On 18/01/2022 13:36, lejeczek via FreeIPA-users wrote: > Hi guys, > > That's new, well, I've never seen it. I got on a replica candidate so > I thought I'd make a first new master and yet: > > -> $ ipa-server-install --setup-dns --setup-kra --no-forwarders > --idstart=57400000 --admin-password=diradm --ds-password=dirsrv > --enable-compat --setup-adtrust > ... >   [6/9]: configure certificate renewals >   [error] DBusException: org.fedorahosted.certmonger.duplicate: > Certificate at same location is already used by request with nickname > "20210709164208". > org.fedorahosted.certmonger.duplicate: Certificate at same location is > already used by request with nickname "20210709164208". > The ipa-server-install command failed. See > /var/log/ipaserver-install.log for more information > > in log file: > ... > 2022-01-18T13:30:02Z DEBUG   [6/9]: configure certificate renewals > 2022-01-18T13:30:02Z DEBUG Loading StateFile from > '/var/lib/ipa/sysrestore/sysrestore.state' > 2022-01-18T13:30:03Z DEBUG Traceback (most recent call last): >   File > "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line > 635, in start_creation >     run_step(full_msg, method) >   File > "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line > 621, in run_step >     method() >   File > "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line > 486, in configur > e_renewal >     profile=self.tracking_reqs[nickname], >   File > "/usr/lib/python3.6/site-packages/ipalib/install/certmonger.py", line > 576, in start_tracking >     result = cm.obj_if.add_request(params) >   File "/usr/lib64/python3.6/site-packages/dbus/proxies.py", line 145, > in __call__ >     **keywords) >   File "/usr/lib64/python3.6/site-packages/dbus/connection.py", line > 651, in call_blocking >     message, timeout) > dbus.exceptions.DBusException: org.fedorahosted.certmonger.duplicate: > Certificate at same location i > s already used by request with nickname "20210709164208". > > 2022-01-18T13:30:03Z DEBUG   [error] DBusException: > org.fedorahosted.certmonger.duplicate: Certifica > te at same location is already used by request with nickname > "20210709164208". > 2022-01-18T13:30:03Z DEBUG Removing /var/lib/ipa/tmp-brry92se > 2022-01-18T13:30:03Z DEBUG Removing /root/.dogtag/pki-tomcat/kra > 2022-01-18T13:30:03Z DEBUG   File > "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 18 > 0, in execute >     return_value = self.run() >   File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", > line 342, in run >     return cfgr.run() >   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 360, in run >     return self.execute() >   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 386, in execute >     for rval in self._executor(): >   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 431, in __runner >     exc_handler(exc_info) >   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 460, in _handle_execute_ex > ception > > How could this be, with first master?? > many thanks, L. > _______________________________________________ > I've missed the following first time on that failing box: -> $ ipa-server-install --uninstall ... If this server is the last instance of CA, KRA, or DNSSEC master, uninstallation may result in data loss. Are you sure you want to continue with the uninstall procedure? [no]: yes Failed to get request: Criteria expected to be met by 1 request, got 2. certmonger failed to stop tracking certificate: Criteria expected to be met by 1 request, got 2. Failed to get request: Criteria expected to be met by 1 request, got 2. certmonger failed to stop tracking certificate: Criteria expected to be met by 1 request, got 2. Failed to get request: Criteria expected to be met by 1 request, got 2. certmonger failed to stop tracking certificate: Criteria expected to be met by 1 request, got 2. Shutting down all IPA services Failed to remove DS instance. No serverid present in sysrestore file. Some certificates may still be tracked by certmonger. This will cause re-installation to fail. Start the certmonger service and list the certificates being tracked  # getcert list These may be untracked by executing  # getcert stop-tracking -i <request_id> for each id in: 20210709164208, 20210709164209, 20210709164210, 20220116175552, 20220116175553, 20220116175554 Removing IPA client configuration The ipa-client-install command was successful The ipa-server-install command was successful What that be symptom of and why would '--uninstall' not take care of such case? (where never any CA management took place outside of IPA)