pki-bot / pki-issues-final


After uninstalling all KRA instances, dogtag still returns info that KRA instance exists somewhere #1692

Closed pki-bot closed 3 years ago

pki-bot commented 3 years ago

This issue was migrated from Pagure Issue #1704. Originally filed by mbasti (@MartinBasti) on 2015-11-25 18:42:47:


Hello,

in IPA project we hit this bug https://fedorahosted.org/freeipa/ticket/5469

When all KRA instances are uninstalled, the following method, 'is_installing_replica', still returns True, which in the IPA context means that a KRA still exists on some server:

from pki.client import PKIConnection
import pki.system

def get_security_domain():
    """
    Get the security domain from the REST interface on the local Dogtag CA
    This function will succeed if the local dogtag CA is up.
    """
    connection = PKIConnection()
    domain_client = pki.system.SecurityDomainClient(connection)
    info = domain_client.get_security_domain_info()
    return info

def is_installing_replica(sys_type):
    """
    We expect only one of each type of Dogtag subsystem in an IPA deployment.
    That means that if a subsystem of the specified type has already been
    deployed - and therefore appears in the security domain - then we must be
    installing a replica.
    """
    info = get_security_domain()
    try:
        sys_list = info.systems[sys_type]
        return len(sys_list.hosts) > 0
    except KeyError:
        return False

sys_type = "KRA"
>>> print(repr(sys_list.hosts))
{u'KRA vm-058-094.example.com 443': <pki.system.SecurityDomainHost object at 0x7f95171b9510>}

Uninstallation of KRA is done with the following command:

pkidestroy -i pki-tomcat -s KRA

This is reproducible with just one server too:

ipa-server-install
ipa-kra-install
ipa-kra-install --uninstall
ipa-kra-install

Let me know if you need additional info.

pki-bot commented 3 years ago

Comment from mbasti (@MartinBasti) at 2015-11-25 19:09:22

KRA uninstall log pki-kra-destroy.20151125142641.log

pki-bot commented 3 years ago

Comment from cheimes (@tiran) at 2015-11-25 20:14:42

The uninstaller fails to remove the security domain information from LDAP. We suspect that the sslget call is wrong. I haven't figured out the correct call yet.

2015-11-25 19:10:57 pkidestroy  : WARNING  ....... Failed to deregister KRA connector vm-058-094.abc.idm.lab.eng.brq.redhat.com:443 from CA vm-058-094.abc.idm.lab.eng.brq.redhat.com:443
2015-11-25 19:10:57 pkidestroy  : INFO     ....... contacting the security domain master to update security domain 'IPA'
2015-11-25 19:10:57 pkidestroy  : WARNING  ....... this 'KRA' entry will NOT be deleted from security domain 'IPA'!
2015-11-25 19:10:57 pkidestroy  : WARNING  ....... security domain 'IPA' may be offline or unreachable!
2015-11-25 19:10:57 pkidestroy  : ERROR    ....... subprocess.CalledProcessError:  Command '['/usr/bin/sslget', '-n', 'subsystemCert cert-pki-ca', '-p', '938967013969', '-d', '/etc/pki/pki-tomcat/alias', '-e', 'name="/var/lib/pki/pki-tomcat"&type=KRA&list=kraList&host=vm-058-094.abc.idm.lab.eng.brq.redhat.com&sport=443&ncsport=443&adminsport=443&agentsport=443&operation=remove', '-v', '-r', '/ca/agent/ca/updateDomainXML', 'vm-058-094.abc.idm.lab.eng.brq.redhat.com:443']' returned non-zero exit status 3!

I was able to install KRA again after I removed the security domain for the KRA instance:

ldapdelete -H ldapi://%2fvar%2frun%2fslapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM.socket "cn=vm-058-094.abc.idm.lab.eng.brq.redhat.com:443,cn=KRAList,ou=Security Domain,o=ipaca"
pki-bot commented 3 years ago

Comment from cheimes (@tiran) at 2015-11-25 21:04:03

sslget fails with an HTTP/1.1 400 Bad Request. The Apache error log contains this line:

[Wed Nov 25 19:57:02.505877 2015] [:error] [pid 12657] Hostname vm-058-094.abc.idm.lab.eng.brq.redhat.com provided via SNI, but no hostname provided in HTTP request

It looks like a bug in sslget. It doesn't set a Host header.

pki-bot commented 3 years ago

Comment from cheimes (@tiran) at 2015-11-26 13:27:53

The problem seems to be limited to Fedora. I wasn't able to reproduce the issue on a fresh RHEL 7.2 server. ipa-kra-install --uninstall successfully removed the KRA entry from LDAP.

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2015-11-30 20:40:57

Per CS/DS meeting of 11/30/2015 - 10.3 blocker

pki-bot commented 3 years ago

Comment from cheimes (@tiran) at 2015-12-14 13:25:48

attachment pki-tiran-0043-sslget-must-set-Host-HTTP-header.patch

pki-bot commented 3 years ago

Comment from cheimes (@tiran) at 2015-12-14 13:28:25

attachment pki-tiran-0043-2-sslget-must-set-Host-HTTP-header.patch

pki-bot commented 3 years ago

Comment from cheimes (@tiran) at 2015-12-14 18:51:37

The problem occurs on systems with mod_nss >= 1.0.12. Since https://git.fedorahosted.org/cgit/mod_nss.git/tree/ChangeLog#n18 mod_nss supports SNI. Apache HTTPD requires an HTTP Host header for SNI requests. With TLS SNI but without an HTTP Host header, an HTTP/1.1 400 Bad Request is returned to the client.
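The failure mode described in this thread, as an added example that is not code from the pki project or from the participants: it serialises the HTTP/1.1 request a client like sslget should send (with and without the Host header) and mirrors the SNI/Host consistency check an SNI-aware httpd performs before dispatching the request. The hostname and request path are taken from the log above; `build_request`, `parse_headers` and `server_check` are names chosen for this example.

```python
# Added example: why a TLS request that sets SNI must also carry an HTTP/1.1
# Host header. Not part of sslget or httpd; it models the check described above.

SNI_NAME = "vm-058-094.abc.idm.lab.eng.brq.redhat.com"  # hostname from the log
PATH = "/ca/agent/ca/updateDomainXML"                    # URI sslget requested


def build_request(method, path, host, port, body=b"", with_host_header=True):
    """Serialise an HTTP/1.1 request. with_host_header=False reproduces the
    pre-fix behaviour: SNI is set on the TLS layer, but no Host header is sent."""
    lines = ["%s %s HTTP/1.1" % (method, path)]
    if with_host_header:
        lines.append("Host: %s:%d" % (host, port))
    lines.append("Content-Length: %d" % len(body))
    if body:
        lines.append("Content-Type: application/x-www-form-urlencoded")
    lines.append("Connection: close")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body


def parse_headers(raw):
    """Split a raw request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("ascii").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def server_check(raw, sni_name):
    """Model of httpd's check: on a TLS connection where the client sent SNI,
    the HTTP request must carry a Host header whose name matches the SNI name.
    Returns (status, reason); 400 reproduces the error-log line quoted above."""
    _, headers, _ = parse_headers(raw)
    host = headers.get("host")
    if host is None:
        return 400, ("Hostname %s provided via SNI, but no hostname provided "
                     "in HTTP request" % sni_name)
    hostname = host.rsplit(":", 1)[0].lower()   # strip the :port suffix
    if hostname != sni_name.lower():
        return 400, ("Hostname %s provided via SNI and hostname %s provided "
                     "via HTTP are different" % (sni_name, hostname))
    return 200, "OK"


if __name__ == "__main__":
    form = b"type=KRA&operation=remove"          # constructed, shortened body
    broken = build_request("POST", PATH, SNI_NAME, 443, form, with_host_header=False)
    fixed = build_request("POST", PATH, SNI_NAME, 443, form)
    print(server_check(broken, SNI_NAME))        # 400: the pre-fix sslget case
    print(server_check(fixed, SNI_NAME))         # 200: Host header present
```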

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2015-12-16 01:15:54

sslget must set Host HTTP header

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2015-12-16 01:18:46

Fixed in pki-core-10.2.6-13.fc23: https://bodhi.fedoraproject.org/updates/FEDORA-2015-c7dd78ac78

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2015-12-17 02:25:21

Also fixed in pki-core-10.2.6-13.fc24

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2016-01-26 23:40:31

Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1302127

pki-bot commented 3 years ago

Comment from mbasti (@MartinBasti) at 2017-02-27 14:09:51

Metadata Update from @MartinBasti: