lejeczek via FreeIPA-users wrote:
>
>
> On 18/01/2022 13:36, lejeczek via FreeIPA-users wrote:
>> Hi guys,
>>
>> That's new, well, I've never seen it. I got on a replica candidate so
>> I thought I'd make a first new master and yet:
>>
>> -> $ ipa-server-install --setup-dns --setup-kra --no-forwarders
>> --idstart=57400000 --admin-password=diradm --ds-password=dirsrv
>> --enable-compat --setup-adtrust
>> ...
>>   [6/9]: configure certificate renewals
>>   [error] DBusException: org.fedorahosted.certmonger.duplicate: Certificate at same location is already used by request with nickname "20210709164208".
>> org.fedorahosted.certmonger.duplicate: Certificate at same location is already used by request with nickname "20210709164208".
>> The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
>>
>> in log file:
>> ...
>> 2022-01-18T13:30:02Z DEBUG   [6/9]: configure certificate renewals
>> 2022-01-18T13:30:02Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2022-01-18T13:30:03Z DEBUG Traceback (most recent call last):
>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
>>     method()
>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 486, in configure_renewal
>>     profile=self.tracking_reqs[nickname],
>>   File "/usr/lib/python3.6/site-packages/ipalib/install/certmonger.py", line 576, in start_tracking
>>     result = cm.obj_if.add_request(params)
>>   File "/usr/lib64/python3.6/site-packages/dbus/proxies.py", line 145, in __call__
>>     **keywords)
>>   File "/usr/lib64/python3.6/site-packages/dbus/connection.py", line 651, in call_blocking
>>     message, timeout)
>> dbus.exceptions.DBusException: org.fedorahosted.certmonger.duplicate: Certificate at same location is already used by request with nickname "20210709164208".
>>
>> 2022-01-18T13:30:03Z DEBUG   [error] DBusException: org.fedorahosted.certmonger.duplicate: Certificate at same location is already used by request with nickname "20210709164208".
>> 2022-01-18T13:30:03Z DEBUG Removing /var/lib/ipa/tmp-brry92se
>> 2022-01-18T13:30:03Z DEBUG Removing /root/.dogtag/pki-tomcat/kra
>> 2022-01-18T13:30:03Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
>>     return_value = self.run()
>>   File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 342, in run
>>     return cfgr.run()
>>   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run
>>     return self.execute()
>>   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute
>>     for rval in self._executor():
>>   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
>>     exc_handler(exc_info)
>>   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
>>
>> How could this be, with first master??
>> many thanks, L.
>> _______________________________________________
>>
> I've missed the following the first time on that failing box:
> -> $ ipa-server-install --uninstall
> ...
> If this server is the last instance of CA, KRA, or DNSSEC master, uninstallation may result in data loss.
> Are you sure you want to continue with the uninstall procedure? [no]: yes
> Failed to get request: Criteria expected to be met by 1 request, got 2.
> certmonger failed to stop tracking certificate: Criteria expected to be met by 1 request, got 2.
> Failed to get request: Criteria expected to be met by 1 request, got 2.
> certmonger failed to stop tracking certificate: Criteria expected to be met by 1 request, got 2.
> Failed to get request: Criteria expected to be met by 1 request, got 2.
> certmonger failed to stop tracking certificate: Criteria expected to be met by 1 request, got 2.
> Shutting down all IPA services
> Failed to remove DS instance. No serverid present in sysrestore file.
> Some certificates may still be tracked by certmonger.
> This will cause re-installation to fail.
> Start the certmonger service and list the certificates being tracked
>  # getcert list
> These may be untracked by executing
>  # getcert stop-tracking -i <request_id>
> for each id in: 20210709164208, 20210709164209, 20210709164210, 20220116175552, 20220116175553, 20220116175554
> Removing IPA client configuration
> The ipa-client-install command was successful
> The ipa-server-install command was successful
>
> What would that be a symptom of, and why would '--uninstall' not take care of
> such a case? (where never any CA management took place outside of IPA)

Because automatically removing certs and keys seems like a bad idea. It is perfectly acceptable for users to create additional certificates on an IPA server. This is a warning that there are leftovers that need to be examined by a human.

rob
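
The uninstall errors quoted above ("Criteria expected to be met by 1 request, got 2") point to more than one certmonger request matching the same certificate. As an added example (not part of the thread and not FreeIPA code), this shell function groups `getcert list` output by certificate storage so the leftover requests can be reviewed before any `getcert stop-tracking -i <request_id>`; the sample output, its request IDs and the assumed field layout are constructed for illustration.

```shell
#!/bin/sh
# Added example: find certmonger requests that track the same certificate.

# Reads `getcert list` output on stdin and prints, for every certificate
# storage tracked by more than one request: "<storage><TAB><id> <id> ...".
find_duplicate_tracking() {
    awk '
        /^Request ID / {
            id = $3
            gsub(/[^0-9A-Za-z_.-]/, "", id)   # drop quotes and trailing colon
            next
        }
        /^[ \t]*certificate: / {
            loc = $0
            sub(/^[ \t]*certificate: /, "", loc)
            if (loc in ids) { ids[loc] = ids[loc] " " id; dup[loc] = 1 }
            else            { ids[loc] = id; order[++n] = loc }
        }
        END {
            for (i = 1; i <= n; i++)
                if (order[i] in dup) printf "%s\t%s\n", order[i], ids[order[i]]
        }
    '
}

# Constructed sample (not from the thread): requests 1 and 3 share a location.
sample_getcert_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20000101000001':
    status: MONITORING
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
Request ID '20000101000002':
    status: MONITORING
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
Request ID '20000101000003':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
EOF
}

sample_getcert_list | find_duplicate_tracking
```

On a host with certmonger running, the same function takes live input as `getcert list | find_duplicate_tracking`; it only reports and never untracks anything.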
