#2702 ipa-server-install --uninstall doesn't clear certmonger dirs, which leads to install failing
Closed: Fixed. Opened 10 years ago by rcritten.

https://bugzilla.redhat.com/show_bug.cgi?id=817080 (Red Hat Enterprise Linux 6)

ipa-server-install --uninstall doesn't clear certmonger dirs

[root@privserv certmonger]# pwd
/var/lib/certmonger
[root@privserv certmonger]# ls -lR
.:
total 8
drwxr-xr-x. 2 root root 4096 Apr 27 17:20 cas
drwxr-xr-x. 2 root root 4096 Apr 27 17:20 requests

./cas:
total 12
-rw-------. 1 root root  72 Apr 27 17:20 20120424011747
-rw-------. 1 root root  94 Apr 27 17:20 20120424011747-1
-rw-------. 1 root root 108 Apr 27 17:20 20120424011747-2

./requests:
total 8
-rw-------. 1 root root 3874 Apr 27 17:20 20120427071425
-rw-------. 1 root root 3160 Apr 27 17:20 20120427071514



ipa-server-install --no-host-dns \
  --dirsrv_pkcs12 mycompany.pkcs12 --dirsrv_pin=PASSWORD_REMOVED \
  --http_pkcs12 mycompany.pkcs12 --http_pin=PASSWORD_REMOVED \
  --realm REALM_REMOVED --domain DOMAIN_REMOVED \
  --hostname HOSTNAME_REMOVED \
  -p PASSWORD_REMOVED -P PASSWORD_REMOVED -a PASSWORD_REMOVED


  [10/35]: configuring uniqueness plugin
  [11/35]: configuring uuid plugin
  [12/35]: configuring modrdn plugin
  [13/35]: enabling entryUSN plugin
  [14/35]: configuring lockout plugin
  [15/35]: creating indices
  [16/35]: configuring ssl for ds instance
ipa         : ERROR    Didn't get new certmonger request, got Request
"20120427071425" modified.

Unexpected error - see ipaserver-install.log for details:
 certmonger did not issue new tracking request for 'MY_CA_DESCRIPTION_REMOVED'
in '/etc/dirsrv/slapd-MY_DOMAIN_REMOVED/'. Use 'ipa-getcert list' to list
existing certificates.


Furthermore, `ipa-getcert list' isn't helpful at all, because I don't have IPA
configured and the command will fail.

ipaserver-install.log

2012-04-27T15:14:26Z DEBUG stderr=
2012-04-27T15:14:26Z ERROR Didn't get new certmonger request, got Request
"20120427071425" modified.

2012-04-27T15:14:26Z DEBUG certmonger did not issue new tracking request for
'MSInfoIPA' in '/etc/dirsrv/slapd-MY_DOMAIN_REMOVED/'. Use 'ipa-getcert list'
to list existing certificates.
  File "/usr/sbin/ipa-server-install", line 1087, in <module>
    rval = main()

  File "/usr/sbin/ipa-server-install", line 916, in main
    hbac_allow=not options.hbac_allow)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py", line 248, in create_instance
    self.start_creation("Configuring directory server", 60)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 257, in start_creation
    method()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py", line 516, in __enable_ssl
    dsdb.track_server_cert(nickname, self.principal, dsdb.passwd_fname, 'restart_dirsrv %s' % self.serverid )

  File "/usr/lib/python2.6/site-packages/ipaserver/install/certs.py", line 526, in track_server_cert
    raise RuntimeError('%s did not issue new tracking request for \'%s\' in \'%s\'. Use \'ipa-getcert list\' to list existing certificates.' % (cmonger.service_name, nickname, self.secdir))






I haven't hit this with 2.1; I believe this is a regression in 2.2.
ipa-server-2.2.0-11.el6.x86_64

Likely related to bug 817065

Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=862437 (Red Hat Enterprise Linux 6)

There is a second case reported. Putting into needs triage.

Should we clean these directories in the uninstall scripts so that the re-install would work cleanly? Sounds like we should.

We DO clean this. We have no idea what the customer did. We can't willy-nilly stop tracking all certmonger requests because there may be other certificates being tracked.

Replying to [comment:5 rcritten]:

We DO clean this. We have no idea what the customer did. We can't willy-nilly stop tracking all certmonger requests because there may be other certificates being tracked.

I do not see a reason to continue tracking anything if you can't re-install the server and if you re-install a new cert will be used so old certs and requests would have no value. Certmonger can only work with one source and this source is the current server if it is running on the server machine.

certmonger is extremely flexible and not tied to a specific CA at all.

We have always treated uninstall as a best effort, that things may go bump in the night. This is one of those things. It appears that the uninstall failed but enough got removed that re-running it didn't fully clean up.

IMHO the re-install failed with a very reasonable message telling the user what to do.

Replying to [comment:7 rcritten]:

IMHO the re-install failed with a very reasonable message telling the user what to do.

It is very cryptic. The message should then be something like:

"Installation failed due to a mismatch of the certificate requests tracked by certmonger. Such a situation might be caused by the re-installation of the server. Follow the documentation <section TBD> on how to resolve this issue manually before retrying installation."

And then there should be a doc section describing:
1. What is the issue
2. How to clean it manually

I'm fine with documenting the current error. In fact, we are probably due for a common errors and solution section in the documentation.

The agreement is to make the error message more meaningful. A separate doc ticket #3145 was opened to track that effort. Here we just need to make the message less cryptic.

We only care about certificates in certain directories so I'm just blindly going to check those and leave it as an exercise for the reader if any leftovers are valid or not. My assumption is that if you are savvy enough to tell certmonger to track a certificate in one of the IPA databases then you're savvy enough to know to leave it alone.

Create a bogus host we can use to get a cert for:

# ipa host-add test.example.com --force

Create an NSS cert database we'll use to get the cert and do non-IPA tracking:

# mkdir /tmp/certdb
# certutil -N -d /tmp/certdb

Get a cert

# certutil -R -s "cn=test.example.com,o=example.com" -d /tmp/certdb -z /etc/group -a > /tmp/certdb/test.csr
# ipa cert-request --add --principal test/test.example.com /tmp/certdb/test.csr > /tmp/certdb/test.crt

Note the serial number. In my case it was 12. Now fetch a textual copy of the cert.

# ipa cert-show --out=/tmp/certdb/test.crt 12

Add the cert to our test database and track it

# certutil -A -n test -d /tmp/certdb -t u,u,u -a < /tmp/certdb/test.crt
# ipa-getcert start-tracking -d /tmp/certdb -n test

Add the cert to Apache and track it

# certutil -A -n test -d /etc/httpd/alias -t u,u,u -a < /tmp/certdb/test.crt
# ipa-getcert start-tracking -d /etc/httpd/alias -n test

Uninstall. It should complain about only the Apache cert

# ipa-server-install --uninstall -U
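The check the fix performs, as an added illustration rather than FreeIPA's own code: parse `ipa-getcert list` output and report any request whose certificate still lives in an IPA-owned NSS database, which is exactly the leftover that makes a re-install fail. The directory patterns and the sample listing are constructed for this example (the 389-ds and Apache paths match those seen in the ticket); the third request, tracked in /tmp/certdb, is deliberately left alone.

```python
import re
from fnmatch import fnmatch

# NSS databases IPA owns; a certmonger request still pointing into one of
# these after uninstall is what breaks the next install. Assumed patterns.
IPA_NSS_DIRS = ("/etc/dirsrv/slapd-*", "/etc/httpd/alias")

# Constructed sample of `ipa-getcert list` output, not a real capture.
SAMPLE_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20120427071425':
\tstatus: MONITORING
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
Request ID '20120427071514':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='test',token='NSS Certificate DB'
\tCA: IPA
Request ID '20120427071600':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/tmp/certdb',nickname='test',token='NSS Certificate DB'
\tCA: IPA
"""

def parse_getcert_list(text):
    """Map each request ID to the fields of its 'certificate:' storage line."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = m.group(1)
            requests[current] = {}
            continue
        key, sep, value = line.strip().partition(": ")
        if current is not None and sep and key == "certificate":
            # value looks like: type=NSSDB,location='/path',nickname='x',...
            fields = re.findall(r"(\w+)=('[^']*'|[^,]*)", value)
            requests[current] = {k: v.strip("'") for k, v in fields}
    return requests

def leftover_ipa_requests(text, ipa_dirs=IPA_NSS_DIRS):
    """(request id, location, nickname) for certs kept in IPA-owned databases."""
    found = []
    for req_id, cert in parse_getcert_list(text).items():
        loc = cert.get("location", "")
        if any(fnmatch(loc, pat) for pat in ipa_dirs):
            found.append((req_id, loc, cert.get("nickname", "")))
    return found

if __name__ == "__main__":
    for req_id, loc, nick in leftover_ipa_requests(SAMPLE_LIST):
        print(f"leftover request {req_id}: '{nick}' in {loc}; stop tracking before re-install")
```

On a real host, feed it the output of `ipa-getcert list` and stop tracking only the reported requests, leaving anything outside the IPA directories alone, as the comment above suggests.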

master: 102765c69fb702cd422611ef21b14b2914cee51f

ipa-3-0: 555a0eef808aafa64330a615bfa2c474e9277cba

Metadata Update from @rcritten:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 3.0.1 (bug fixing)

5 years ago
