The issue has been discovered by test_integration/test_backup_and_restore.py::TestBackupReinstallRestoreWithDNS
When the backup is applied to a newly installed IPA instance, certmonger ends up tracking two requests. The following uninstall then fails on the unexpected number of requests returned by certmonger:
https://paste.fedoraproject.org/507453/19077861/
The uninstall command also returns 0 despite aborting with the error.
Uninstaller returning 0 is expected once the pre-uninstall checks (topology etc.) pass. It is currently by design unless we want to challenge this decision.
The root cause of the failure is duplicate PKINIT certificates being tracked by certmonger when ipa-restore is called on a re-installed master. This then breaks the test teardown:
ipa-restore
[ipa.ipatests.test_integration.host.Host.replica1.cmd53] RUN ['ipa-server-install', '--uninstall', '-U']
[ipa.ipatests.test_integration.host.Host.replica1.cmd53] Shutting down all IPA services
[ipa.ipatests.test_integration.host.Host.replica1.cmd53] Unconfiguring ntpd
[ipa.ipatests.test_integration.host.Host.replica1.cmd53] Configuring certmonger to stop tracking system certificates for KRA
[ipa.ipatests.test_integration.host.Host.replica1.cmd53] Configuring certmonger to stop tracking system certificates for CA
[ipa.ipatests.test_integration.host.Host.replica1.cmd53] Unconfiguring CA
[ipa.ipatests.test_integration.host.Host.replica1.cmd53] Unconfiguring named
[ipa.ipatests.test_integration.host.Host.replica1.cmd53] Unconfiguring ipa-dnskeysyncd
[ipa.ipatests.test_integration.host.Host.replica1.cmd53] Unconfiguring web server
[ipa.ipatests.test_integration.host.Host.replica1.cmd53] Unconfiguring krb5kdc
[ipa.ipatests.test_integration.host.Host.replica1.cmd53] ipa : ERROR Failed to get request: Criteria expected to be met by 1 request, got 2.
[ipa.ipatests.test_integration.host.Host.replica1.cmd53] ipa : ERROR Criteria expected to be met by 1 request, got 2.
On the test machine, running getcert list reveals that there are indeed two PKINIT certs tracked by certmonger:
[root@replica1 ~]# ipa-getcert list
Number of certificates and requests being tracked: 3.
Request ID '20161220155922':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-TEST//pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-TEST',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=replica1.ipa.test,O=IPA.TEST
	expires: 2018-12-21 15:59:23 UTC
	dns: replica1.ipa.test
	principal name: ldap/replica1.ipa.test@IPA.TEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv IPA-TEST
	track: yes
	auto-renew: yes
Request ID '20161220155936':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
	certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=replica1.ipa.test,O=IPA.TEST
	expires: 2018-12-21 16:07:09 UTC
	principal name: krbtgt/IPA.TEST@IPA.TEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-pkinit-KPKdc
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20161220160644':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
	certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=replica1.ipa.test,O=IPA.TEST
	expires: 2018-12-21 16:07:09 UTC
	principal name: krbtgt/IPA.TEST@IPA.TEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-pkinit-KPKdc
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
(The Server-Cert one comes from DS, which is not uninstalled during the failed uninstall, hence its certificate is still tracked as well.)
master:
Metadata Update from @mkubik: - Issue assigned to frenaud - Issue set to the milestone: FreeIPA 4.5