#1704 After uninstalling all KRA instances, dogtag still returns info that KRA instance exists somewhere
Closed: Fixed None Opened 8 years ago by mbasti.


in IPA project we hit this bug https://fedorahosted.org/freeipa/ticket/5469

When all KRA instances are uninstalled, following method, 'is_installing_replica', still returns True, what in IPA context means that KRA still exists on any server

def get_security_domain():
    Get the security domain from the REST interface on the local Dogtag CA
    This function will succeed if the local dogtag CA is up.
    connection = PKIConnection()
    domain_client = pki.system.SecurityDomainClient(connection)
    info = domain_client.get_security_domain_info()
    return info

def is_installing_replica(sys_type):
    We expect only one of each type of Dogtag subsystem in an IPA deployment.
    That means that if a subsystem of the specified type has already been
    deployed - and therefore appears in the security domain - then we must be
    installing a replica.
    info = get_security_domain()
        sys_list = info.systems[sys_type]
        return len(sys_list.hosts) > 0
    except KeyError:
        return False

sys_type = "KRA"
>>> print(repr(sys_list.hosts))
{u'KRA vm-058-094.example.com 443': <pki.system.SecurityDomainHost object at 0x7f95171b9510>}

Uninstallation of KRA is done with following command:

pkidestroy -i pki-tomcat -s KRA

This is reproducible with just one server too:

ipa-kra-install --uninstall

Let me know if you need additional info.

The uninstaller fails to remove the security domain information from LDAP. We suspect that the sslget call is wrong. I haven't figured out the correct call yet.

2015-11-25 19:10:57 pkidestroy  : WARNING  ....... Failed to deregister KRA connector vm-058-094.abc.idm.lab.eng.brq.redhat.com:443 from CA vm-058-094.abc.i
2015-11-25 19:10:57 pkidestroy  : INFO     ....... contacting the security domain master to update security domain 'IPA'
2015-11-25 19:10:57 pkidestroy  : WARNING  ....... this 'KRA' entry will NOT be deleted from security domain 'IPA'!
2015-11-25 19:10:57 pkidestroy  : WARNING  ....... security domain 'IPA' may be offline or unreachable!
2015-11-25 19:10:57 pkidestroy  : ERROR    ....... subprocess.CalledProcessError:  Command '['/usr/bin/sslget', '-n', 'subsystemCert cert-pki-ca', '-p', '93
8967013969', '-d', '/etc/pki/pki-tomcat/alias', '-e', 'name="/var/lib/pki/pki-tomcat"&type=KRA&list=kraList&host=vm-058-094.abc.idm.lab.eng.brq.redhat.com&s
port=443&ncsport=443&adminsport=443&agentsport=443&operation=remove', '-v', '-r', '/ca/agent/ca/updateDomainXML', 'vm-058-094.abc.idm.lab.eng.brq.redhat.com
:443']' returned non-zero exit status 3!

I was able to install KRA again after I removed the security domain for the KRA instance:

ldapdelete -H ldapi://%2fvar%2frun%2fslapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM.socket "cn=vm-058-094.abc.idm.lab.eng.brq.redhat.com:443,cn=KRAList,ou=Security Domain,o=ipaca"

sslget fails with a HTTP/1.1 400 Bad Request. Apache error log contains this line:

[Wed Nov 25 19:57:02.505877 2015] [:error] [pid 12657] Hostname vm-058-094.abc.idm.lab.eng.brq.redhat.com 
provided via SNI, but no hostname provided in HTTP request

It looks like a bug in sslget. It doesn't set a Hostname header.

The problem seems to be limit to Fedora. I wasn't able to reproduce the issue on a fresh RHEL 7.2 server. ipa-kra-install --uninstall sucessfully removed the KRA entry from LDAP.

Per CS/DS meeting of 11/30/2015 - 10.3 blocker

The problem occurs on systems with mod_nss >= 1.0.12. Since https://git.fedorahosted.org/cgit/mod_nss.git/tree/ChangeLog#n18 mod_nss supports SNI. Apache HTTPD requires a HTTP Host header for SNI requests. With TLS SNI but without HTTP Hosts, a HTTP/1.1 400 Bad Request is returned to the client.

sslget must set Host HTTP header

  • master: 73f5e33c945d865a88b47491b73553ba8ecf2f53
  • DOGTAG_10_2_BRANCH: d895ca41472112a3ef07486419d4580f6c9d0983
  • DOGTAG_10_2_6_BRANCH: b61e5995f366af2a4e8e8f4ce47de7a37df87e13

Metadata Update from @mbasti:
- Issue assigned to cheimes
- Issue set to the milestone: 10.3.0

6 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Login to comment on this ticket.