On 11/12/2012 12:21 PM, Petr Viktorin wrote:
On 11/08/2012 11:10 PM, Rob Crittenden wrote:


This may not be a new problem specific to this, I'm not sure yet, but
uninstall doesn't untrack all the certificates in the new tomcat
directory. It also seems to miss the ipaCert alias in httpd (my
post-install check caught only this one).

I'll look into this.

You're right. For some reason the cert untracking was part of the PKI DS uninstall step, so it didn't run on new installs. Also, the post-install check used configured_constants after the uninstallation unconfigured everything.

Fix attached.

It may also be helpful to combine all the required patches up to this
point into a single post, sort of a "we're ready for broader testing
checkpoint". Sifting through this long thread finding all the various
patches was tedious. I sure wouldn't want to actually push what I culled
because I'm not 100% sure I got them all.

Attached.


For convenience, I've also pushed the changes to a personal repository. To fetch to branch "pviktori-dogtag-10" you can do:

git fetch -f git://github.com/encukou/freeipa.git dogtag-10:pviktori-dogtag-10

(It's a WIP branch. I will be rebasing it. You might need --force when pulling. Let the Git gods have mercy on my soul.)

--
Petr³
From 56ef6326a0f3b8e35c219daa21b696dab5c52c1f Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Mon, 12 Nov 2012 09:49:46 -0500
Subject: [PATCH] Properly stop tracking certificates on uninstall

Stopping certificate tracking was done as part of the PKI DS uninstall.
Since with the merged DB, the PKI DS is not used any more, this step
was skipped.
Move certificate untracking to a separate step and call it separately.

Also, the post-uninstall check for tracked certificates used the wrong
set of Dogtag constants. Fix the issue.
---
 install/tools/ipa-server-install |    5 +++--
 ipaserver/install/cainstance.py  |   38 +++++++++++++++++++++++---------------
 2 files changed, 26 insertions(+), 17 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 3e5d9a9d4ac906c59b76d72c7208d1858af94645..35b65f66229345255eae233f64d24b0fea3cdf1d 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -482,11 +482,12 @@ def uninstall():
         print "ipa-client-install returned: " + str(e)
 
     ntpinstance.NTPInstance(fstore).uninstall()
-    if not dogtag.install_constants.SHARED_DB:
+    if not dogtag_constants.SHARED_DB:
         cads_instance = cainstance.CADSInstance(
             dogtag_constants=dogtag_constants)
         if cads_instance.is_configured():
             cads_instance.uninstall()
+    cainstance.stop_tracking_certificates(dogtag_constants)
     ca_instance = cainstance.CAInstance(
         api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants)
     if ca_instance.is_configured():
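Review bot: the new `cainstance.stop_tracking_certificates(dogtag_constants)` call in this hunk runs unconditionally, before `ca_instance` is constructed and before the `if ca_instance.is_configured():` check that follows it. On a server installed without a CA this will start messagebus and certmonger and attempt stop-tracking for certificates that were never tracked, filling the uninstall log with "certmonger failed to stop tracking certificate" errors. Consider moving the call inside the `is_configured()` branch, or otherwise guarding it, so certmonger is only started when there is something to untrack.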
@@ -534,7 +535,7 @@ def uninstall():
 
     # Note that this name will be wrong after the first uninstall.
     dirname = dsinstance.config_dirname(dsinstance.realm_to_serverid(api.env.realm))
-    dirs = [dirname, dogtag.configured_constants().ALIAS_DIR, certs.NSS_DIR]
+    dirs = [dirname, dogtag_constants.ALIAS_DIR, certs.NSS_DIR]
     ids = certmonger.check_state(dirs)
     if ids:
         root_logger.error('Some certificates may still be tracked by certmonger.\nThis will cause re-installation to fail.\nStart the certmonger service and list the certificates being tracked\n # getcert list\nThese may be untracked by executing\n # getcert stop-tracking -i <request_id>\nfor each id in: %s' % ', '.join(ids))
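Review bot: replacing `dogtag.configured_constants().ALIAS_DIR` with `dogtag_constants.ALIAS_DIR` is the right fix for this post-uninstall check, since `configured_constants()` reads installation state that the uninstall above has just cleared. A short comment next to `dirs = [...]` saying that `dogtag_constants` must be captured before uninstall begins would keep a later refactor from reintroducing the runtime lookup, given that the neighbouring comment already warns that `dirname` has the same problem.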
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 176a7b10289162026edcb8fe18dd01c16e528e5b..f459a96b0c62b34b7353d32207ceecfe84f94e91 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -436,25 +436,33 @@ class CADSInstance(service.Service):
         # At one time we removed this user on uninstall. That can potentially
         # orphan files, or worse, if another useradd runs in the intermim,
         # cause files to have a new owner.
-        cmonger = ipaservices.knownservices.certmonger
-        ipaservices.knownservices.messagebus.start()
-        cmonger.start()
 
-        for nickname in ['Server-Cert cert-pki-ca',
-                         'auditSigningCert cert-pki-ca',
-                         'ocspSigningCert cert-pki-ca',
-                         'subsystemCert cert-pki-ca']:
-            try:
-                certmonger.stop_tracking(
-                    self.dogtag_constants.ALIAS_DIR, nickname=nickname)
-            except (ipautil.CalledProcessError, RuntimeError), e:
-                root_logger.error("certmonger failed to stop tracking certificate: %s" % str(e))
 
+def stop_tracking_certificates(dogtag_constants):
+    """Stop tracking our certificates. Called on uninstall.
+    """
+    cmonger = ipaservices.knownservices.certmonger
+    ipaservices.knownservices.messagebus.start()
+    cmonger.start()
+
+    for nickname in ['Server-Cert cert-pki-ca',
+                        'auditSigningCert cert-pki-ca',
+                        'ocspSigningCert cert-pki-ca',
+                        'subsystemCert cert-pki-ca']:
         try:
-            certmonger.stop_tracking('/etc/httpd/alias', nickname='ipaCert')
+            certmonger.stop_tracking(
+                dogtag_constants.ALIAS_DIR, nickname=nickname)
         except (ipautil.CalledProcessError, RuntimeError), e:
-            root_logger.error("certmonger failed to stop tracking certificate: %s" % str(e))
-        cmonger.stop()
+            root_logger.error(
+                "certmonger failed to stop tracking certificate: %s" % str(e))
+
+    try:
+        certmonger.stop_tracking('/etc/httpd/alias', nickname='ipaCert')
+    except (ipautil.CalledProcessError, RuntimeError), e:
+        root_logger.error(
+            "certmonger failed to stop tracking certificate: %s" % str(e))
+    cmonger.stop()
+
 
 class CAInstance(service.Service):
     """
-- 
1.7.7.6

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
