From 67a33e5a305c7510fb182f84e46f304043f6ab37 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud
Date: Jun 21 2023 19:08:17 +0000
Subject: Uninstaller: uninstall PKI before shutting down services
The uninstaller is stopping all the services before calling pkidestroy to uninstall the CA. With PKI 11.4+ this sequence fails as pkidestroy tries to connect to PKI server in order to unregister from the security domain. The error interrupts the full completion of pkidestroy, is logged but doesn't make ipa uninstallation fail. The issue is that trying to re-install later on would fail because pkidestroy did not completely uninstall the CA. To avoid this, call pkidestroy before shutting down the services. Also add an uninstall_check method that restarts IPA if it is not running, and use pkidestroy --force to make sure that PKI is uninstalled even if restart failed.
Fixes: https://pagure.io/freeipa/issue/9330
Signed-off-by: Florence Blanc-Renaud
Reviewed-By: Rob Crittenden
---
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index be0e732..c93ae1f 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -169,6 +169,24 @@ def print_ca_configuration(options):
 def uninstall_check(options):
+ """IPA needs to be running so pkidestroy can unregister CA"""
+ ca = cainstance.CAInstance(api.env.realm)
+ if not ca.is_installed():
+ return
+
+ result = ipautil.run([paths.IPACTL, 'status'],
+ raiseonerr=False)
+
+ if result.returncode not in [0, 4]:
+ try:
+ logger.info(
+ "Starting services to unregister CA from security domain")
+ ipautil.run([paths.IPACTL, 'start'])
+ except Exception:
+ logger.info("Re-starting IPA failed, continuing uninstall")
+
+
+def uninstall_crl_check(options):
 """Check if the host is CRL generation master"""
 # Skip the checks if the host is not a CA instance
 ca = cainstance.CAInstance(api.env.realm)
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index c2c6b3f..4967aca 100644
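Review bot: In the new `uninstall_check` the `except Exception:` branch drops the failure of `ipactl start` and logs only a fixed message at info level, so when pkidestroy later cannot unregister the CA there is no record of why the services did not come up; suggest `except Exception as e:` with `logger.info("Re-starting IPA failed, continuing uninstall: %s", e)`, or keeping the message and adding `logger.debug("ipactl start failed", exc_info=True)`. The body is otherwise a line-for-line copy of `kra.uninstall_check` (visible in the kra.py hunk below), including the unexplained `[0, 4]` exit codes; a one-line comment naming what `ipactl status` exit code 4 means here, or a small shared helper both functions call, would keep the two from drifting apart. The whole function is visible in the hunk.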
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -305,7 +305,7 @@ class DogtagInstance(service.Service):
 self.print_msg("Unconfiguring %s" % self.subsystem)
 args = [paths.PKIDESTROY,
- "-i", "pki-tomcat",
+ "-i", "pki-tomcat", "--force",
 "-s", self.subsystem]
 # specify --log-file on PKI 11.0.0 or later
diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
index 857c516..59cbda8 100644
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -132,6 +132,8 @@ def uninstall_check(options):
 if result.returncode not in [0, 4]:
 try:
+ logger.info(
+ "Starting services to unregister KRA from security domain")
 ipautil.run([paths.IPACTL, 'start'])
 except Exception:
 logger.info("Re-starting IPA failed, continuing uninstall")
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 4e40764..ccb9582 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -1110,6 +1110,7 @@ def uninstall_check(installer):
 raise ScriptError("Aborting uninstall operation.")
 kra.uninstall_check(options)
+ ca.uninstall_check(options)
 try:
 api.Backend.ldap2.connect(autobind=True)
@@ -1132,7 +1133,7 @@ def uninstall_check(installer):
 else:
 dns.uninstall_check(options)
- ca.uninstall_check(options)
+ ca.uninstall_crl_check(options)
 cleanup_dogtag_server_specific_data()
@@ -1181,6 +1182,9 @@ def uninstall(installer):
 # Uninstall the KRA prior to shutting the services down so it
 # can un-register with the CA.
 kra.uninstall()
+ # Uninstall the CA priori to shutting the services down so it
+ # can unregister from the security domain
+ ca.uninstall()
 print("Shutting down all IPA services")
 try:
@@ -1194,8 +1198,6 @@ def uninstall(installer):
 restore_time_sync(sstore, fstore)
- ca.uninstall() - dns.uninstall()
 httpinstance.HTTPInstance(fstore).uninstall()
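Review bot: The added `--force` in the pkidestroy argument list has no explanation at the call site, and a reader of `args` cannot tell that it exists to finish the teardown when the security-domain unregistration fails; suggest a comment above `args`, e.g. `# --force: remove the instance even if unregistering from the security domain fails (PKI 11.4+ needs a running server for that step)`. If unregistration still fails under `--force`, the stale security-domain entry presumably remains and the pkidestroy log is the only trace, which the comment could also mention. The enclosing method starts before the hunk.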
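Review bot: The new comment in `uninstall` misspells "prior" as "priori"; `# Uninstall the CA prior to shutting the services down so it`. Since the KRA comment directly above states that the KRA must un-register with the CA, the new comment should also record that `ca.uninstall()` has to stay after `kra.uninstall()`, e.g. `# can unregister from the security domain; keep it after kra.uninstall().`. The body of `uninstall` continues outside the hunk, and the same ordering note applies to the later hunk that drops the old `ca.uninstall()` call.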