in leave_security_domain\n    subsystem.leave_security_domain(\n  File "/usr/lib/python3.9/site-packages/pki/server/subsystem.py", line 1591, in leave_security_domain\n    subprocess.check_call(cmd)\n  File "/usr/lib64/python3.9/subprocess.py", line 373, in check_call\n    raise CalledProcessError(retcode, cmd)\n\n')
Unconfiguring named
Unconfiguring ipa-dnskeysyncd
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
Unconfiguring ipa-custodia
Unconfiguring ipa-otpd
Removing IPA client configuration
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Unconfiguring the NIS domain.
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Systemwide CA database updated.
Client uninstall complete.
The ipa-client-install command was successful
The ipa-server-install command was successful

Comment 2 Florence Blanc-Renaud 2023-06-14 09:57:01 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/9330

Comment 3 Varun Mylaraiah 2023-06-14 09:58:23 UTC
Additional information:

also, Failure was noticed in the ipa-server-4.10.1-7 and idm-pki-ca-11.4.2-1

But it was working fine with ipa-server-4.10.1-6 and idm-pki-ca-11.3.0-1

Comment 4 Florence Blanc-Renaud 2023-06-14 09:59:34 UTC
The issue was also seen upstream and appeared with PKI 11.4.
With earlier versions, pki destroy is successful even if the PKI service is down. With 11.4 it fails.

IPA uninstallation stops the pki service before calling pkidestroy, we should investigate if it's possible to keep pki running.

Comment 5 Thomas Woerner 2023-06-14 10:03:26 UTC
There are two issues here:

"Unconfiguring CA" is failing

AND

"ipa-server-install --uninstall -U" is not failing.

Comment 6 Rob Crittenden 2023-06-14 11:57:07 UTC
The uninstall not failing if any component fails to uninstall is working as expected. It charges on and the uninstaller is idempotent so can be re-run.

There are several valid use-cases to uninstall any component where it is not running:
- it wasn't completely set up in the first place (deployment fails)
- some configuration is in such a state the component simply won't start (e.g. expired certificates)

I think the pki team is going to need to address this.

Comment 7 Florence Blanc-Renaud 2023-06-14 13:20:54 UTC
Upstream PR: https://github.com/freeipa/freeipa/pull/6881

Comment 9 Florence Blanc-Renaud 2023-06-21 19:11:01 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/67a33e5a305c7510fb182f84e46f304043f6ab37
https://pagure.io/freeipa/c/6c84ae5c3035ecd917404cc41c32a4b25c607b46


Test case available upstream: test_integration/test_backup_and_restore.py::TestBackupReinstallRestoreWithKRA::test_full_backup_reinstall_restore_with_vault

Comment 11 anuja 2023-07-05 07:01:40 UTC
Test result without fix:

FAILED test_integration/test_backup_and_restore.py::TestBackupReinstallRestoreWithKRA::test_full_backup_reinstall_restore_with_vault
============== 1 failed, 1 passed, 1 warning in 746.24s (0:12:26) ==============



===========================================================================================================================================================

Test result with fix using test-compose:

test_integration/test_backup_and_restore.py::TestBackupReinstallRestoreWithKRA::test_full_backup_reinstall_restore_with_vault PASSED [ 50%]
test_integration/test_backup_and_restore.py::TestBackupReinstallRestoreWithKRA::test_no_error_message_with_uninstall_ipa_with_kra PASSED [100%]

=============================== warnings summary ===============================
================== 2 passed, 1 warning in 1135.84s (0:18:55) ===================

Comment 14 anuja 2023-07-12 12:41:51 UTC
Verified using nightly build:
ipa-4.10.2-2.el9

test_integration/test_backup_and_restore.py::TestBackupReinstallRestoreWithKRA::test_full_backup_reinstall_restore_with_vault PASSED [ 50%]
test_integration/test_backup_and_restore.py::TestBackupReinstallRestoreWithKRA::test_no_error_message_with_uninstall_ipa_with_kra PASSED [100%]

----------- generated html file: file:///home/cloud-user/report.html -----------
================== 2 passed, 1 warning in 1123.16s (0:18:43) ===================

Comment 17 errata-xmlrpc 2023-11-07 08:34:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6477


Note You need to log in before you can comment on or make changes to this bug.