ipa-server-install --uninstall leaves lightweight sub-CA certs tracked by certmonger:
    # ipa-server-install --uninstall -U
    ...
    ipa : ERROR Some certificates may still be tracked by certmonger.
    This will cause re-installation to fail.
    Start the certmonger service and list the certificates being tracked
     # getcert list
    These may be untracked by executing
     # getcert stop-tracking -i <request_id>
    for each id in: 20160701035553
    ...
    # getcert list
    Number of certificates and requests being tracked: 1.
    Request ID '20160701035553':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca fb8eb99f-5a29-4e57-9de0-4027b65a5dcb',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca fb8eb99f-5a29-4e57-9de0-4027b65a5dcb',token='NSS Certificate DB'
        issuer: CN=Certificate Authority,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
        subject: CN=Sub-CA 1,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
        expires: 2036-07-01 03:38:35 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca fb8eb99f-5a29-4e57-9de0-4027b65a5dcb"
        track: yes
        auto-renew: yes
Fix ipa-server-install to stop tracking all lightweight sub-CA certs on uninstall.
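The manual cleanup that the error message describes can be scripted. This is an added example, not FreeIPA code and not part of the ticket: it parses `getcert list` output, selects requests in the CA NSSDB whose nickname is `caSigningCert cert-pki-ca` followed by a UUID (the pattern shown in the ticket), and builds the matching `getcert stop-tracking` commands. The sample output, the second request ID and all function names are constructed for illustration.

```python
import re

# Constructed sample in the shape of the ticket's `getcert list` output.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20160701035553':
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca fb8eb99f-5a29-4e57-9de0-4027b65a5dcb',token='NSS Certificate DB'
    subject: CN=Sub-CA 1,O=EXAMPLE.TEST
Request ID '20160701030001':
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    subject: CN=Certificate Authority,O=EXAMPLE.TEST
"""

REQ_RE = re.compile(r"^Request ID '([^']+)':\s*$")
ATTR_RE = re.compile(r"(\w+)='([^']*)'")
UUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
# Assumption from the ticket: sub-CA nicknames carry a UUID suffix.
SUBCA_NICK_RE = re.compile(r"^caSigningCert cert-pki-ca (" + UUID + r")$")
CA_NSSDB = "/etc/pki/pki-tomcat/alias"

def parse_getcert_list(text):
    """Map request ID -> {field: value} from `getcert list` output."""
    requests, current = {}, None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def leftover_subca_requests(requests):
    """Return (request_id, uuid_suffix, subject) for tracked sub-CA certs."""
    out = []
    for req_id, fields in requests.items():
        attrs = dict(ATTR_RE.findall(fields.get("certificate", "")))
        m = SUBCA_NICK_RE.match(attrs.get("nickname", ""))
        if attrs.get("location") == CA_NSSDB and m:
            out.append((req_id, m.group(1), fields.get("subject", "")))
    return out

def stop_tracking_commands(leftovers):
    """Build the `getcert stop-tracking -i <request_id>` argv for each hit."""
    return [["getcert", "stop-tracking", "-i", r[0]] for r in leftovers]

if __name__ == "__main__":
    for argv in stop_tracking_commands(leftover_subca_requests(parse_getcert_list(SAMPLE))):
        print(" ".join(argv))
```

The request for the main CA signing cert (nickname without a UUID suffix) is deliberately not selected, so only the sub-CA entries are reported.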
master:
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1356102
Metadata Update from @jcholast: - Issue assigned to ftweedal - Issue set to the milestone: FreeIPA 4.4.1