Hello,
in IPA project we hit this bug https://fedorahosted.org/freeipa/ticket/5469
When all KRA instances are uninstalled, following method, 'is_installing_replica', still returns True, what in IPA context means that KRA still exists on any server
def get_security_domain(): """ Get the security domain from the REST interface on the local Dogtag CA This function will succeed if the local dogtag CA is up. """ connection = PKIConnection() domain_client = pki.system.SecurityDomainClient(connection) info = domain_client.get_security_domain_info() return info def is_installing_replica(sys_type): """ We expect only one of each type of Dogtag subsystem in an IPA deployment. That means that if a subsystem of the specified type has already been deployed - and therefore appears in the security domain - then we must be installing a replica. """ info = get_security_domain() try: sys_list = info.systems[sys_type] return len(sys_list.hosts) > 0 except KeyError: return False sys_type = "KRA"
>>> print(repr(sys_list.hosts)) {u'KRA vm-058-094.example.com 443': <pki.system.SecurityDomainHost object at 0x7f95171b9510>}
Uninstallation of KRA is done with following command:
pkidestroy -i pki-tomcat -s KRA
This is reproducible with just one server too:
ipa-server-install ipa-kra-install ipa-kra-install --uninstall ipa-kra-install
Let me know if you need additional info.
KRA uninstall log pki-kra-destroy.20151125142641.log
The uninstaller fails to remove the security domain information from LDAP. We suspect that the sslget call is wrong. I haven't figured out the correct call yet.
2015-11-25 19:10:57 pkidestroy : WARNING ....... Failed to deregister KRA connector vm-058-094.abc.idm.lab.eng.brq.redhat.com:443 from CA vm-058-094.abc.i dm.lab.eng.brq.redhat.com:443 2015-11-25 19:10:57 pkidestroy : INFO ....... contacting the security domain master to update security domain 'IPA' 2015-11-25 19:10:57 pkidestroy : WARNING ....... this 'KRA' entry will NOT be deleted from security domain 'IPA'! 2015-11-25 19:10:57 pkidestroy : WARNING ....... security domain 'IPA' may be offline or unreachable! 2015-11-25 19:10:57 pkidestroy : ERROR ....... subprocess.CalledProcessError: Command '['/usr/bin/sslget', '-n', 'subsystemCert cert-pki-ca', '-p', '93 8967013969', '-d', '/etc/pki/pki-tomcat/alias', '-e', 'name="/var/lib/pki/pki-tomcat"&type=KRA&list=kraList&host=vm-058-094.abc.idm.lab.eng.brq.redhat.com&s port=443&ncsport=443&adminsport=443&agentsport=443&operation=remove', '-v', '-r', '/ca/agent/ca/updateDomainXML', 'vm-058-094.abc.idm.lab.eng.brq.redhat.com :443']' returned non-zero exit status 3!
I was able to install KRA again after I removed the security domain for the KRA instance:
ldapdelete -H ldapi://%2fvar%2frun%2fslapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM.socket "cn=vm-058-094.abc.idm.lab.eng.brq.redhat.com:443,cn=KRAList,ou=Security Domain,o=ipaca"
sslget fails with a HTTP/1.1 400 Bad Request. Apache error log contains this line:
[Wed Nov 25 19:57:02.505877 2015] [:error] [pid 12657] Hostname vm-058-094.abc.idm.lab.eng.brq.redhat.com provided via SNI, but no hostname provided in HTTP request
It looks like a bug in sslget. It doesn't set a Hostname header.
The problem seems to be limit to Fedora. I wasn't able to reproduce the issue on a fresh RHEL 7.2 server. ipa-kra-install --uninstall sucessfully removed the KRA entry from LDAP.
Per CS/DS meeting of 11/30/2015 - 10.3 blocker
attachment pki-cheimes-0043-sslget-must-set-Host-HTTP-header.patch
attachment pki-cheimes-0043-2-sslget-must-set-Host-HTTP-header.patch
The problem occurs on systems with mod_nss >= 1.0.12. Since https://git.fedorahosted.org/cgit/mod_nss.git/tree/ChangeLog#n18 mod_nss supports SNI. Apache HTTPD requires a HTTP Host header for SNI requests. With TLS SNI but without HTTP Hosts, a HTTP/1.1 400 Bad Request is returned to the client.
sslget must set Host HTTP header
Fixed in pki-core-10.2.6-13.fc23: https://bodhi.fedoraproject.org/updates/FEDORA-2015-c7dd78ac78
Also fixed in pki-core-10.2.6-13.fc24
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1302127
Metadata Update from @mbasti: - Issue assigned to cheimes - Issue set to the milestone: 10.3.0
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2263
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Subscribe
Thank you for understanding, and we apologize for any inconvenience.
Login to comment on this ticket.