Uninstall with externally-signed CA leaves/root/.dogtag/pki-tomcat/ca (@pki/master)

[flo-renaud]

Test scenario:

• enable the copr repos @pki/master and @freeipa/freeipa-master-nightly, install freeipa-server-dns
• do the first step of IPA installation with an externally-signed CA: ipa-server-install -n ipa.test -r IPA.TEST -a Secret123 -p Secret123 --setup-dns --forwarder 10.11.5.160 --external-ca --external-ca-type=ms-cs --external-ca-profile=1.2.3.4:100 -U
• call uninstall because you realize the wrong profile was used: ipa-server-install --uninstall -U
• The directory /root/.dogtag/pki-tomcat/ca is still present and contains left-overs:

# ls /root/.dogtag/pki-tomcat/ca
alias  password.conf  pkcs12_password.conf

• re-do the first step of IPA installation with a different profile: ipa-server-install -n ipa.test -r IPA.TEST -a Secret123 -p Secret123 --setup-dns --forwarder 10.11.5.160 --external-ca --external-ca-type=ms-cs --external-ca-profile=1.2.3.4:200 -U
  The installation fails because the directory /root/.dogtag/pki-tomcat/ca already exists:

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/16]: configuring certificate server instance
Failed to configure CA instance
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Content of /var/log/ipaserver-install.log:

INFO: Storing registry config: /var/lib/pki/pki-tomcat/conf/ca/registry.cfg
DEBUG: Command: mkdir /root/.dogtag/pki-tomcat/ca
ERROR: FileExistsError: [Errno 17] File exists: '/root/.dogtag/pki-tomcat/ca'
  File "/usr/lib/python3.12/site-packages/pki/server/pkispawn.py", line 594, in main
    deployer.spawn()
  File "/usr/lib/python3.12/site-packages/pki/server/deployment/__init__.py", line 5798, in spawn
    scriptlet.spawn(self)
  File "/usr/lib/python3.12/site-packages/pki/server/deployment/scriptlets/security_databases.py", line 46, in spawn
    deployer.init_client_nssdb()
  File "/usr/lib/python3.12/site-packages/pki/server/deployment/__init__.py", line 972, in init_client_nssdb
    pki.util.makedirs(
  File "/usr/lib/python3.12/site-packages/pki/util.py", line 118, in makedirs
    os.makedirs(path, mode=mode, exist_ok=exist_ok)
  File "<frozen os>", line 225, in makedirs

Reproduced on fedora 40 with dogtag-pki-ca-11.6.0-0.1.alpha1.20241012013218UTC.34150e16.fc40.noarch

[flo-renaud]

Linked to https://issues.redhat.com/browse/RHEL-75970, the problem also happens on RHEL 10.0 and 9.6

[edewata]

I think this issue was fixed recently in d7540ac. Could you try again? Thanks.

[flo-renaud]

Hi @edewata
tested with dogtag-pki-server-11.6.0-0.3.alpha3.20250205200539UTC.f1f894af.fc41.noarch and works now, thanks.

$ git log --pretty=ref
f1f894af99 (Fix missing sys.exit() in pki-server, 2025-02-05)     <---- tested version
cd0daf6157 (Update pkispawn to verify admin cert, 2025-02-03)
57387d8784 (Add PKCS12.get_cert(), 2025-02-04)
e4cfd4c6a1 (Add pki pkcs12-cert-export --cert-format, 2025-02-04)
d7540acbc6 (Update PKIDeployer.init_client_nssdb(), 2025-02-04)     <---- patch
d1c5850bd1 (Update pki.nssdb.convert_data(), 2025-02-04)
...

[edewata]

Thanks!