On 10/29/2012 04:48 PM, Petr Viktorin wrote:
On 10/26/2012 02:25 PM, Petr Viktorin wrote:
On 10/26/2012 02:20 PM, Petr Viktorin wrote:
Attached are this thread's patches rebased and squashed into one.


... and here is a patch to address replication problems related to
merging the schemata of the IPA and CA databases. See the commit message
for details.

https://fedorahosted.org/freeipa/ticket/3213


With the previous patch, if an old split-database DT9 CA was installed,
ipa-ca-install didn't detect this, started installing another CA, and
then failed a bit later in the process.

I've added a check for this to the patch.



Two more modifications are needed to support installing a CA on an old replica. See commit messages for details. Here is the first one.


--
Petr³
From f9afe21a6389a97bc642522f2217a995e1a2ecec Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Wed, 31 Oct 2012 10:37:33 -0400
Subject: [PATCH] Use correct Dogtag configuration in get_pin and
 get_ca_certchain

Some install utilities used Dogtag configuration before Dogtag
was configured. Fix by passing the relevant dogtag_constants
where they're needed.
---
 ipapython/certmonger.py         |    6 ++++--
 ipapython/dogtag.py             |    6 ++++--
 ipaserver/install/cainstance.py |   26 +++++++++++++-------------
 3 files changed, 21 insertions(+), 17 deletions(-)

diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index 9cc4466c61108a863eb76b1ff67bef559a9228d0..445165dfb9498e7f3ffe682a7489158246bf1514 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -332,13 +332,15 @@ def remove_principal_from_cas():
         fp.close()
 
 # Routines specific to renewing dogtag CA certificates
-def get_pin(token):
+def get_pin(token, dogtag_constants=None):
     """
     Dogtag stores its NSS pin in a file formatted as token:PIN.
 
     The caller is expected to handle any exceptions raised.
     """
-    with open(dogtag.configured_constants().PASSWORD_CONF_PATH, 'r') as f:
+    if dogtag_constants is None:
+        dogtag_constants = dogtag.configured_constants()
+    with open(dogtag_constants.PASSWORD_CONF_PATH, 'r') as f:
         for line in f:
             (tok, pin) = line.split('=', 1)
             if token == tok:
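Review bot: The new `dogtag_constants` parameter is not described in the docstring, and the reason it exists — install-time callers run before Dogtag is configured, so `dogtag.configured_constants()` would not yet describe the instance being set up — lives only in the commit message. I would extend the docstring with `dogtag_constants: constants of the Dogtag instance whose password.conf to read; defaults to dogtag.configured_constants(), which is only valid once Dogtag has been configured.` The docstring's `token:PIN` format also disagrees with the `line.split('=', 1)` parse directly below it, and a line without `=` raises `ValueError` rather than `IOError`, which matters for callers that catch only the latter. get_pin's body continues past the hunk.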
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 067a66afbcca805c1a967bc85d2da89f317d4f50..1b428d20e7eb80225470449eece88c6d6fc01989 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -149,15 +149,17 @@ def error_from_xml(doc, message_template):
         return errors.RemoteRetrieveError(reason=message_template % e)
 
 
-def get_ca_certchain(ca_host=None):
+def get_ca_certchain(ca_host=None, dogtag_constants=None):
     """
     Retrieve the CA Certificate chain from the configured Dogtag server.
     """
     if ca_host is None:
         ca_host = api.env.ca_host
+    if dogtag_constants is None:
+        dogtag_constants = configured_constants()
     chain = None
     conn = httplib.HTTPConnection(ca_host,
-        api.env.ca_install_port or configured_constants().UNSECURE_PORT)
+        api.env.ca_install_port or dogtag_constants.UNSECURE_PORT)
     conn.request("GET", "/ca/ee/ca/getCertChain")
     res = conn.getresponse()
     doc = None
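Review bot: The new `dogtag_constants` parameter is undocumented, and the docstring should also carry the caveat that the chain is fetched with a plain `httplib.HTTPConnection` on `ca_install_port` or `UNSECURE_PORT`, so nothing in this function authenticates the server or the chain it hands back. Suggested docstring additions: `dogtag_constants: Dogtag constants to take the port from; defaults to configured_constants(), which is only valid after Dogtag has been configured.` and `NOTE: the chain is retrieved over unauthenticated HTTP; callers must check it against an out-of-band trusted copy before installing it.` Whether the caller does that check is outside this hunk, and get_ca_certchain's body continues past it.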
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 83752579dab0ad9075b93047b8b9a7699f967405..10c68fb754e7521da3d5632a13f51140c81f510c 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1087,7 +1087,8 @@ class CAInstance(service.Service):
 
     def __get_ca_chain(self):
         try:
-            return dogtag.get_ca_certchain(ca_host=self.fqdn)
+            return dogtag.get_ca_certchain(ca_host=self.fqdn,
+                dogtag_constants=self.dogtag_constants)
         except Exception, e:
             raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
 
@@ -1383,11 +1384,16 @@ class CAInstance(service.Service):
         with open(HTTPD_CONFD + "ipa-pki-proxy.conf", "w") as fd:
             fd.write(template)
 
+    def __get_ca_pin(self):
+        try:
+            return certmonger.get_pin('internal',
+                dogtag_constants=self.dogtag_constants)
+        except IOError, e:
+            raise RuntimeError(
+                'Unable to determine PIN for CA instance: %s' % str(e))
+
     def track_servercert(self):
-        try:
-            pin = certmonger.get_pin('internal')
-        except IOError, e:
-            raise RuntimeError('Unable to determine PIN for CA instance: %s' % str(e))
+        pin = self.__get_ca_pin()
         certmonger.dogtag_start_tracking(
             'dogtag-ipa-renew-agent', 'Server-Cert cert-pki-ca', pin, None,
             self.dogtag_constants.ALIAS_DIR,
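Review bot: `__get_ca_pin` converts only `IOError` into the RuntimeError, but `certmonger.get_pin` (patched in this same commit) unpacks `line.split('=', 1)` into two names and so raises `ValueError` on a password.conf line without `=`, while its docstring says the caller is expected to handle any exception; that traceback would now escape from all three call sites consolidated onto the helper. I would widen the handler to `except (IOError, ValueError), e:` so a malformed password.conf is reported the same way as a missing one. The helper also deserves a one-line docstring, `"""Read the 'internal' token PIN of this CA instance's NSS database."""`. track_servercert continues past the hunk.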
@@ -1399,10 +1405,7 @@ class CAInstance(service.Service):
         ipaservices.knownservices.messagebus.start()
         cmonger.start()
 
-        try:
-            pin = certmonger.get_pin('internal')
-        except IOError, e:
-            raise RuntimeError('Unable to determine PIN for CA instance: %s' % str(e))
+        pin = self.__get_ca_pin()
 
         # Server-Cert cert-pki-ca is renewed per-server
         for nickname in ['auditSigningCert cert-pki-ca',
@@ -1445,10 +1448,7 @@ class CAInstance(service.Service):
         certificate is available. If it is then it gets installed.
         """
 
-        try:
-            pin = certmonger.get_pin('internal')
-        except IOError, e:
-            raise RuntimeError('Unable to determine PIN for CA instance: %s' % str(e))
+        pin = self.__get_ca_pin()
 
         # Server-Cert cert-pki-ca is renewed per-server
         for nickname in ['auditSigningCert cert-pki-ca',
-- 
1.7.7.6
