#8596 improve IPA PKI subsystem detection by other means than a directory presence, use pki-server subsystem-find
Closed: fixed 4 months ago by abbra. Opened 5 months ago by frenaud.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1895197

Description of problem:

improve the way IPA detects PKI services, do not rely on files or directories,
try to rely on the Dogtag tools or interfaces, example:

pki-server subsystem-find
class SubsystemFindCLI(pki.cli.CLI):

pki-server subsystem-find
2 entries matched
  Subsystem ID: ca
  Instance ID: pki-tomcat
  Enabled: True

  Subsystem ID: kra
  Instance ID: pki-tomcat
  Enabled: True

instead of


    def is_installed(self):
        """
        Determine if subsystem instance has been installed.
        Returns True/False
        """
        return os.path.exists(os.path.join(
            paths.VAR_LIB_PKI_TOMCAT_DIR, self.subsystem.lower()))

this directory path testing returns an incorrect true status because, for
example, there is no "ipa-kra-install --uninstall" (removed in 2018 / bz
1454444):
ipa-kra-install --uninstall
ERROR: Standalone KRA uninstallation was removed in IPA 4.5 as it had never
worked properly and only caused issues.

real world scenario example:

there is a RHEL-7 IPA replica deployed
that system is updated from RHEL-7.8 to RHEL-7.9
the update fails in IPA, leading to failing "ipactl restart", then to some
serious other problems:

in this case, there was no PKI KRA subsystem configured listed from
ldapsearch -o ldif-wrap=no -LLLxD cn=directory\ manager -W -b "ou=Security
nor from a
ipa config-show --all

and no ipara listed from
ldapsearch -o ldif-wrap=no -LLLxD cn=directory\ manager -W -b o=ipaca

but we still had a directory

so the test in

incorrectly returned a true status in is_installed(self)

that all led to an LDAP error on no ipakra user entry, then to a failed IPA
update, then to a failed ipactl start, and a bad situation.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. IPA with CA, NO KRA
2. add a /var/lib/pki/pki-tomcat/kra/ directory
3. try to run the ipa console for

Actual results:

2020-11-03T17:27:14Z DEBUG Executing upgrade plugin: fix_kra_people_entry
2020-11-03T17:27:14Z ERROR Upgrade failed with no such entry
2020-11-03T17:27:14Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 274, in __upgrade
    self.modified = (ld.update(self.files) or self.modified)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 966, in update
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/fix_kra_people_entry.py", line 35, in execute
    entry = self.api.Backend.ldap2.get_entry(krainstance.KRA_AGENT_DN)

then I realize there is no KRA agent LDAP entry
because that RHEL IPA system has no KRA installed (but has a CA)

so why the failure in fix_kra_people_entry.py if there is no KRA ??

the IPA update uses "plug-ins" to update various elements, listed from

and one of them is

which calls

which calls a function is_installed()

the problem is that is_installed() simply checks for a directory path to decide a PKI
subsystem is installed and configured, which is not a sufficient way to detect
the availability of a service.

Expected results:

Additional info:
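The detection the ticket asks for, as an added example that is neither the ticket's own code nor FreeIPA's actual fix: it parses the `pki-server subsystem-find` output format shown above and treats a subsystem as installed only when Dogtag lists it as enabled on the instance, next to the directory check that gives a false positive on a stale `kra/` directory. The sample output is constructed from the ticket's listing, and the `-i` option to select the Tomcat instance is assumed from pki-server's CLI conventions.

```python
import os
import subprocess

# Constructed sample of `pki-server subsystem-find` output, in the format the
# ticket shows (CA and KRA both configured and enabled on pki-tomcat).
SAMPLE_OUTPUT = """\
2 entries matched
  Subsystem ID: ca
  Instance ID: pki-tomcat
  Enabled: True

  Subsystem ID: kra
  Instance ID: pki-tomcat
  Enabled: True
"""

def parse_subsystem_find(output):
    """Turn the blank-line separated 'Key: Value' blocks into a list of dicts."""
    entries, current = [], {}
    for line in output.splitlines():
        line = line.strip()
        if not line:                      # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
        elif ": " in line:                # skips the "N entries matched" summary
            key, value = line.split(": ", 1)
            current[key] = value
    if current:
        entries.append(current)
    return entries

def is_installed_by_dir(subsystem, base_dir="/var/lib/pki/pki-tomcat"):
    """The check the ticket objects to: a leftover directory is a false positive."""
    return os.path.isdir(os.path.join(base_dir, subsystem.lower()))

def is_installed_by_pki_server(subsystem, instance="pki-tomcat", output=None):
    """Ask Dogtag itself (assumed `-i` selects the instance); `output` lets captured text be injected."""
    if output is None:
        output = subprocess.run(
            ["pki-server", "subsystem-find", "-i", instance],
            capture_output=True, text=True, check=True).stdout
    return any(
        e.get("Subsystem ID") == subsystem.lower()
        and e.get("Instance ID") == instance
        and e.get("Enabled") == "True"
        for e in parse_subsystem_find(output))
```

With the ticket's scenario (CA only, stray `/var/lib/pki/pki-tomcat/kra/`), `is_installed_by_dir("kra")` is True while `is_installed_by_pki_server("kra")` is False, so the `fix_kra_people_entry` plugin would be skipped instead of failing on the missing agent entry.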

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1895197

5 months ago

Metadata Update from @frenaud:
- Issue assigned to frenaud

5 months ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5290

5 months ago


  • 930453b Improve PKI subsystem detection
  • 526686e ipatests: add test for PKI subsystem detection


  • af830c0 Improve PKI subsystem detection
  • 7d47e37 ipatests: add test for PKI subsystem detection

Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

4 months ago


  • cf30cc3 Improve PKI subsystem detection
  • 24f6a36 ipatests: add test for PKI subsystem detection


  • 137c456 Improve PKI subsystem detection
  • 8367ede ipatests: add test for PKI subsystem detection


  • 6e0634b ipatest: fix test_upgrade.py::TestUpgrade::()::test_kra_detection


  • 35be925 ipatest: fix test_upgrade.py::TestUpgrade::()::test_kra_detection


  • 0db2896 ipatest: fix test_upgrade.py::TestUpgrade::()::test_kra_detection


  • 46a4e93 ipatest: fix test_upgrade.py::TestUpgrade::()::test_kra_detection
