#6570 Duplicate PKINIT certificates being tracked after restoring IPA backup on re-installed master
Closed: Fixed None Opened 7 years ago by mkubik.

The issue has been discovered by test_integration/test_backup_and_restore.py::TestBackupReinstallRestoreWithDNS

When the backup is applied to a newly installed IPA instance, certmonger ends up tracking two requests. The following uninstall fails on the unexpected number of requests returned by certmonger.

https://paste.fedoraproject.org/507453/19077861/

The uninstall command also returns 0 even though it aborts with the error.


The uninstaller returning 0 is expected once the pre-uninstall checks (topology etc.) pass. It is currently by design, unless we want to challenge this decision.

The failure is caused by duplicate PKINIT certificates being tracked by certmonger when ipa-restore is run on a re-installed master. This then breaks the test teardown:

[ipa.ipatests.test_integration.host.Host.replica1.cmd53] RUN ['ipa-server-install', '--uninstall', '-U']
[ipa.ipatests.test_integration.host.Host.replica1.cmd53] Shutting down all IPA services
[ipa.ipatests.test_integration.host.Host.replica1.cmd53] Unconfiguring ntpd
[ipa.ipatests.test_integration.host.Host.replica1.cmd53] Configuring certmonger to stop tracking system certificates for KRA
[ipa.ipatests.test_integration.host.Host.replica1.cmd53] Configuring certmonger to stop tracking system certificates for CA
[ipa.ipatests.test_integration.host.Host.replica1.cmd53] Unconfiguring CA
[ipa.ipatests.test_integration.host.Host.replica1.cmd53] Unconfiguring named
[ipa.ipatests.test_integration.host.Host.replica1.cmd53] Unconfiguring ipa-dnskeysyncd
[ipa.ipatests.test_integration.host.Host.replica1.cmd53] Unconfiguring web server
[ipa.ipatests.test_integration.host.Host.replica1.cmd53] Unconfiguring krb5kdc
[ipa.ipatests.test_integration.host.Host.replica1.cmd53] ipa         : ERROR    Failed to get request: Criteria expected to be met by 1 request, got 2.
[ipa.ipatests.test_integration.host.Host.replica1.cmd53] ipa         : ERROR    Criteria expected to be met by 1 request, got 2.

On the test machine, running getcert list reveals that there are indeed two PKINIT certs tracked by certmonger:

[root@replica1 ~]# ipa-getcert list
Number of certificates and requests being tracked: 3.
Request ID '20161220155922':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-TEST//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-TEST',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=IPA.TEST
        subject: CN=replica1.ipa.test,O=IPA.TEST
        expires: 2018-12-21 15:59:23 UTC
        dns: replica1.ipa.test
        principal name: ldap/replica1.ipa.test@IPA.TEST
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: 
        post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv IPA-TEST
        track: yes
        auto-renew: yes
Request ID '20161220155936':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=IPA.TEST
        subject: CN=replica1.ipa.test,O=IPA.TEST
        expires: 2018-12-21 16:07:09 UTC
        principal name: krbtgt/IPA.TEST@IPA.TEST
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-pkinit-KPKdc
        pre-save command: 
        post-save command: 
        track: yes
        auto-renew: yes
Request ID '20161220160644':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=IPA.TEST
        subject: CN=replica1.ipa.test,O=IPA.TEST
        expires: 2018-12-21 16:07:09 UTC
        principal name: krbtgt/IPA.TEST@IPA.TEST
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-pkinit-KPKdc
        pre-save command: 
        post-save command: 
        track: yes
        auto-renew: yes

(The Server-Cert one comes from DS, which is not uninstalled when the uninstall fails, hence its certificate is still tracked as well.)

master:

  • ceec512 ipa-restore must stop tracking PKINIT cert in the preparation phase
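The check the uninstaller trips over, and the clean-up the fix performs before restore, can be reproduced offline. The following Python is an added example written for this ticket; it is not FreeIPA code and not from the commit above. It parses `getcert list` output (the sample is constructed from the listing quoted in the comment above, trimmed to the relevant fields), groups tracking requests by the certificate and key storage they point at, reports the duplicates, emits the `getcert stop-tracking -i <ID>` commands that would leave one tracker per storage, and mirrors the installer's "exactly one request" criterion. Function names (`parse_getcert_list`, `find_duplicate_tracking`, `requests_to_stop`, `check_unique`) are this example's own, not certmonger's or ipa-restore's API.

```python
import re

# Constructed sample modelled on the `ipa-getcert list` output quoted in this
# ticket: one DS Server-Cert request plus two requests tracking the same
# PKINIT files (kdc.crt / kdc.key). Only the fields used below are kept.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20161220155922':
        status: MONITORING
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-TEST//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-TEST',nickname='Server-Cert',token='NSS Certificate DB'
        principal name: ldap/replica1.ipa.test@IPA.TEST
Request ID '20161220155936':
        status: MONITORING
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        principal name: krbtgt/IPA.TEST@IPA.TEST
Request ID '20161220160644':
        status: MONITORING
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        principal name: krbtgt/IPA.TEST@IPA.TEST
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")


def parse_getcert_list(text):
    """Parse `getcert list` output into {request_id: {field: value}}.

    Each request starts with a "Request ID '<id>':" line; the indented
    "key: value" lines that follow belong to it until the next request.
    """
    requests = {}
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {}
            requests[m.group(1)] = current
            continue
        if current is None or ':' not in line:
            continue  # header line or unrelated text
        key, _, value = line.strip().partition(':')
        current[key.strip()] = value.strip()
    return requests


def tracking_key(req):
    """Identity of what a request tracks: its certificate and key storage."""
    return (req.get('certificate', ''), req.get('key pair storage', ''))


def find_duplicate_tracking(requests):
    """Return {storage_key: [request ids]} for storages tracked more than once."""
    groups = {}
    for rid, req in requests.items():
        groups.setdefault(tracking_key(req), []).append(rid)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def requests_to_stop(requests):
    """Request IDs to stop so that each storage keeps exactly one tracker.

    certmonger request IDs in this listing are timestamp-derived, so sorting
    keeps the oldest request and flags the later duplicates.
    """
    stop = []
    for ids in find_duplicate_tracking(requests).values():
        stop.extend(ids[1:])
    return sorted(stop)


def stop_tracking_commands(requests):
    """The getcert invocations that would remove the duplicate trackers."""
    return ['getcert stop-tracking -i %s' % rid for rid in requests_to_stop(requests)]


def check_unique(requests, cert_location):
    """Mirror the installer's criterion: exactly one request for this cert.

    Raises with the same wording the uninstall log shows when it is violated.
    """
    matches = [rid for rid, req in requests.items()
               if cert_location in req.get('certificate', '')]
    if len(matches) != 1:
        raise RuntimeError(
            'Criteria expected to be met by 1 request, got %d.' % len(matches))
    return matches[0]


if __name__ == '__main__':
    reqs = parse_getcert_list(SAMPLE_GETCERT_LIST)
    for storage, ids in find_duplicate_tracking(reqs).items():
        print('duplicate trackers for %s: %s' % (storage[0], ', '.join(ids)))
    for cmd in stop_tracking_commands(reqs):
        print(cmd)
```

Run on a live master, feed it `getcert list` output instead of the sample; any duplicate it reports is exactly what makes `ipa-server-install --uninstall` abort with "got 2". The fix in ceec512 avoids the situation in the first place by stopping tracking of the PKINIT certificate before the restore re-registers it, which is the same end state as applying the printed `stop-tracking` commands.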

Metadata Update from @mkubik:
- Issue assigned to frenaud
- Issue set to the milestone: FreeIPA 4.5

7 years ago
