When removing a Subordinate CA from the Security Domain, the warnings below are displayed.

Loading deployment configuration from /var/lib/pki/example-subca1/ca/registry/ca/deployment.cfg.
Uninstalling CA from /var/lib/pki/example-subca1.
pkidestroy : WARNING ....... this 'CA' entry may not be registered with security domain 'Example Org'!
pkidestroy : ERROR ....... updateDomainXML FAILED to delete this 'CA' entry from security domain 'Example Org': '['Error: Not authenticated']'
Uninstallation complete.
Steps to Reproduce:
1. Setup Root CA using the configuration below.

[DEFAULT]
pki_instance_name=example
pki_https_port=8443
pki_http_port=8080
#NSS DB Token Password
pki_token_password=Secret123
#Admin Password
pki_admin_password=Secret123
#Security Domain
pki_hostname=pki2.example.org
pki_security_domain_name=Example Org
pki_security_domain_password=Secret123
#client Dir
pki_client_dir=/opt/example
pki_client_pkcs12_password=Secret123
#Backup
pki_backup_keys=True
pki_backup_password=Secret123
[Tomcat]
pki_ajp_port=8009
pki_tomcat_server_port=8005
[CA]
pki_import_admin_cert=False
pki_ds_hostname=localhost
pki_ds_ldap_port=389
pki_ds_password=Secret123

$ pkispawn -s CA -f ca_inst.inf -vv

2. Setup Subordinate CA on the same host using a different Tomcat instance.

[DEFAULT]
pki_instance_name=example-subca1
pki_https_port=31000
pki_http_port=31001
#NSS DB Token Password
pki_token_password=Secret123
#Admin Password
pki_admin_password=Secret123
#Security Domain
pki_security_domain_hostname=pki2.example.org
pki_security_domain_https_port=8443
pki_security_domain_user=caadmin
pki_security_domain_password=Secret123
#client Dir
pki_client_dir=/opt/example-subca1
pki_client_pkcs12_password=Secret123
pki_client_database_password=Secret123
#Backup
pki_backup_keys=True
pki_backup_password=Secret123
[Tomcat]
pki_ajp_port=31002
pki_tomcat_server_port=31003
[CA]
pki_subordinate=True
pki_import_admin_cert=False
pki_ds_hostname=localhost
pki_ds_ldap_port=1906
pki_ds_password=Secret123
pki_issuing_ca=https://pki2.example.org:8443
pki_ca_signing_subject_dn=cn=CA Subordinate Signing,O=Example Org

3. Run pki securitydomain-show to verify that the subordinate CA joined the security domain.

[root@pki2 ~]# pki -d /etc/pki/nssdb/ -h pki2.example.org securitydomain-show
  Domain: Example Org

  CA Subsystem:

    Host ID: CA pki2.example.org 8443
    Hostname: pki2.example.org
    Port: 8080
    Secure Port: 8443
    Domain Manager: TRUE

    Host ID: CA pki2.example.org 31000
    Hostname: pki2.example.org
    Port: 31001
    Secure Port: 31000
    Domain Manager: FALSE

4. Remove the Subordinate CA instance from the security domain.

$ pkidestroy -i example-subca1 -u caadmin -W /tmp/password -s CA -vv
Actual results:
Subordinate CA information is not removed from security Domain
Expected results:
Subordinate CA information should be removed from security Domain
Additional info:
Created attachment: pkidestroy CA debug log (https://bugzilla.redhat.com/attachment.cgi?id=1044925)
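A post-removal check for the symptom in this report, added here as an example and not part of the report or the pki project: it parses securitydomain-show output (a constructed sample modelled on the step 3 listing, not real command output) and fails when the sub CA entry is still registered even though pkidestroy printed "Uninstallation complete".

```shell
# Constructed sample of `pki securitydomain-show` output, modelled on step 3:
# root CA (domain manager) on 8443, sub CA on 31000. Not real command output.
SAMPLE_SD_OUTPUT='  Domain: Example Org
  CA Subsystem:
    Host ID: CA pki2.example.org 8443
    Hostname: pki2.example.org
    Port: 8080
    Secure Port: 8443
    Domain Manager: TRUE
    Host ID: CA pki2.example.org 31000
    Hostname: pki2.example.org
    Port: 31001
    Secure Port: 31000
    Domain Manager: FALSE
'

# sd_entries: parse securitydomain-show text from stdin into one line per
# registered subsystem: "TYPE HOSTNAME SECURE_PORT DOMAIN_MANAGER".
sd_entries() {
    subsys=''; host=''; port=''
    while IFS= read -r line; do
        case "$line" in
            *'Host ID: '*)
                rest=${line#*Host ID: }
                subsys=${rest%% *}; rest=${rest#* }
                host=${rest%% *}; port=${rest#* } ;;
            *'Domain Manager: '*)
                printf '%s %s %s %s\n' "$subsys" "$host" "$port" "${line#*Domain Manager: }" ;;
        esac
    done
}

# sd_is_registered TYPE HOST SECURE_PORT: exit 0 if that entry is listed on stdin, else 1.
sd_is_registered() {
    sd_entries | {
        while read -r t h p _; do
            [ "$t $h $p" = "$1 $2 $3" ] && exit 0
        done
        exit 1
    }
}
# check_subca_removed: the post-pkidestroy check, run here against the sample; on a
# real host pipe `pki -d /etc/pki/nssdb -h pki2.example.org securitydomain-show` in
# instead. Returns 1 when the sub CA is still registered (the failure this report hit).
check_subca_removed() {
    if printf '%s' "$SAMPLE_SD_OUTPUT" | sd_is_registered CA pki2.example.org 31000; then
        echo "CA pki2.example.org 31000 still registered in security domain" >&2
        return 1
    fi
}
```

Run the check after every pkidestroy of a domain member, because the "Uninstallation complete" line does not reflect the updateDomainXML failure.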
Per CS/DS Meeting of 07/06/2015: 10.2.6
Needs Investigation.
The error does not seem to be happening in the latest build, but I did see it too in the past, so it's probably fixed in a recent patch. Please retest with the latest build. Thanks.
Closing the ticket for now. Please reopen if it's still happening in 10.2.6.
Metadata Update from @mrniranjan:
- Issue assigned to edewata
- Issue set to the milestone: 10.2.6
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2015
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.