Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Uninstall with externally-signed CA leaves/root/.dogtag/pki-tomcat/ca (@pki/master) #4878

Open
flo-renaud opened this issue Oct 15, 2024 · 0 comments
Open

Uninstall with externally-signed CA leaves/root/.dogtag/pki-tomcat/ca (@pki/master) #4878

flo-renaud opened this issue Oct 15, 2024 · 0 comments

Comments

@flo-renaud
Copy link

Test scenario:

  • enable the copr repos @pki/master and @freeipa/freeipa-master-nightly, install freeipa-server-dns
  • do the first step of IPA installation with an externally-signed CA: ipa-server-install -n ipa.test -r IPA.TEST -a Secret123 -p Secret123 --setup-dns --forwarder 10.11.5.160 --external-ca --external-ca-type=ms-cs --external-ca-profile=1.2.3.4:100 -U
  • call uninstall because you realize the wrong profile was used: ipa-server-install --uninstall -U
  • The directory /root/.dogtag/pki-tomcat/ca is still present and contains left-overs:
# ls /root/.dogtag/pki-tomcat/ca
alias  password.conf  pkcs12_password.conf
  • re-do the first step of IPA installation with a different profile: ipa-server-install -n ipa.test -r IPA.TEST -a Secret123 -p Secret123 --setup-dns --forwarder 10.11.5.160 --external-ca --external-ca-type=ms-cs --external-ca-profile=1.2.3.4:200 -U
    The installation fails because the directory /root/.dogtag/pki-tomcat/ca already exists:
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/16]: configuring certificate server instance
Failed to configure CA instance
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Content of /var/log/ipaserver-install.log:

INFO: Storing registry config: /var/lib/pki/pki-tomcat/conf/ca/registry.cfg
DEBUG: Command: mkdir /root/.dogtag/pki-tomcat/ca
ERROR: FileExistsError: [Errno 17] File exists: '/root/.dogtag/pki-tomcat/ca'
  File "/usr/lib/python3.12/site-packages/pki/server/pkispawn.py", line 594, in main
    deployer.spawn()
  File "/usr/lib/python3.12/site-packages/pki/server/deployment/__init__.py", line 5798, in spawn
    scriptlet.spawn(self)
  File "/usr/lib/python3.12/site-packages/pki/server/deployment/scriptlets/security_databases.py", line 46, in spawn
    deployer.init_client_nssdb()
  File "/usr/lib/python3.12/site-packages/pki/server/deployment/__init__.py", line 972, in init_client_nssdb
    pki.util.makedirs(
  File "/usr/lib/python3.12/site-packages/pki/util.py", line 118, in makedirs
    os.makedirs(path, mode=mode, exist_ok=exist_ok)
  File "<frozen os>", line 225, in makedirs

Reproduced on fedora 40 with dogtag-pki-ca-11.6.0-0.1.alpha1.20241012013218UTC.34150e16.fc40.noarch
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@flo-renaud