Bug
Resolution: Done
certsys-10.6
Description of problem:
pkidestroy -s <subsystem> -i <instance> command is failing to remove pki subsystems
Version-Release number of selected component (if applicable):
RHEL 8.8 RHCS 10.6
How reproducible:
Always
Steps to Reproduce:
1. Install Subsystems on a VM
2. Verify they are enabled and active
3. Use pkidestroy command to uninstall
Actual results:
for s in CA KRA OCSP TKS TPS; do pkidestroy -s $s -i topology-02-$s;done
Loading deployment configuration from /var/lib/pki/topology-02-CA/ca/registry/ca/deployment.cfg.
Uninstalling CA from /var/lib/pki/topology-02-CA.
Uninstallation complete.
Loading deployment configuration from /var/lib/pki/topology-02-KRA/kra/registry/kra/deployment.cfg.
Uninstalling KRA from /var/lib/pki/topology-02-KRA.
ERROR: unable to access security domain. Continuing .. HTTPSConnectionPool(host='pki1.example.com', port=20443): Max retries exceeded with url: /ca/rest/securityDomain/domainInfo (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fae558f1048>: Failed to establish a new connection: [Errno 111] Connection refused',))
PKIException: Not Found
ERROR: Unable to remove KRA from security domain
ERROR: To remove manually:
ERROR: $ pki -U https://pki1.example.com:21443 -n <admin> securitydomain-host-del "KRA pki1.example.com 21443"
ERROR: Command '['pki', '-d', '/etc/pki/topology-02-KRA/alias', '-f', '/etc/pki/topology-02-KRA/password.conf', '-n', 'subsystemCert cert-topology-02-KRA', '-U', 'https://pki1.example.com:21443', '--ignore-banner', 'securitydomain-leave', '--type', 'KRA', '--hostname', 'pki1.example.com', '--secure-port', '21443', 'KRA pki1.example.com 21443']' returned non-zero exit status 255.
ERROR: CalledProcessError: Command '['pki', '-d', '/etc/pki/topology-02-KRA/alias', '-f', '/etc/pki/topology-02-KRA/password.conf', '-n', 'subsystemCert cert-topology-02-KRA', '-U', 'https://pki1.example.com:21443', '--ignore-banner', 'securitydomain-leave', '--type', 'KRA', '--hostname', 'pki1.example.com', '--secure-port', '21443', 'KRA pki1.example.com 21443']' returned non-zero exit status 255.
File "/usr/lib/python3.6/site-packages/pki/server/pkidestroy.py", line 255, in main
scriptlet.destroy(deployer)
File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/initialization.py", line 220, in destroy
deployer.leave_security_domain(instance, subsystem)
File "/usr/lib/python3.6/site-packages/pki/server/deployment/__init__.py", line 1385, in leave_security_domain
secure_port)
File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line 1554, in leave_security_domain
subprocess.check_call(cmd)
File "/usr/lib64/python3.6/subprocess.py", line 311, in check_call
raise CalledProcessError(retcode, cmd)
Uninstallation failed: Command failed: pki -d /etc/pki/topology-02-KRA/alias -f /etc/pki/topology-02-KRA/password.conf -n subsystemCert cert-topology-02-KRA -U https://pki1.example.com:21443 --ignore-banner securitydomain-leave --type KRA --hostname pki1.example.com --secure-port 21443 KRA pki1.example.com 21443
Loading deployment configuration from /var/lib/pki/topology-02-OCSP/ocsp/registry/ocsp/deployment.cfg.
Uninstalling OCSP from /var/lib/pki/topology-02-OCSP.
SEVERE: FATAL: SSL alert received: BAD_CERTIFICATE
IOException: SocketException cannot read on socket: Error reading from socket: (-12271) SSL peer cannot verify your certificate.
ERROR: Unable to remove OCSP from security domain
ERROR: To remove manually:
ERROR: $ pki -U https://pki1.example.com:22443 -n <admin> securitydomain-host-del "OCSP pki1.example.com 22443"
ERROR: Command '['pki', '-d', '/etc/pki/topology-02-OCSP/alias', '-f', '/etc/pki/topology-02-OCSP/password.conf', '-n', 'subsystemCert cert-topology-02-OCSP', '-U', 'https://pki1.example.com:22443', '--ignore-banner', 'securitydomain-leave', '--type', 'OCSP', '--hostname', 'pki1.example.com', '--secure-port', '22443', 'OCSP pki1.example.com 22443']' returned non-zero exit status 255.
ERROR: CalledProcessError: Command '['pki', '-d', '/etc/pki/topology-02-OCSP/alias', '-f', '/etc/pki/topology-02-OCSP/password.conf', '-n', 'subsystemCert cert-topology-02-OCSP', '-U', 'https://pki1.example.com:22443', '--ignore-banner', 'securitydomain-leave', '--type', 'OCSP', '--hostname', 'pki1.example.com', '--secure-port', '22443', 'OCSP pki1.example.com 22443']' returned non-zero exit status 255.
File "/usr/lib/python3.6/site-packages/pki/server/pkidestroy.py", line 255, in main
scriptlet.destroy(deployer)
File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/initialization.py", line 220, in destroy
deployer.leave_security_domain(instance, subsystem)
File "/usr/lib/python3.6/site-packages/pki/server/deployment/__init__.py", line 1385, in leave_security_domain
secure_port)
File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line 1554, in leave_security_domain
subprocess.check_call(cmd)
File "/usr/lib64/python3.6/subprocess.py", line 311, in check_call
raise CalledProcessError(retcode, cmd)
Uninstallation failed: Command failed: pki -d /etc/pki/topology-02-OCSP/alias -f /etc/pki/topology-02-OCSP/password.conf -n subsystemCert cert-topology-02-OCSP -U https://pki1.example.com:22443 --ignore-ban
Expected results:
Additional info: