If uninstall fails in certain ways it is possible that some certificates could still be tracked by certmonger (even if the NSS database is now gone). This will loop through the directories we care about and warn the user if there is anything left over.

I added some basic test instructions to the ticket.

>From 258f629e0dc01e319764ab5e120bcfab848767ae Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Tue, 23 Oct 2012 16:31:37 -0400
Subject: [PATCH] After unininstall see if certmonger is still tracking any of
 our certs.

Rather than providing a list of nicknames I'm going to look at the NSS
databases directly. Anything in there is suspect and this will help
future-proof us.

certmonger may be tracking other certificates but we only care about
a subset of them, so don't complain if there are other tracked certificates.

This reads the certmonger files directly so the service doesn't need
to be started.

 install/tools/ipa-server-install | 10 +++++++++-
 ipapython/certmonger.py          | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+), 1 deletion(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index cc25fb85500b6a97e71c822a882cf6f2aca4f0a0..3b03357185b6f8ff3a13db163a716ce79e7e5bfe 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -52,6 +52,7 @@ from ipaserver.install import sysupgrade
 from ipaserver.install import service, installutils
 from ipapython import version
+from ipapython import certmonger
 from ipaserver.install.installutils import *
 from ipaserver.plugins.ldap2 import ldap2
@@ -527,7 +528,14 @@ def uninstall():
             rv = 1
     if has_state:
-        root_logger.warning('Some installation state has not been restored.\nThis will cause re-installation to fail.\nIt should be safe to remove /var/lib/ipa/sysrestore.state but it may\nmean your system hasn\'t be restored to its pre-installation state.')
+        root_logger.error('Some installation state has not been restored.\nThis may cause re-installation to fail.\nIt should be safe to remove /var/lib/ipa/sysrestore.state but it may\nmean your system hasn\'t be restored to its pre-installation state.')
+    # Note that this name will be wrong after the first uninstall.
+    dirname = dsinstance.config_dirname(dsinstance.realm_to_serverid(api.env.realm))
+    dirs = [dirname, dogtag.configured_constants().ALIAS_DIR, certs.NSS_DIR]
+    ids = certmonger.check_state(dirs)
+    if ids:
+        root_logger.error('Some certificates may still be tracked by certmonger.\nThis will cause re-installation to fail.\nStart the certmonger service and list the certificates being tracked\n # getcert list\nThese may be untracked by executing\n # getcert stop-tracking -i <request_id>\nfor each id in: %s' % ', '.join(ids))
     return rv
diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index 9cc4466c61108a863eb76b1ff67bef559a9228d0..f823a6deccbae8dcabc23867bbe90b56fbbb390a 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -114,6 +114,24 @@ def get_request_id(criteria):
     return reqid
+def get_requests_for_dir(dir):
+    """
+    Return a list containing the request ids for a given NSS database
+    directory.
+    """
+    reqid=[]
+    fileList=os.listdir(REQUEST_DIR)
+    for file in fileList:
+        rv = find_request_value('%s/%s' % (REQUEST_DIR, file),
+                                'cert_storage_location')
+        if rv:
+            rv = os.path.abspath(rv)
+        if rv.rstrip() == dir:
+            reqid.append(find_request_value('%s/%s' % (REQUEST_DIR, file), 'id').rstrip())
+    return reqid
 def add_request_value(request_id, directive, value):
     Add a new directive to a certmonger request file.
@@ -393,6 +411,21 @@ def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, command):
     (stdout, stderr, returncode) = ipautil.run(args, nolog=[pin])
+def check_state(dirs):
+    """
+    Given a set of directories and nicknames verify that we are no longer
+    tracking certificates.
+    dirs is a list of directories to test for. We will return a tuple
+    of nicknames for any tracked certificates found.
+    This can only check for NSS-based certificates.
+    """
+    reqids = []
+    for dir in dirs:
+        reqids.extend(get_requests_for_dir(dir))
+    return reqids
 if __name__ == '__main__':
     request_id = request_cert("/etc/httpd/alias", "Test", "cn=tiger.example.com,O=IPA", "HTTP/tiger.example....@example.com")

Freeipa-devel mailing list

Reply via email to