When uninstalling IPA server, error messages are displayed in the console during the KRA uninstallation
ipa-server-install --setup-kra
ipa-server-install --uninstall -U
Uninstallation succeeds but the following error messages are displayed in the console:
Shutting down all IPA services Unconfiguring KRA failed to uninstall KRA instance CalledProcessError(Command ['/usr/sbin/pkidestroy', '-i', 'pki-tomcat', '-s', 'KRA'] returned non-zero exit status 1: 'ERROR : pkihelper unable to access security domain. Continuing .. HTTPSConnectionPool(host=\'master.example.com\', port=443): Max retries exceeded with url: /ca/rest/securityDomain/domainInfo (Caused by NewConnectionError(\'<urllib3.connection.VerifiedHTTPSConnection object at 0x7fc6cc563d10>: Failed to establish a new connection: [Errno 111] Connection refused\')) \nWARNING : pkihelper this \'KRA\' entry will NOT be deleted from security domain \'IPA\'!\nWARNING : pkihelper security domain \'IPA\' may be offline or unreachable!\nERROR : pkihelper subprocess.CalledProcessError: Command \'[\'/usr/bin/sslget\', \'-n\', \'subsystemCert cert-pki-ca\', \'-p\', \'4Vn+kA]L$vy}H4}V[$.m@jFFD8u(sl?OOz,cj6u];\', \'-d\', \'/etc/pki/pki-tomcat/alias\', \'-e\', \'name="/var/lib/pki/pki-tomcat"&type=KRA&list=kraList&host=master.example.com&sport=443&ncsport=443&adminsport=443&agentsport=443&operation=remove\', \'-v\', \'-r\', \'/ca/agent/ca/updateDomainXML\', \'master.example.com:443\']\' returned non-zero exit status 6.!\nJob for pki-tomcatd@pki-tomcat.service failed because a timeout was exceeded.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\nERROR : pkidestroy CalledProcessError: Command \'[\'systemctl\', \'start\', \'pki-tomcatd@pki-tomcat.service\']\' returned non-zero exit status 1.\n File "/usr/lib/python3.7/site-packages/pki/server/pkidestroy.py", line 268, in main\n scriptlet.destroy(deployer)\n File "/usr/lib/python3.7/site-packages/pki/server/deployment/scriptlets/finalization.py", line 93, in destroy\n instance.start()\n File "/usr/lib/python3.7/site-packages/pki/server/__init__.py", line 242, in start\n subprocess.check_call(cmd)\n File "/usr/lib64/python3.7/subprocess.py", line 347, in check_call\n raise CalledProcessError(retcode, cmd)\n\n') Unconfiguring CA [...] The ipa-server-install command was successful
KRA uninstallation should succeed without error
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server freeipa-server-4.8.1-1.fc30.x86_64 freeipa-client-4.8.1-1.fc30.x86_64 package ipa-server is not installed package ipa-client is not installed 389-ds-base-1.4.1.8-3.fc30.x86_64 pki-ca-10.7.3-3.fc30.noarch krb5-server-1.17-15.fc30.x86_64
The issue seems linked to commit d5c400a Add ExecStartPost hook to wait for Dogtag PKI. If the file /etc/systemd/system/pki-tomcatd@pki-tomcat.service.d/ipa.conf is removed + the command systemctl daemon-reload is executed before calling uninstall, then uninstallation succeeds without any error msg.
/etc/systemd/system/pki-tomcatd@pki-tomcat.service.d/ipa.conf
systemctl daemon-reload
Metadata Update from @frenaud: - Issue set to the milestone: FreeIPA 4.8.2
This is a duplicate of #7462
Closing as dup of #7642
Metadata Update from @frenaud: - Issue close_status updated to: duplicate - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.