Bug 948993 - certmonger failing after IPA uninstall and reinstall
Summary: certmonger failing after IPA uninstall and reinstall
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: certmonger
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Nalin Dahyabhai
QA Contact: Kaleem
URL: http://git.fedorahosted.org/cgit/cert...
Whiteboard:
Depends On:
Blocks: 1056252 1061410
 
Reported: 2013-04-05 15:36 UTC by Scott Poore
Modified: 2014-10-14 07:12 UTC (History)
CC: 9 users

Fixed In Version: certmonger-0.75.5-1.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-14 07:12:27 UTC
Target Upstream Version:




Links:
Red Hat Product Errata RHBA-2014:1512 (priority normal, status SHIPPED_LIVE): certmonger bug fix and enhancement update, last updated 2014-10-14 01:22:25 UTC

Description Scott Poore 2013-04-05 15:36:17 UTC
Description of problem:

certmonger is not working properly after IPA uninstall and reinstall.  I'm seeing this after upgrading IPA to RHEL6.4, uninstalling, then attempting to re-install:

root        : ERROR    certmonger failed starting to track certificate: Command '/usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-TESTRELM-COM/ -n Server-Cert -p /etc/dirsrv/slapd-TESTRELM-COM//pwdfile.txt' returned non-zero exit status 1

root        : ERROR    certmonger failed starting to track certificate: Command '/usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-PKI-IPA/ -n Server-Cert -p /etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' returned non-zero exit status 1

When troubleshooting the issue, I find that certmonger at this point isn't running cleanly:

[root@rhel6-1 cas]# service certmonger start

[root@rhel6-1 cas]# service certmonger status
certmonger (pid  1237) is running...

[root@rhel6-1 cas]# getcert list
Number of certificates and requests being tracked: 0.

[root@rhel6-1 cas]# getcert list-cas
Please verify that the certmonger service is still running.

[root@rhel6-1 cas]# find /var/lib/certmonger/ -ls
  5008    4 drwxr-xr-x   4 root     root         4096 Apr  4 22:09 /var/lib/certmonger/
  5152    4 drwxr-xr-x   2 root     root         4096 Apr  5 10:57 /var/lib/certmonger/requests
  5019    4 drwxr-xr-x   2 root     root         4096 Apr  5 10:52 /var/lib/certmonger/cas
   110    4 -rw-------   1 root     root          108 Apr  5 10:52 /var/lib/certmonger/cas/20130405000552-2
  6229    4 -rw-------   1 root     root           72 Apr  5 10:52 /var/lib/certmonger/cas/20130405000552
    87    4 -rw-------   1 root     root           94 Apr  5 10:52 /var/lib/certmonger/cas/20130405000552-1
  4775    4 -rw-------   1 root     root          132 Apr  5 10:52 /var/lib/certmonger/cas/20130405011928

[root@rhel6-1 cas]# service certmonger status
certmonger dead but pid file exists

[root@rhel6-1 cas]# for file in $(ls); do
> echo "============= $file ============="
> cat $file
> done
============= 20130405000552 =============
id=SelfSign
ca_is_default=0
ca_type=INTERNAL:SELF
ca_internal_serial=01
============= 20130405000552-1 =============
id=IPA
ca_is_default=0
ca_type=EXTERNAL
ca_external_helper=/usr/libexec/certmonger/ipa-submit
============= 20130405000552-2 =============
id=certmaster
ca_is_default=0
ca_type=EXTERNAL
ca_external_helper=/usr/libexec/certmonger/certmaster-submit
============= 20130405011928 =============
id=dogtag-ipa-renew-agent
ca_is_default=0
ca_type=EXTERNAL
ca_external_helper=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit


Version-Release number of selected component (if applicable):
certmonger-0.61-3.el6.x86_64 after final upgrade
certmonger-0.50-3.el6.x86_64 after re-install

How reproducible:
very to always


Steps to Reproduce:
1.  Install IPA on RHEL6.2
2.  point to RHEL6.3 repo and run:  yum -y update "ipa-*"
3.  point to RHEL6.4 repo and run:  yum  -y update "ipa-*"
4.  ipa-server-install --uninstall -U
5.  remove RHEL6.3 and 6.4 repo configs
6.  uninstall/downgrade back to 6.2 version of RPMs
7.  re-install IPA on 6.2

Actual results:

Certmonger errors during ipa-server-install when being re-installed.  Also certmonger doesn't continue to run.

Expected results:

No problems.


Additional info:

If I remove all of /var/lib/certmonger after the certmonger rpm is removed and before the re-install, it works fine.

Notes on how I'm uninstalling/reinstalling:
##### uninstall:

ipa-server-install --uninstall -U

/bin/rm -rf /var/lib/ipa/
/bin/rm -rf /var/lib/sss/
/bin/rm -rf /usr/share/ipa
/bin/rm -rf /var/log/dirsrv/*
/bin/rm -f /tmp/krb5cc_0
/bin/rm -f /tmp/krb5cc_48
/bin/rm -f /etc/ipa/ca.crt
/bin/rm -f /etc/krb5.keytab

yum -y remove 'ipa*' '389-ds-base*' bind krb5-workstation bind-dyndb-ldap krb5-pkinit-openssl httpd httpd-tools

yum -y remove sssd libipa_hbac krb5-server certmonger slapi-nis sssd-client 'pki*' 'tomcat6*' mod_nss

yum -y remove memcached python-memcached

yum -y remove libldb libsss_autofs

yum -y downgrade krb5-devel krb5-libs 'bind-*'

yum -y downgrade curl 'nss*' 'openldap*' 'libselinux*' 'nspr*' 'libcurl*'

##### reinstall

yum -y install bind expect krb5-workstation bind-dyndb-ldap krb5-pkinit-openssl nmap

yum install ipa-server

ipa-server-install -U --setup-dns --forwarder=$DNSFORWARD --hostname=$MASTER_S.$DOMAIN -r $RELM -n $DOMAIN -p $ADMINPW -P $ADMINPW -a $ADMINPW

Comment 1 Rob Crittenden 2013-04-05 17:31:53 UTC
When I tested this on Scott's machine what I saw was that list-cas caused it to fail.

I could list requests and start/stop tracking of certs but not list the CAs.

I stopped my investigation at that point.

Comment 2 Nalin Dahyabhai 2013-04-05 18:39:42 UTC
There are two things going on here.

The first is a bug that happens when certmonger reconnects to the system message bus, which it's only able to do because it marks its original connection with the "don't exit on disconnect" flag.  It fails to mark the new connection with the same flag, so if it's disconnected a second time, it exits.  This will be fixed upstream shortly.

The second is that before 0.51, the identifiers for CAs and certificate requests were incorporated into the names which were assigned to them when they were exposed via D-Bus as part of the API which certmonger provides to its clients (getcert is such a client).  However, the name "dogtag-ipa-renew-agent" is not part of a valid object name as far as D-Bus is concerned, so when a client asked it for a list of known CAs, and certmonger attempted to respond with a list of their object names, the message bus daemon would notice that the reply message included invalid data and would drop certmonger.  This was fixed upstream in version 0.51, so versions of the package in EL 6.3 and later didn't suffer from it.

When the second bug was triggered, the first bug was triggered, and if the second bug was triggered again, the service would be stopped, and that's what's happening here.  The patch for it is pretty trivial, so I'll leave this one open to track the first bug, as the second one is already fixed.

Comment 3 Scott Poore 2013-04-26 18:01:54 UTC
So it's that one dogtag-ipa-renew-agent name causing all to be dropped and then certmonger stopped?  

Should those files have been left behind after uninstall/downgrade I did?  Or should they have been cleaned up by the rpm removal?

Can I test for this bug with something like this:

After uninstall:

grep id=dogtag-ipa-renew-agent /var/lib/certmonger/cas/*

If it's found, and version is < 0.51, then, we've hit this bug?


Thanks,
Scott
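The check Scott proposes in comment 3, combined with the root cause from comment 2 (a CA id that is not a valid D-Bus object path element, exposed verbatim by certmonger older than 0.51), can be automated. The following is an added example written for this page, not code from certmonger or from the bug's participants. It parses the key=value CA records under /var/lib/certmonger/cas/, flags any whose id falls outside the D-Bus object path element alphabet [A-Za-z0-9_] (the reason "dogtag-ipa-renew-agent" broke list-cas), and only reports them when the installed certmonger version is below 0.51. The sample records are the four files printed in the bug description; writing them to a temporary directory is an assumption made so the example runs offline. The function names are this example's own.

```python
import os
import re
import tempfile

# Per the D-Bus specification, each element of an object path may contain
# only ASCII letters, digits and underscore.  Comment 2 above says that
# certmonger before 0.51 built D-Bus object names from CA ids verbatim, so
# an id containing '-' such as "dogtag-ipa-renew-agent" produced an invalid
# reply and the bus dropped the daemon.
DBUS_PATH_ELEMENT = re.compile(r"^[A-Za-z0-9_]+$")

# First upstream version that no longer exposes the raw id (comment 2).
FIXED_IN = (0, 51)

# Sample CA records copied from the "cat" output in the bug description.
# File names are constructed to match the find(1) listing there.
SAMPLE_CAS = {
    "20130405000552": "id=SelfSign\nca_is_default=0\nca_type=INTERNAL:SELF\nca_internal_serial=01\n",
    "20130405000552-1": "id=IPA\nca_is_default=0\nca_type=EXTERNAL\nca_external_helper=/usr/libexec/certmonger/ipa-submit\n",
    "20130405000552-2": "id=certmaster\nca_is_default=0\nca_type=EXTERNAL\nca_external_helper=/usr/libexec/certmonger/certmaster-submit\n",
    "20130405011928": "id=dogtag-ipa-renew-agent\nca_is_default=0\nca_type=EXTERNAL\nca_external_helper=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit\n",
}


def parse_ca_record(text):
    """Parse one certmonger CA record (key=value per line) into a dict.

    Only the first '=' splits key from value, so values such as
    'INTERNAL:SELF' or helper paths survive intact.
    """
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        record[key.strip()] = value.strip()
    return record


def is_valid_dbus_path_element(name):
    """True if 'name' could be used unchanged as a D-Bus object path element."""
    return bool(DBUS_PATH_ELEMENT.match(name))


def parse_certmonger_version(nvr):
    """'0.50-3.el6' or '0.75.6-1.el6.x86_64' -> (0, 50) / (0, 75, 6)."""
    upstream = nvr.split("-")[0]
    return tuple(int(part) for part in upstream.split("."))


def find_problem_cas(cas_dir, certmonger_version):
    """Return [(file_name, ca_id)] for CA records an installed certmonger
    older than 0.51 cannot expose over D-Bus.  Returns [] for fixed versions,
    matching the 'found AND version < 0.51' condition from comment 3."""
    if parse_certmonger_version(certmonger_version) >= FIXED_IN:
        return []
    problems = []
    for name in sorted(os.listdir(cas_dir)):
        with open(os.path.join(cas_dir, name)) as fh:
            ca_id = parse_ca_record(fh.read()).get("id", "")
        if not is_valid_dbus_path_element(ca_id):
            problems.append((name, ca_id))
    return problems


def make_sample_cas_dir():
    """Write the sample records to a fresh temporary directory (assumption:
    stands in for /var/lib/certmonger/cas/) and return its path."""
    cas_dir = tempfile.mkdtemp(prefix="certmonger-cas-")
    for name, body in SAMPLE_CAS.items():
        with open(os.path.join(cas_dir, name), "w") as fh:
            fh.write(body)
    return cas_dir


if __name__ == "__main__":
    sample_dir = make_sample_cas_dir()
    for version in ("0.50-3.el6", "0.61-3.el6"):
        print(version, find_problem_cas(sample_dir, version))
```

On a real host the same check is `find_problem_cas("/var/lib/certmonger/cas", version)` with the version taken from `rpm -q --qf '%{VERSION}-%{RELEASE}' certmonger`; a non-empty result before a downgrade or reinstall of an older certmonger is the leftover state this bug describes, and an empty result after the 0.75.5 packaging has run is what comment 17 verifies with grep.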

Comment 4 Rob Crittenden 2013-04-26 18:15:42 UTC
IPA should probably remove this file on uninstall.

Comment 5 Scott Poore 2013-05-24 23:34:49 UTC
Resetting priority/severity back to medium as I just realized I accidentally unset that.

Comment 6 Nalin Dahyabhai 2013-07-30 15:54:40 UTC
(In reply to Scott Poore from comment #3)
> So it's that one dogtag-ipa-renew-agent name causing all to be dropped and
> then certmonger stopped?  
> 
> Should those files have been left behind after uninstall/downgrade I did? 
> Or should they have been cleaned up by the rpm removal?
> 
> Can I test for this bug with something like this:
> 
> After uninstall:
> 
> grep id=dogtag-ipa-renew-agent /var/lib/certmonger/cas/*
> 
> If it's found, and version is < 0.51, then, we've hit this bug?

Yes.  6.4 went out with 0.61, so what exactly are the expectations here?

Comment 7 Scott Poore 2013-07-30 17:26:44 UTC
I was looking for a way to confirm if the bug is seen.  My upgrade testing can start on older versions of RHEL.  So the re-install can occur on an older version of RHEL 6.  I'm just looking to see if there's an easy way to flag this when it is seen.

So, the newer version of certmonger does cleanup of the file with id=dogtag-ipa-renew-agent now or this is something that ipa should handle?  Or does it handle this now?

Thanks

Comment 8 Nalin Dahyabhai 2014-06-20 21:39:17 UTC
The packaging starting with 0.75.5 should remove the dogtag-ipa-renew-cert CA when it detects a version older than 0.58 being installed.

Comment 10 Scott Poore 2014-07-02 14:32:02 UTC
Nalin,

So to do the test for this bug, will this process work:

upgrade from 6.3 to 6.6
uninstall
reinstall 6.3

And this should no longer be triggered right?

The uninstall step should now clean up or will it still leave things in a state that is expected to show this bug on the reinstall of IPA for the  RHEL6.3 version?

Thanks,
Scott

Comment 11 Nalin Dahyabhai 2014-07-02 16:02:21 UTC
If you're doing a from-scratch reinstall of the OS, you wouldn't have been hitting this problem.  The newer package notices when it's being downgraded to an older version, and removes its record of the CA that the older version won't be able to handle after the downgrade completes.  (If the package is being removed entirely, then the older version installed rather than downgraded, then the newer package won't be able to do anything to help.)

Comment 12 Scott Poore 2014-07-02 17:29:34 UTC
Not from scratch reinstall.  Sorry, wasn't clear there.  The upgrade/uninstall/reinstall refers to ipa and related components' rpms.

And, as of right now, certmonger is completely removed by the test scripts during the uninstall step.  It's not downgraded.  So removal still leaves things behind that the older version will have a problem with in this case?

However, it sounds like I should now be able to move certmonger from full remove to a downgrade and no longer see a problem?  Well, for downgrades from this fixed version to the older?

Comment 13 Nalin Dahyabhai 2014-07-02 21:36:46 UTC
(In reply to Scott Poore from comment #12)
> Not from scratch reinstall.  Sorry, wasn't clear there.  The
> upgrade/uninstall/reinstall refers to ipa and related components' rpms.
> 
> And, as of right now, certmonger is completely removed by the test scripts
> during the uninstall step.  It's not downgraded.  So removal still leaves
> things behind that the older version will have a problem with in this case?

Yes.  I guess we could do this on post-uninstalls too, but how would we know we should even bother?

> However, it sounds like I should now be able to move certmonger from full
> remove to a downgrade and no longer see a problem?  well for downgrades from
> this fixed version to the older?

Yes.

Comment 14 Scott Poore 2014-07-07 02:15:19 UTC
I have confirmed the same failure with downgrade from 6.5 version of IPA and certmonger back to 6.2 and then re-installed:

root        : ERROR    certmonger failed starting to track certificate: Command '/usr/bin/ipa-getcert start-tracking -d /etc/httpd/alias -n
Server-Cert -p /etc/httpd/alias/pwdfile.txt' returned non-zero exit status 1

Now cleanup reinstall 6.2 version and incrementally upgraded to 6.6 including certmonger:

[root@nocp12 ~]# rpm -q certmonger
certmonger-0.75.6-1.el6.x86_64

But, When I uninstall/reinstall there, I now see a client install error during the ipa-server-install:

+ ipa-server-install -r EXAMPLE.COM -p Secret123 -a Secret123 -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

To accept the default shown in brackets, press the Enter key.

The domain name has been calculated based on the host name.

The IPA Master Server will be configured with
Hostname:    zippyvm1.$DOMAIN
IP address:  10.8.60.60
Domain name: $DOMAIN

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
  [4/17]: disabling nonces
  [5/17]: creating CA agent PKCS#12 file in /root
  [6/17]: creating RA agent certificate database
  [7/17]: importing CA chain to RA certificate database
  [8/17]: fixing RA database permissions
  [9/17]: setting up signing cert profile
  [10/17]: set up CRL publishing
  [11/17]: set certificate subject base
  [12/17]: configuring certificate server to start on boot
  [13/17]: restarting certificate server
  [14/17]: requesting RA certificate from CA
  [15/17]: issuing RA agent certificate
  [16/17]: adding RA agent as a trusted user
  [17/17]: Configure HTTP to proxy connections
done configuring pki-cad.
Configuring directory server: Estimated time 1 minute
  [1/35]: creating directory server user
  [2/35]: creating directory server instance
  [3/35]: adding default schema
  [4/35]: enabling memberof plugin
  [5/35]: enabling referential integrity plugin
  [6/35]: enabling winsync plugin
  [7/35]: configuring replication version plugin
  [8/35]: enabling IPA enrollment plugin
  [9/35]: enabling ldapi
  [10/35]: configuring uniqueness plugin
  [11/35]: configuring uuid plugin
  [12/35]: configuring modrdn plugin
  [13/35]: enabling entryUSN plugin
  [14/35]: configuring lockout plugin
  [15/35]: creating indices
  [16/35]: configuring ssl for ds instance
  [17/35]: configuring certmap.conf
  [18/35]: configure autobind for root
  [19/35]: configure new location for managed entries
  [20/35]: restarting directory server
  [21/35]: adding default layout
  [22/35]: adding delegation layout
  [23/35]: adding replication acis
  [24/35]: creating container for managed entries
  [25/35]: configuring user private groups
  [26/35]: configuring netgroups from hostgroups
  [27/35]: creating default Sudo bind user
  [28/35]: creating default Auto Member layout
  [29/35]: creating default HBAC rule allow_all
  [30/35]: initializing group membership
  [31/35]: adding master entry
  [32/35]: configuring Posix uid/gid generation
  [33/35]: enabling compatibility plugin
Restarting IPA to initialize updates before performing deletes:
  [1/2]: stopping directory server
  [2/2]: starting directory server
done configuring dirsrv.
  [34/35]: tuning directory server
  [35/35]: configuring directory to start on boot
done configuring dirsrv.
Configuring Kerberos KDC: Estimated time 30 seconds
  [1/14]: setting KDC account password
  [2/14]: adding sasl mappings to the directory
  [3/14]: adding kerberos entries to the DS
  [4/14]: adding default ACIs
  [5/14]: configuring KDC
  [6/14]: adding default keytypes
  [7/14]: adding default password policy
  [8/14]: creating a keytab for the directory
  [9/14]: creating a keytab for the machine
  [10/14]: exporting the kadmin keytab
  [11/14]: adding the password extension to the directory
  [12/14]: adding the kerberos master key to the directory
  [13/14]: starting the KDC
  [14/14]: configuring KDC to start on boot
done configuring krb5kdc.
Configuring ipa_kpasswd
  [1/2]: starting ipa_kpasswd 
  [2/2]: configuring ipa_kpasswd to start on boot
done configuring ipa_kpasswd.
Configuring the web interface: Estimated time 1 minute
  [1/13]: disabling mod_ssl in httpd
  [2/13]: setting mod_nss port to 443
  [3/13]: setting mod_nss password file
  [4/13]: enabling mod_nss renegotiate
  [5/13]: adding URL rewriting rules
  [6/13]: configuring httpd
  [7/13]: setting up ssl
  [8/13]: setting up browser autoconfig
  [9/13]: publish CA cert
  [10/13]: creating a keytab for httpd
  [11/13]: configuring SELinux for httpd
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
done configuring httpd.
Applying LDAP updates
Restarting IPA to initialize updates before performing deletes:
  [1/2]: stopping directory server
  [2/2]: starting directory server
done configuring dirsrv.
Restarting the directory server
Restarting the KDC
Restarting the web server
Sample zone file for bind has been created in /tmp/sample.zone.FS8AV6.db
Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain $DOMAIN --server zippyvm1.$DOMAIN --realm
EXAMPLE.COM --hostname zippyvm1.$DOMAIN' returned non-zero exit status 1



From ipaserver-install.log:

2014-07-06 21:40:18,296 DEBUG args=/usr/sbin/ipa-client-install --on-master --unattended --domain $DOMAIN --server
zippyvm1.$DOMAIN --realm EXAMPLE.COM --hostname zippyvm1.$DOMAIN
2014-07-06 21:40:18,296 DEBUG stdout=ESC[?1034hDiscovery was successful!
Hostname: zippyvm1.$DOMAIN
Realm: EXAMPLE.COM
DNS Domain: $DOMAIN
IPA Server: zippyvm1.$DOMAIN
BaseDN: dc=example,dc=com


New SSSD config will be created.

2014-07-06 21:40:18,296 DEBUG stderr=DNS domain 'example.com' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1292, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 1279, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 1119, in install
    if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options):
  File "/usr/sbin/ipa-client-install", line 692, in configure_sssd_conf
    del sssdconfig
UnboundLocalError: local variable 'sssdconfig' referenced before assignment

It should be noted that in this example the test is run from:

ipa-server-install -r EXAMPLE.COM -p Secret123 -a Secret123 -U

So, no DNS and the realm differs from the DNS domain.

Comment 15 Nalin Dahyabhai 2014-07-07 13:50:44 UTC
(In reply to Scott Poore from comment #14)
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-client-install", line 1292, in <module>
>     sys.exit(main())
>   File "/usr/sbin/ipa-client-install", line 1279, in main
>     rval = install(options, env, fstore, statestore)
>   File "/usr/sbin/ipa-client-install", line 1119, in install
>     if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server,
> options):
>   File "/usr/sbin/ipa-client-install", line 692, in configure_sssd_conf
>     del sssdconfig
> UnboundLocalError: local variable 'sssdconfig' referenced before assignment

It doesn't seem likely that changes to certmonger would cause this.  Does it still happen if the version of the certmonger package is left unchanged during the test?

Comment 16 Scott Poore 2014-07-07 16:14:10 UTC
Yeah, I didn't think so but, thought I'd report it here since this is where I saw it and I wasn't sure if I was hitting something related here or something else.

I did test again (I hope) as suggested.  I installed on 6.2.  Updated ipa/certmonger components to rhel6.6 versions.  I uninstalled/downgraded as described earlier but, this time I left the newer versions of certmonger/nss/nspr:

certmonger-0.75.6-1.el6.x86_64
nss-3.16.1-8.el6.x86_64
nspr-4.10.6-1.el6.x86_64

I did see the same results where ipa-client-install of ipa-server-install (reinstall) failed.

So at this point, I guess I take that over to a different bug.

Do I have enough yet though to verify this bug as no longer occurring since I did not see the initially reported error when I tested in comment #14?

Thanks

Comment 17 Scott Poore 2014-07-07 18:40:19 UTC
Verified.

Version ::

certmonger.x86_64 0:0.75.6-1.el6 

Results ::

* Installed RHEL6.2 version of IPA and Certmonger.

* Upgraded to RHEL6.6 version of IPA and Certmonger.

* Uninstalled IPA server

[root@zippyvm4 bz948993]# ipa-server-install --uninstall -U
Shutting down all IPA services
Removing IPA client configuration
Unconfiguring ntpd
Unconfiguring CA directory server
Unconfiguring CA
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring directory server
Unconfiguring ipa_memcached

[root@zippyvm4 bz948993]# yum -y remove 'ipa*' '389-ds-base*' bind krb5-workstation bind-dyndb-ldap krb5-pkinit-openssl httpd httpd-tools
...
Complete!

[root@zippyvm4 bz948993]# 

[root@zippyvm4 bz948993]# yum -y remove sssd libipa_hbac krb5-server slapi-nis sssd-client 'pki*' 'tomcat6*' mod_nss
...      

Complete!


[root@zippyvm4 bz948993]# service certmonger status
certmonger is stopped
[root@zippyvm4 bz948993]# grep id=dogtag-ipa-renew-agent /var/lib/certmonger/cas/*
/var/lib/certmonger/cas/20140707173619:id=dogtag-ipa-renew-agent
[root@zippyvm4 bz948993]# 
[root@zippyvm4 bz948993]# yum -y downgrade certmonger 
Loaded plugins: product-id, security, subscription-manager
Updating certificate-based repositories.
Setting up Downgrade Process
Resolving Dependencies
--> Running transaction check
---> Package certmonger.x86_64 0:0.50-3.el6 will be a downgrade
---> Package certmonger.x86_64 0:0.75.6-1.el6 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================
 Package                 Arch                Version                  Repository                  Size
=======================================================================================================
Downgrading:
 certmonger              x86_64              0.50-3.el6               beaker-Server              203 k

Transaction Summary
=======================================================================================================
Downgrade     1 Package(s)

Total download size: 203 k
Downloading Packages:
certmonger-0.50-3.el6.x86_64.rpm                                                | 203 kB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
  Installing : certmonger-0.50-3.el6.x86_64                                                        1/2 
  Cleanup    : certmonger-0.75.6-1.el6.x86_64                                                      2/2 
Installed products updated.

Removed:
  certmonger.x86_64 0:0.75.6-1.el6                                                                     

Installed:
  certmonger.x86_64 0:0.50-3.el6                                                                       

Complete!

[root@zippyvm4 bz948993]# grep id=dogtag-ipa-renew-agent /var/lib/certmonger/cas/*
[root@zippyvm4 bz948993]# 

So, I can see that the patch removes the problem entry.


### Also with the addition of some new cleanup steps in uninstall phase, I was able to get a good re-install:

[root@zippyvm4 bz948993]# ipa-server-install -r EXAMPLE.COM -p Secret123 -a Secret123 -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

To accept the default shown in brackets, press the Enter key.

The domain name has been calculated based on the host name.

The IPA Master Server will be configured with
Hostname:    zippyvm4.idm.lab.eng.rdu2.redhat.com
IP address:  10.8.60.63
Domain name: idm.lab.eng.rdu2.redhat.com

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
  [4/17]: disabling nonces
  [5/17]: creating CA agent PKCS#12 file in /root
  [6/17]: creating RA agent certificate database
  [7/17]: importing CA chain to RA certificate database
  [8/17]: fixing RA database permissions
  [9/17]: setting up signing cert profile
  [10/17]: set up CRL publishing
  [11/17]: set certificate subject base
  [12/17]: configuring certificate server to start on boot
  [13/17]: restarting certificate server
  [14/17]: requesting RA certificate from CA
  [15/17]: issuing RA agent certificate
  [16/17]: adding RA agent as a trusted user
  [17/17]: Configure HTTP to proxy connections
done configuring pki-cad.
Configuring directory server: Estimated time 1 minute
  [1/35]: creating directory server user
  [2/35]: creating directory server instance
  [3/35]: adding default schema
  [4/35]: enabling memberof plugin
  [5/35]: enabling referential integrity plugin
  [6/35]: enabling winsync plugin
  [7/35]: configuring replication version plugin
  [8/35]: enabling IPA enrollment plugin
  [9/35]: enabling ldapi
  [10/35]: configuring uniqueness plugin
  [11/35]: configuring uuid plugin
  [12/35]: configuring modrdn plugin
  [13/35]: enabling entryUSN plugin
  [14/35]: configuring lockout plugin
  [15/35]: creating indices
  [16/35]: configuring ssl for ds instance
  [17/35]: configuring certmap.conf
  [18/35]: configure autobind for root
  [19/35]: configure new location for managed entries
  [20/35]: restarting directory server
  [21/35]: adding default layout
  [22/35]: adding delegation layout
  [23/35]: adding replication acis
  [24/35]: creating container for managed entries
  [25/35]: configuring user private groups
  [26/35]: configuring netgroups from hostgroups
  [27/35]: creating default Sudo bind user
  [28/35]: creating default Auto Member layout
  [29/35]: creating default HBAC rule allow_all
  [30/35]: initializing group membership
  [31/35]: adding master entry
  [32/35]: configuring Posix uid/gid generation
  [33/35]: enabling compatibility plugin
Restarting IPA to initialize updates before performing deletes:
  [1/2]: stopping directory server
  [2/2]: starting directory server
done configuring dirsrv.
  [34/35]: tuning directory server
  [35/35]: configuring directory to start on boot
done configuring dirsrv.
Configuring Kerberos KDC: Estimated time 30 seconds
  [1/14]: setting KDC account password
  [2/14]: adding sasl mappings to the directory
  [3/14]: adding kerberos entries to the DS
  [4/14]: adding default ACIs
  [5/14]: configuring KDC
  [6/14]: adding default keytypes
  [7/14]: adding default password policy
  [8/14]: creating a keytab for the directory
  [9/14]: creating a keytab for the machine
  [10/14]: exporting the kadmin keytab
  [11/14]: adding the password extension to the directory
  [12/14]: adding the kerberos master key to the directory
  [13/14]: starting the KDC
  [14/14]: configuring KDC to start on boot
done configuring krb5kdc.
Configuring ipa_kpasswd
  [1/2]: starting ipa_kpasswd 
  [2/2]: configuring ipa_kpasswd to start on boot
done configuring ipa_kpasswd.
Configuring the web interface: Estimated time 1 minute
  [1/13]: disabling mod_ssl in httpd
  [2/13]: setting mod_nss port to 443
  [3/13]: setting mod_nss password file
  [4/13]: enabling mod_nss renegotiate
  [5/13]: adding URL rewriting rules
  [6/13]: configuring httpd
  [7/13]: setting up ssl
  [8/13]: setting up browser autoconfig
  [9/13]: publish CA cert
  [10/13]: creating a keytab for httpd
  [11/13]: configuring SELinux for httpd
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
done configuring httpd.
Applying LDAP updates
Restarting IPA to initialize updates before performing deletes:
  [1/2]: stopping directory server
  [2/2]: starting directory server
done configuring dirsrv.
Restarting the directory server
Restarting the KDC
Restarting the web server
Sample zone file for bind has been created in /tmp/sample.zone.cDoA2x.db
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		UDP Ports:
		  * 88, 464: kerberos
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
[root@zippyvm4 bz948993]# 

[root@zippyvm4 bz948993]# rpm -q ipa-server certmonger
ipa-server-2.1.3-9.el6.x86_64
certmonger-0.50-3.el6.x86_64
[root@zippyvm4 bz948993]# kinit admin
Password for admin@EXAMPLE.COM: 
[root@zippyvm4 bz948993]# ipa user-find
--------------
1 user matched
--------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 1464800000
  GID: 1464800000
  Account disabled: False
  Keytab: True
  Password: True
----------------------------
Number of entries returned 1
----------------------------
[root@zippyvm4 bz948993]#

Comment 19 errata-xmlrpc 2014-10-14 07:12:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1512.html

