#6020 Server uninstall does not stop tracking lightweight sub-CA with certmonger
Closed: Fixed None Opened 7 years ago by jcholast.

ipa-server-install --uninstall leaves lightweight sub-CA certs tracked by certmonger:

# ipa-server-install --uninstall -U
...
ipa         : ERROR    Some certificates may still be tracked by certmonger.
This will cause re-installation to fail.
Start the certmonger service and list the certificates being tracked
 # getcert list
These may be untracked by executing
 # getcert stop-tracking -i <request_id>
for each id in: 20160701035553
...

# getcert list
Number of certificates and requests being tracked: 1.
Request ID '20160701035553':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca fb8eb99f-5a29-4e57-9de0-4027b65a5dcb',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca fb8eb99f-5a29-4e57-9de0-4027b65a5dcb',token='NSS Certificate DB'
    issuer: CN=Certificate Authority,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
    subject: CN=Sub-CA 1,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
    expires: 2036-07-01 03:38:35 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca fb8eb99f-5a29-4e57-9de0-4027b65a5dcb"
    track: yes
    auto-renew: yes

Fix ipa-server-install to stop tracking all lightweight sub-CA certs on uninstall.
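
The manual cleanup from the error message above, as an added example that is not part of the ticket or of FreeIPA's own fix: a shell filter that reads `getcert list` output and prints the `getcert stop-tracking` command for each leftover lightweight sub-CA request. It assumes, based on the output shown in this ticket, that a lightweight CA nickname is `caSigningCert cert-pki-ca` followed by a UUID; the function names and the second sample request are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `getcert list` output. The first request is the one
# from this ticket (abridged); the second, a host CA request, is made up so
# the filter has something it must NOT select.
sample_getcert_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20160701035553':
    status: MONITORING
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca fb8eb99f-5a29-4e57-9de0-4027b65a5dcb',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca fb8eb99f-5a29-4e57-9de0-4027b65a5dcb',token='NSS Certificate DB'
    subject: CN=Sub-CA 1,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
Request ID '20160701030000':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    subject: CN=Certificate Authority,O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
EOF
}

# Print the request ID of every tracked cert in the Dogtag NSS database whose
# nickname is the CA signing cert nickname plus a UUID suffix (assumption:
# that suffix is what distinguishes a lightweight sub-CA from the host CA).
lwca_request_ids() {
    # Splitting on single quotes gives: $2 = request ID on "Request ID" lines,
    # and $2 = NSS DB location, $4 = nickname on "certificate:" lines.
    awk -F"'" '
        /^Request ID / { id = $2; next }
        /^[ \t]*certificate: / &&
        $2 == "/etc/pki/pki-tomcat/alias" &&
        $3 ~ /nickname=/ &&
        $4 ~ /^caSigningCert cert-pki-ca [0-9a-f]+(-[0-9a-f]+)+$/ { print id }
    '
}

# Dry run: emit the commands for review instead of executing them.
lwca_untrack_commands() {
    lwca_request_ids | while read -r id; do
        printf 'getcert stop-tracking -i %s\n' "$id"
    done
}

# Stand-alone demo on the constructed sample.
sample_getcert_list | lwca_untrack_commands
```

On a real host the input would be `getcert list | lwca_untrack_commands`, with the certmonger service running as the error message instructs.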


master:

  • 88841a5 uninstall: untrack lightweight CA certs

Metadata Update from @jcholast:
- Issue assigned to ftweedal
- Issue set to the milestone: FreeIPA 4.4.1

7 years ago
