Description of problem:
Initial install adds a cert. But since this cert is not removed by an uninstall, subsequent installs though successful, throw an error:
certmonger request for host certificate failed

On first install, debug indicates:
root : DEBUG args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate - rhel61-client.testrelm -N CN=rhel61-client.testrelm,O=TESTRELM -K host/rhel61-client.testrelm@TESTRELM
root : DEBUG stdout=New signing request "20110301182803" added.

Next uninstall, stderr has no errors and debug includes the below:
root : DEBUG stderr=
root : DEBUG args=/usr/bin/certutil -L -d /etc/pki/nssdb -n IPA Machine Certificate - rhel61-client.testrelm
root : DEBUG stdout=
root : DEBUG stderr=certutil: Could not find cert: IPA Machine Certificate - rhel61-client.testrelm
: File not found.

Subsequent installs....
stderr has:
certmonger request for host certificate failed

debug has:
root : DEBUG args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate - rhel61-client.testrelm -N CN=rhel61-client.testrelm,O=TESTRELM -K host/rhel61-client.testrelm@TESTRELM
root : DEBUG stdout=Error org.fedorahosted.certmonger.duplicate: Certificate at same location is already used by request "20110301182803".
root : DEBUG stderr=
certmonger request for host certificate failed

Version-Release number of selected component (if applicable):
ipa-client-2.0.0-13.el6.x86_64

How reproducible:
on all subsequent installs

Steps to Reproduce:
1. ipa-client-install
2. ipa-client-uninstall
3. ipa-client-install

Actual results:
error: certmonger request for host certificate failed

Expected results:
no error

Additional info:
# certutil -K -d /etc/pki/nssdb/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      99850cc3f9fdfdca4c8865810f8ba841bcdd71e9   IPA Machine Certificate - rhel61-client.testrelm

# certutil -L -d /etc/pki/nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA CA                                                       CT,C,C
https://fedorahosted.org/freeipa/ticket/1028
Can you attach /var/log/ipaclient-install.log and /var/log/ipaclient-uninstall.log?

If this is easily reproducible can you:

0. Make sure certmonger isn't already tracking any certs
1. ipa-client-install <options>
2. ipa-getcert list
3. ipa-client-install --uninstall
4. service certmonger start
5. ipa-getcert list

And attach the client install/uninstall log and the output from the two ipa-getcert commands?
Created attachment 481864 [details] Install log
Created attachment 481865 [details] Uninstall log
After install, output for: ipa-getcert list

[root@rhel61-client ~]# ipa-getcert list
Number of certificates and requests being tracked: 1.
Request ID '20110301182803':
	status: NEED_TO_SUBMIT
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname=IPA Machine Certificate - rhel61-client.testrelm,token='NSS Certificate DB'
	certificate: type=NSSDB,location='/etc/pki/nssdb',nickname=IPA Machine Certificate - rhel61-client.testrelm
	CA: IPA
	issuer: 
	subject: 
	expires: unknown
	track: yes
	auto-renew: yes

After uninstall, output for: ipa-getcert list

[root@rhel61-client ~]# ipa-getcert list
Number of certificates and requests being tracked: 1.
Request ID '20110301182803':
	status: NEED_TO_SUBMIT
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname=IPA Machine Certificate - rhel61-client.testrelm,token='NSS Certificate DB'
	certificate: type=NSSDB,location='/etc/pki/nssdb',nickname=IPA Machine Certificate - rhel61-client.testrelm
	CA: IPA
	issuer: 
	subject: 
	expires: unknown
	track: yes
	auto-renew: yes
I see what the problem is. We only stop tracking the request if it has been issued.

In ipa-client-install look for:

    if nickname_exists(client_nss_nickname):
        ...

We only want to try to remove the cert if it exists but we always want to call certmonger.stop_tracking (I think). It should handle cases where the cert isn't requested, requested but not issued or issued.
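The uninstall logic described in the comment above, as an added example that is not FreeIPA's own code: find every certmonger request bound to the client's NSS database and nickname from `ipa-getcert list` output, stop tracking all of them whatever their status (NEED_TO_SUBMIT, MONITORING, or anything else), and only delete the certificate when it was actually issued. The `ipa-getcert list` text is the sample from comment 7 embedded as a constructed string; the function names and the `cert_exists` parameter (standing in for the result of `certutil -L -d <dbdir> -n <nickname>`) are assumptions, not FreeIPA identifiers.

```python
"""Added example (not FreeIPA's own code): clean up certmonger tracking on
ipa-client uninstall regardless of whether the host cert was ever issued.

Assumptions (not from the bug report): the helper names below are hypothetical;
SAMPLE_LIST is the `ipa-getcert list` output quoted in the thread, embedded here
as a constructed string so the example runs offline."""
import re

# Constructed sample: the NEED_TO_SUBMIT request left behind after an uninstall.
SAMPLE_LIST = """Number of certificates and requests being tracked: 1.
Request ID '20110301182803':
\tstatus: NEED_TO_SUBMIT
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname=IPA Machine Certificate - rhel61-client.testrelm,token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/pki/nssdb',nickname=IPA Machine Certificate - rhel61-client.testrelm
\tCA: IPA
\tissuer: 
\tsubject: 
\texpires: unknown
\ttrack: yes
\tauto-renew: yes
"""

NSSDB = "/etc/pki/nssdb"
NICKNAME = "IPA Machine Certificate - rhel61-client.testrelm"


def parse_getcert_list(text):
    """Parse `ipa-getcert list` output into one dict per request.

    Each dict carries 'id' plus the indented 'key: value' fields. Field values
    may themselves contain '=' and ',' (the storage specs), so split only on the
    first ':' of each line."""
    requests = []
    current = None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return requests


def parse_storage(spec):
    """Split "type=NSSDB,location='/etc/pki/nssdb',nickname=...,token='...'" into a dict.

    Nicknames contain spaces and hyphens, so split only at ',<key>=' boundaries
    rather than on every comma."""
    fields = {}
    for part in re.split(r",(?=\w+=)", spec):
        key, _, value = part.partition("=")
        fields[key] = value.strip("'")
    return fields


def tracked_request_ids(list_output, location, nickname):
    """Return every request ID whose certificate slot points at this NSS DB and
    nickname, whatever its status. The original uninstall only looked at issued
    certs, so a request still in NEED_TO_SUBMIT survived and blocked the next
    install with certmonger's 'duplicate' error."""
    ids = []
    for req in parse_getcert_list(list_output):
        storage = parse_storage(req.get("certificate", ""))
        if storage.get("location") == location and storage.get("nickname") == nickname:
            ids.append(req["id"])
    return ids


def uninstall_cert_commands(list_output, location, nickname, cert_exists):
    """Build the commands an uninstall should run (hypothetical helper).

    cert_exists stands in for the result of `certutil -L -d <location> -n <nickname>`.
    Tracking is always stopped; the cert is only deleted if it was actually issued."""
    cmds = []
    for req_id in tracked_request_ids(list_output, location, nickname):
        cmds.append(["ipa-getcert", "stop-tracking", "-i", req_id])
    if cert_exists:
        cmds.append(["certutil", "-D", "-d", location, "-n", nickname])
    return cmds


if __name__ == "__main__":
    for cmd in uninstall_cert_commands(SAMPLE_LIST, NSSDB, NICKNAME, cert_exists=False):
        print(" ".join(cmd))
```

Run against the sample, the planner emits only `ipa-getcert stop-tracking -i 20110301182803`, which is exactly what the fixed uninstall logs in comment 10 show; with an issued cert it would additionally run `certutil -D`.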
master: 61d70657ab93bb4ce74013dcfef9b9592460caaf
Verified. Install doesn't display the error anymore, and debug logs have:

2011-03-11 07:49:26,434 DEBUG args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate - rhel61-client.testrelm -N CN=rhel61-client.testrelm,O=TESTRELM -K host/rhel61-client.testrelm@TESTRELM
2011-03-11 07:49:26,435 DEBUG stdout=New signing request "20110311124926" added.

And uninstall logs have:

2011-03-11 07:49:05,354 DEBUG args=/usr/bin/ipa-getcert stop-tracking -i 20110311124853
2011-03-11 07:49:05,355 DEBUG stdout=Request "20110311124853" removed.

verified with: ipa-client-2.0.0-13.20110310T0728zgited5cffd.el6.x86_64
Not getting "Verified" as a status option.. changing to "Modified"
Per comment 10 - setting bug status to verified.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2011-0631.html