Closed pki-bot closed 3 years ago
Comment from mbasti (@MartinBasti) at 2015-11-25 19:09:22
KRA uninstall log pki-kra-destroy.20151125142641.log
Comment from cheimes (@tiran) at 2015-11-25 20:14:42
The uninstaller fails to remove the security domain information from LDAP. We suspect that the sslget call is wrong. I haven't figured out the correct call yet.
2015-11-25 19:10:57 pkidestroy : WARNING ....... Failed to deregister KRA connector vm-058-094.abc.idm.lab.eng.brq.redhat.com:443 from CA vm-058-094.abc.idm.lab.eng.brq.redhat.com:443
2015-11-25 19:10:57 pkidestroy : INFO ....... contacting the security domain master to update security domain 'IPA'
2015-11-25 19:10:57 pkidestroy : WARNING ....... this 'KRA' entry will NOT be deleted from security domain 'IPA'!
2015-11-25 19:10:57 pkidestroy : WARNING ....... security domain 'IPA' may be offline or unreachable!
2015-11-25 19:10:57 pkidestroy : ERROR ....... subprocess.CalledProcessError: Command '['/usr/bin/sslget', '-n', 'subsystemCert cert-pki-ca', '-p', '938967013969', '-d', '/etc/pki/pki-tomcat/alias', '-e', 'name="/var/lib/pki/pki-tomcat"&type=KRA&list=kraList&host=vm-058-094.abc.idm.lab.eng.brq.redhat.com&sport=443&ncsport=443&adminsport=443&agentsport=443&operation=remove', '-v', '-r', '/ca/agent/ca/updateDomainXML', 'vm-058-094.abc.idm.lab.eng.brq.redhat.com:443']' returned non-zero exit status 3!
I was able to install KRA again after I removed the security domain for the KRA instance:
ldapdelete -H ldapi://%2fvar%2frun%2fslapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM.socket "cn=vm-058-094.abc.idm.lab.eng.brq.redhat.com:443,cn=KRAList,ou=Security Domain,o=ipaca"
Comment from cheimes (@tiran) at 2015-11-25 21:04:03
sslget fails with an HTTP/1.1 400 Bad Request. The Apache error log contains this line:
[Wed Nov 25 19:57:02.505877 2015] [:error] [pid 12657] Hostname vm-058-094.abc.idm.lab.eng.brq.redhat.com
provided via SNI, but no hostname provided in HTTP request
It looks like a bug in sslget. It doesn't set a Hostname header.
Comment from cheimes (@tiran) at 2015-11-26 13:27:53
The problem seems to be limited to Fedora. I wasn't able to reproduce the issue on a fresh RHEL 7.2 server. ipa-kra-install --uninstall successfully removed the KRA entry from LDAP.
Comment from mharmsen (@mharmsen) at 2015-11-30 20:40:57
Per CS/DS meeting of 11/30/2015 - 10.3 blocker
Comment from cheimes (@tiran) at 2015-12-14 13:25:48
attachment pki-tiran-0043-sslget-must-set-Host-HTTP-header.patch
Comment from cheimes (@tiran) at 2015-12-14 13:28:25
attachment pki-tiran-0043-2-sslget-must-set-Host-HTTP-header.patch
Comment from cheimes (@tiran) at 2015-12-14 18:51:37
The problem occurs on systems with mod_nss >= 1.0.12. Since https://git.fedorahosted.org/cgit/mod_nss.git/tree/ChangeLog#n18 mod_nss supports SNI. Apache HTTPD requires an HTTP Host header for SNI requests. With TLS SNI but without an HTTP Host header, an HTTP/1.1 400 Bad Request is returned to the client.
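The comment above describes the rule behind the 400: once the client names the server in the TLS ClientHello (SNI), Apache insists on a matching HTTP Host header. The following is an added example, not code from sslget, pki-core or mod_nss, that builds the request both ways (the header-less form that fails and the fixed form with Host) and models the server-side check so the failure can be reproduced offline. The hostname kra.example.test, the paths and the query parameters are constructed for illustration; the "names differ" branch mirrors the companion check in Apache mod_ssl and is assumed to apply to mod_nss as well.

```python
"""Model of the rule that bit sslget: a TLS client that sends a server name via
SNI must also send an HTTP Host header, or Apache (mod_nss >= 1.0.12 here,
mod_ssl in general) answers 400 Bad Request.

Added example; not sslget, pki-core or mod_nss code. Hostnames, paths and
query parameters are constructed for illustration.
"""
import socket
import ssl
from urllib.parse import urlencode


def build_request(host, port, path, params=None, with_host_header=True):
    """Build the raw GET request an sslget-style client sends.

    with_host_header=False reproduces the failure from the ticket: the server
    name travels on the TLS layer (SNI) but not on the HTTP layer. HTTP/1.1
    makes Host mandatory, so the header-less variant is written as HTTP/1.0,
    the only version in which it is well-formed.
    """
    target = f"{path}?{urlencode(params)}" if params else path
    version = "HTTP/1.1" if with_host_header else "HTTP/1.0"
    lines = [f"GET {target} {version}"]
    if with_host_header:
        # Include the port only when it is not the https default (RFC 7230 5.4).
        lines.append(f"Host: {host}" if port == 443 else f"Host: {host}:{port}")
    lines.append("Connection: close")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_request(raw):
    """Split a raw request into (method, target, version, {lowercased header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def host_without_port(host_value):
    """Strip an optional :port; IPv6 literals are bracketed, so keep those whole."""
    if host_value.startswith("["):
        return host_value.split("]", 1)[0] + "]"
    return host_value.rsplit(":", 1)[0]


def sni_host_check(sni_name, raw):
    """Apply the server-side check run after the handshake on a name-based vhost.

    Returns (status, reason). 400 when SNI was sent but Host is absent, which is
    the exact failure in the ticket. The mismatch branch mirrors the companion
    check in Apache mod_ssl (assumed here to hold for mod_nss too).
    """
    _, _, _, headers = parse_request(raw)
    host = headers.get("host")
    if sni_name is None:
        return 200, "no SNI, nothing to compare"
    if host is None:
        return 400, f"Hostname {sni_name} provided via SNI, but no hostname provided in HTTP request"
    if host_without_port(host).lower() != sni_name.lower():
        return 400, f"Hostname {sni_name} provided via SNI and hostname {host} provided via HTTP are different"
    return 200, "SNI and Host agree"


def send_over_tls(host, port, raw, cafile=None):
    """Send a raw request with SNI set (needs a reachable server; not used offline).

    server_hostname= is what places the name in the TLS ClientHello, so any
    request sent this way must also carry a matching Host header.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(raw)
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    params = {"type": "KRA", "list": "kraList", "host": "kra.example.test",
              "sport": "443", "operation": "remove"}
    path = "/ca/agent/ca/updateDomainXML"
    broken = build_request("kra.example.test", 443, path, params, with_host_header=False)
    fixed = build_request("kra.example.test", 443, path, params)
    print(sni_host_check("kra.example.test", broken))  # (400, ...)
    print(sni_host_check("kra.example.test", fixed))   # (200, ...)
```

The check is deliberately applied to the name in the Host header with the port stripped, since the SNI extension carries only the host name; a client that puts `host:port` in Host still passes.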
Comment from mharmsen (@mharmsen) at 2015-12-16 01:15:54
sslget must set Host HTTP header
Comment from mharmsen (@mharmsen) at 2015-12-16 01:18:46
Fixed in pki-core-10.2.6-13.fc23: https://bodhi.fedoraproject.org/updates/FEDORA-2015-c7dd78ac78
Comment from mharmsen (@mharmsen) at 2015-12-17 02:25:21
Also fixed in pki-core-10.2.6-13.fc24
Comment from mharmsen (@mharmsen) at 2016-01-26 23:40:31
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1302127
Comment from mbasti (@MartinBasti) at 2017-02-27 14:09:51
Metadata Update from @MartinBasti:
This issue was migrated from Pagure Issue #1704. Originally filed by mbasti (@MartinBasti) on 2015-11-25 18:42:47:
Hello,
in IPA project we hit this bug https://fedorahosted.org/freeipa/ticket/5469
When all KRA instances are uninstalled, the following method, 'is_installing_replica', still returns True, which in the IPA context means that a KRA still exists on some server.
Uninstallation of KRA is done with following command:
This is reproducible with just one server too:
Let me know if you need additional info.