Bug 681334 - Uninstalling ipa-client doesn't remove cert
Summary: Uninstalling ipa-client doesn't remove cert
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: beta
Target Release: 6.1
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-03-01 19:47 UTC by Namita Soman
Modified: 2018-12-02 15:01 UTC (History)

Fixed In Version: ipa-2.0.0-14.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-19 13:44:33 UTC
Target Upstream Version:
Embargoed:


Attachments
Install log (10.73 KB, application/octet-stream), 2011-03-02 13:37 UTC, Namita Soman
Uninstall log (7.48 KB, application/octet-stream), 2011-03-02 13:37 UTC, Namita Soman


Links
Red Hat Product Errata RHEA-2011:0631 (priority normal, status SHIPPED_LIVE): new package: ipa, last updated 2011-05-18 17:55:55 UTC

Description Namita Soman 2011-03-01 19:47:14 UTC
Description of problem:
Initial install adds a cert. But since this cert is not removed by an uninstall, subsequent installs, though successful, throw an error:
certmonger request for host certificate failed

On first install, debug indicates:
root        : DEBUG    args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate - rhel61-client.testrelm -N CN=rhel61-client.testrelm,O=TESTRELM -K host/rhel61-client.testrelm@TESTRELM
root        : DEBUG    stdout=New signing request "20110301182803" added.

Next uninstall, stderr has no errors and debug includes the below:
root        : DEBUG    stderr=
root        : DEBUG    args=/usr/bin/certutil -L -d /etc/pki/nssdb -n IPA Machine Certificate - rhel61-client.testrelm
root        : DEBUG    stdout=
root        : DEBUG    stderr=certutil: Could not find cert: IPA Machine Certificate - rhel61-client.testrelm
: File not found.

Subsequent installs...
stderr has:
certmonger request for host certificate failed
debug has:
root        : DEBUG    args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate - rhel61-client.testrelm -N CN=rhel61-client.testrelm,O=TESTRELM -K host/rhel61-client.testrelm@TESTRELM
root        : DEBUG    stdout=Error org.fedorahosted.certmonger.duplicate: Certificate at same location is already used by request "20110301182803".
root        : DEBUG    stderr=
certmonger request for host certificate failed

Version-Release number of selected component (if applicable):
ipa-client-2.0.0-13.el6.x86_64

How reproducible:
on all subsequent installs


Steps to Reproduce:
1.ipa-client-install
2.ipa-client-uninstall
3.ipa-client-install
  
Actual results:
error: certmonger request for host certificate failed

Expected results:
no error


Additional info:
# certutil -K -d /etc/pki/nssdb/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      99850cc3f9fdfdca4c8865810f8ba841bcdd71e9   IPA Machine Certificate - rhel61-client.testrelm

# certutil -L  -d /etc/pki/nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA CA                                                       CT,C,C

Comment 1 Dmitri Pal 2011-03-01 20:03:30 UTC
https://fedorahosted.org/freeipa/ticket/1028

Comment 3 Rob Crittenden 2011-03-01 21:27:11 UTC
Can you attach /var/log/ipaclient-install.log and  /var/log/ipaclient-uninstall.log?

If this is easily reproducible can you:

0. Make sure certmonger isn't already tracking any certs
1. ipa-client-install <options>
2. ipa-getcert list
3. ipa-client-install --uninstall
4. service certmonger start
5. ipa-getcert list

And attach the client install/uninstall log and the output from the two ipa-getcert commands?

Comment 4 Namita Soman 2011-03-02 13:37:25 UTC
Created attachment 481864 [details]
Install log

Comment 5 Namita Soman 2011-03-02 13:37:59 UTC
Created attachment 481865 [details]
Uninstall log

Comment 6 Namita Soman 2011-03-02 13:40:11 UTC
After install:
output for: ipa-getcert list
[root@rhel61-client ~]# ipa-getcert list
Number of certificates and requests being tracked: 1.
Request ID '20110301182803':
	status: NEED_TO_SUBMIT
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname=IPA Machine Certificate - rhel61-client.testrelm,token='NSS Certificate DB'
	certificate: type=NSSDB,location='/etc/pki/nssdb',nickname=IPA Machine Certificate - rhel61-client.testrelm
	CA: IPA
	issuer: 
	subject: 
	expires: unknown
	track: yes
	auto-renew: yes



After uninstall:
output for: ipa-getcert list
[root@rhel61-client ~]# ipa-getcert list
Number of certificates and requests being tracked: 1.
Request ID '20110301182803':
	status: NEED_TO_SUBMIT
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname=IPA Machine Certificate - rhel61-client.testrelm,token='NSS Certificate DB'
	certificate: type=NSSDB,location='/etc/pki/nssdb',nickname=IPA Machine Certificate - rhel61-client.testrelm
	CA: IPA
	issuer: 
	subject: 
	expires: unknown
	track: yes
	auto-renew: yes

Comment 7 Rob Crittenden 2011-03-02 13:58:10 UTC
I see what the problem is. We only stop tracking the request if it has been issued.

In ipa-client-install look for:

    if nickname_exists(client_nss_nickname):
    ...

We only want to try to remove the cert if it exists but we always want to call certmonger.stop_tracking (I think). It should handle cases where the cert isn't requested, requested but not issued or issued.

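As an added illustration of the condition Rob describes (this is example code written for this page, not FreeIPA's ipa-client-install), the snippet below parses the `ipa-getcert list` output quoted in comment 6, then compares the pre-fix decision (stop tracking only when the cert nickname exists in the NSS database) with the fixed one (always stop tracking any request that points at the client nickname). The listing and the set of NSS nicknames are constructed from the report; the function names and the `fixed` flag are assumptions of this example.

```python
import re

# Constructed sample: the `ipa-getcert list` output quoted in comment 6,
# captured after uninstall (request still tracked, certificate never issued).
SAMPLE_LISTING = """\
Number of certificates and requests being tracked: 1.
Request ID '20110301182803':
\tstatus: NEED_TO_SUBMIT
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname=IPA Machine Certificate - rhel61-client.testrelm,token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/pki/nssdb',nickname=IPA Machine Certificate - rhel61-client.testrelm
\tCA: IPA
\tissuer:
\tsubject:
\texpires: unknown
\ttrack: yes
\tauto-renew: yes
"""

CLIENT_NICKNAME = "IPA Machine Certificate - rhel61-client.testrelm"


def parse_getcert_list(text):
    """Split `ipa-getcert list` output into one dict per tracked request."""
    requests = []
    current = None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and line.startswith("\t"):
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return requests


def certificate_nickname(request):
    """Extract the NSS nickname from a request's 'certificate:' attribute."""
    m = re.search(r"nickname=(.*?)(?:,token=|$)", request.get("certificate", ""))
    return m.group(1) if m else None


def uninstall_cleanup(listing, nickname, nss_nicknames, fixed=True):
    """Decide what the uninstall should do for the client's host cert.

    nss_nicknames: nicknames present in /etc/pki/nssdb (what `certutil -L` shows).
    Returns (certs_to_delete, request_ids_to_stop_tracking).
    """
    certs_to_delete = [nickname] if nickname in nss_nicknames else []
    tracked = [r["id"] for r in parse_getcert_list(listing)
               if certificate_nickname(r) == nickname]
    if not fixed and not certs_to_delete:
        # Pre-fix behaviour (assumed shape of the bug): stop_tracking was nested
        # under nickname_exists(), so a request that was never issued stayed
        # tracked and the next install hit certmonger.duplicate.
        return certs_to_delete, []
    # Fixed behaviour: delete the cert only if present, but always untrack.
    return certs_to_delete, tracked


def cleanup_commands(certs_to_delete, request_ids, nssdb="/etc/pki/nssdb"):
    """Build the certutil / ipa-getcert commands for the decisions above."""
    cmds = [["/usr/bin/certutil", "-D", "-d", nssdb, "-n", nick] for nick in certs_to_delete]
    cmds += [["/usr/bin/ipa-getcert", "stop-tracking", "-i", rid] for rid in request_ids]
    return cmds


if __name__ == "__main__":
    # Per the report's certutil -L output, the NSS DB only held "IPA CA" after uninstall.
    certs, reqs = uninstall_cleanup(SAMPLE_LISTING, CLIENT_NICKNAME, {"IPA CA"}, fixed=True)
    for cmd in cleanup_commands(certs, reqs):
        print(" ".join(cmd))
```

With the report's state (no host cert in the NSS DB, one NEED_TO_SUBMIT request), the pre-fix decision issues no commands at all, which is exactly why the request survived uninstall; the fixed decision still skips the certutil delete but emits `ipa-getcert stop-tracking -i 20110301182803`, matching the uninstall log line in comment 10.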
Comment 8 Dmitri Pal 2011-03-08 22:11:03 UTC
master: 61d70657ab93bb4ce74013dcfef9b9592460caaf

Comment 10 Namita Soman 2011-03-11 12:52:41 UTC
Verified.

Install doesn't display the error anymore, and debug logs have:
2011-03-11 07:49:26,434 DEBUG args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate - rhel61-client.testrelm -N CN=rhel61-client.testrelm,O=TESTRELM -K host/rhel61-client.testrelm@TESTRELM
2011-03-11 07:49:26,435 DEBUG stdout=New signing request "20110311124926" added.

And uninstall logs have:
2011-03-11 07:49:05,354 DEBUG args=/usr/bin/ipa-getcert stop-tracking -i 20110311124853
2011-03-11 07:49:05,355 DEBUG stdout=Request "20110311124853" removed.

verified with:
ipa-client-2.0.0-13.20110310T0728zgited5cffd.el6.x86_64

Comment 11 Namita Soman 2011-03-11 16:06:50 UTC
Not getting "Verified" as a status option... changing to "Modified".

Comment 13 Jenny Severance 2011-03-11 16:42:30 UTC
per comment 10 - setting bug status to verified.

Comment 14 errata-xmlrpc 2011-05-19 13:44:33 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2011-0631.html

