Hi, the attached patch fixes <https://fedorahosted.org/freeipa/ticket/4294>.
Honza -- Jan Cholasta
>From b0e3b7c855b517ef75abd3d9eac4d5db63ef4767 Mon Sep 17 00:00:00 2001 From: Jan Cholasta <jchol...@redhat.com> Date: Wed, 2 Apr 2014 10:28:00 +0200 Subject: [PATCH] Fix update_ca_renewal_master plugin on CA-less installs. This also fixes updates from ancient versions of IPA which did not have automatic CA subsystem certificate renewal. https://fedorahosted.org/freeipa/ticket/4294 --- ipaserver/install/plugins/ca_renewal_master.py | 79 +++++++++++++++++--------- 1 file changed, 53 insertions(+), 26 deletions(-) diff --git a/ipaserver/install/plugins/ca_renewal_master.py b/ipaserver/install/plugins/ca_renewal_master.py index 2481fa7..b2a7ba7 100644 --- a/ipaserver/install/plugins/ca_renewal_master.py +++ b/ipaserver/install/plugins/ca_renewal_master.py @@ -18,9 +18,10 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. from ipaserver.install.plugins.baseupdate import PostUpdate +from ipaserver.install import installutils, certs, cainstance from ipalib import errors from ipalib.plugable import Registry -from ipapython import certmonger +from ipapython import certmonger, dogtag from ipapython.dn import DN register = Registry() @@ -32,6 +33,11 @@ class update_ca_renewal_master(PostUpdate): """ def execute(self, **options): + ca = cainstance.CAInstance(self.api.env.realm, certs.NSS_DIR) + if not ca.is_configured(): + self.debug("CA is not configured on this host") + return (False, False, []) + ldap = self.obj.backend base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), self.api.env.basedn) @@ -50,30 +56,51 @@ class update_ca_renewal_master(PostUpdate): ('cert_nickname', 'ipaCert', None), ) request_id = certmonger.get_request_id(criteria) - if request_id is None: - self.error("certmonger request for ipaCert not found") - return (False, False, []) - ca_name = certmonger.get_request_value(request_id, 'ca_name') - if ca_name is None: - self.error("certmonger request for ipaCert is missing ca_name") - return (False, False, []) - ca_name = ca_name.strip() + if request_id is not None: + self.debug("found certmonger request for ipaCert") - if ca_name == 'dogtag-ipa-renew-agent': - dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn) - update = { - dn: { - 'dn': dn, - 'updates': ['add:ipaConfigString: caRenewalMaster'], - }, - } - return (False, True, [update]) - elif ca_name == 'dogtag-ipa-retrieve-agent-submit': - return (False, False, []) - elif ca_name == 'dogtag-ipa-ca-renew-agent': - return (False, False, []) + ca_name = certmonger.get_request_value(request_id, 'ca_name') + if ca_name is None: + self.warning( + "certmonger request for ipaCert is missing ca_name, " + "assuming local CA is renewal slave") + return (False, False, []) + ca_name = ca_name.strip() + + if ca_name == 'dogtag-ipa-renew-agent': + pass + elif ca_name == 'dogtag-ipa-retrieve-agent-submit': + return (False, False, []) + elif ca_name == 'dogtag-ipa-ca-renew-agent': + return (False, False, []) + else: + self.warning( + "certmonger request for ipaCert has unknown ca_name '%s', " + "assuming local CA is renewal slave", ca_name) + return (False, False, []) else: - self.warning( - "certmonger request for ipaCert has unknown ca_name \"%s\", " - "assuming local CA is renewal slave", ca_name) - return (False, False, []) + self.debug("certmonger request for ipaCert not found") + + config = installutils.get_directive( + dogtag.configured_constants().CS_CFG_PATH, + 'subsystem.select', '=') + + if config == 'New': + pass + elif config == 'Clone': + return (False, False, []) + else: + self.warning( + "CS.cfg has unknown subsystem.select value '%s', " + "assuming local CA is renewal slave", config) + return (False, False, []) + + dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn) + update = { + dn: { + 'dn': dn, + 'updates': ['add:ipaConfigString: caRenewalMaster'], + }, + } + + return (False, True, [update]) -- 1.8.5.3
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
