Patch attached.

Dne 2.9.2014 v 09:03 Jan Cholasta napsal(a):
Also, Dogtag certificate renewal does not work with internaldb removed;
I'm working on a patch to fix that.

Dne 1.9.2014 v 18:19 Petr Viktorin napsal(a):
On 11/06/2013 01:41 PM, Ana Krivokapic wrote:
On 11/06/2013 01:34 PM, Ana Krivokapic wrote:
Hello,

This patch addresses
ticket https://fedorahosted.org/freeipa/ticket/4005.

I tried installing a replica with this patch applied to the 4.1 branch,
but ipa-ca-install fails with:

2014-09-01T16:12:58Z DEBUG stderr=pkispawn    : ERROR    .......
Exception from Java Configuration Servlet: Failed to obtain
configuration entries from the master for cloning
org.xml.sax.SAXParseException; Premature end of file.

The pkispawn log ends with:

2014-09-01 18:12:35 pkispawn    : INFO     ... configuring
'pki.server.deployment.scriptlets.configuration'
2014-09-01 18:12:35 pkispawn    : INFO     ....... mkdir -p
/root/.dogtag/pki-tomcat/ca
2014-09-01 18:12:35 pkispawn    : DEBUG    ........... chmod 755
/root/.dogtag/pki-tomcat/ca
2014-09-01 18:12:35 pkispawn    : DEBUG    ........... chown 0:0
/root/.dogtag/pki-tomcat/ca
2014-09-01 18:12:35 pkispawn    : INFO     ....... generating
'/root/.dogtag/pki-tomcat/ca/password.conf'
2014-09-01 18:12:35 pkispawn    : INFO     ....... modifying
'/root/.dogtag/pki-tomcat/ca/password.conf'
2014-09-01 18:12:35 pkispawn    : DEBUG    ........... chmod 660
/root/.dogtag/pki-tomcat/ca/password.conf
2014-09-01 18:12:35 pkispawn    : DEBUG    ........... chown 0:0
/root/.dogtag/pki-tomcat/ca/password.conf
2014-09-01 18:12:35 pkispawn    : INFO     ....... generating
'/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
2014-09-01 18:12:35 pkispawn    : INFO     ....... modifying
'/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
2014-09-01 18:12:35 pkispawn    : DEBUG    ........... chmod 660
/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
2014-09-01 18:12:35 pkispawn    : DEBUG    ........... chown 498:498
/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
2014-09-01 18:12:35 pkispawn    : INFO     ....... executing 'certutil
-N -d /tmp/tmp-yRUhk2 -f /root/.dogtag/pki-tomcat/ca/password.conf'
2014-09-01 18:12:35 pkispawn    : INFO     ....... executing 'systemctl
daemon-reload'
2014-09-01 18:12:35 pkispawn    : INFO     ....... executing 'systemctl
start pki-tomcatd@pki-tomcat.service'
2014-09-01 18:12:35 pkispawn    : DEBUG    ........... No connection -
server may still be down
2014-09-01 18:12:35 pkispawn    : DEBUG    ........... No connection -
exception thrown:
HTTPSConnectionPool(host='vm-234.idm.lab.eng.brq.redhat.com',
port=8443): Max retries exceeded with url: /ca/admin/ca/getStatus
(Caused by <class 'socket.error'>: [Errno 111] Connection refused)
2014-09-01 18:12:36 pkispawn    : DEBUG    ........... No connection -
server may still be down
2014-09-01 18:12:36 pkispawn    : DEBUG    ........... No connection -
exception thrown:
HTTPSConnectionPool(host='vm-234.idm.lab.eng.brq.redhat.com',
port=8443): Max retries exceeded with url: /ca/admin/ca/getStatus
(Caused by <class 'socket.error'>: [Errno 111] Connection refused)
2014-09-01 18:12:37 pkispawn    : DEBUG    ........... No connection -
server may still be down
2014-09-01 18:12:37 pkispawn    : DEBUG    ........... No connection -
exception thrown:
HTTPSConnectionPool(host='vm-234.idm.lab.eng.brq.redhat.com',
port=8443): Max retries exceeded with url: /ca/admin/ca/getStatus
(Caused by <class 'socket.error'>: [Errno 111] Connection refused)
2014-09-01 18:12:38 pkispawn    : DEBUG    ........... No connection -
server may still be down
2014-09-01 18:12:38 pkispawn    : DEBUG    ........... No connection -
exception thrown:
HTTPSConnectionPool(host='vm-234.idm.lab.eng.brq.redhat.com',
port=8443): Max retries exceeded with url: /ca/admin/ca/getStatus
(Caused by <class 'socket.error'>: [Errno 111] Connection refused)
2014-09-01 18:12:51 pkispawn    : DEBUG    ........... <?xml
version="1.0" encoding="UTF-8"
standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.1.1-1.fc20</Version></XMLResponse>


2014-09-01 18:12:52 pkispawn    : INFO     ....... constructing PKI
configuration data.
2014-09-01 18:12:52 pkispawn    : INFO     ....... configuring PKI
configuration data.
2014-09-01 18:12:58 pkispawn    : ERROR    ....... Exception from Java
Configuration Servlet: Failed to obtain configuration entries from the
master for cloning org.xml.sax.SAXParseException; Premature end of file.
2014-09-01 18:12:58 pkispawn    : DEBUG    ....... Error Type: HTTPError
2014-09-01 18:12:58 pkispawn    : DEBUG    ....... Error Message: 500
Server Error: Internal Server Error
2014-09-01 18:12:58 pkispawn    : DEBUG    .......   File
"/usr/sbin/pkispawn", line 463, in main
     rv = instance.spawn(deployer)
   File
"/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py",
line 126, in spawn
     json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
   File
"/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py",
line 3194, in configure_pki_data
     response = client.configure(data)
   File "/usr/lib/python2.7/site-packages/pki/system.py", line 80, in
configure
     r = self.connection.post('/rest/installer/configure', data, headers)
   File "/usr/lib/python2.7/site-packages/pki/client.py", line 64, in
post
     r.raise_for_status()
   File "/usr/lib/python2.7/site-packages/requests/models.py", line 683,
in raise_for_status
     raise HTTPError(http_error_msg, response=self)


Ade, do you have any idea what might be going wrong?

--
Jan Cholasta
From 2401ba0c6a5175206a2c09ae8491ac9ea6fb2b91 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Tue, 2 Sep 2014 11:28:16 +0200
Subject: [PATCH] Use autobind when updating CA people entries during
 certificate renewal

Requires fix for <https://bugzilla.redhat.com/show_bug.cgi?id=1122110>, bump
selinux-policy in the spec file.

https://fedorahosted.org/freeipa/ticket/4005
---
 freeipa.spec.in                 |  2 +-
 ipaserver/install/cainstance.py | 14 +++-----------
 2 files changed, 4 insertions(+), 12 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 7c354cd..4b57d28 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -108,7 +108,7 @@ Requires: dbus-python
 Requires: systemd-units >= 38
 Requires(pre): systemd-units
 Requires(post): systemd-units
-Requires: selinux-policy >= 3.12.1-176
+Requires: selinux-policy >= 3.12.1-179
 Requires(post): selinux-policy-base
 Requires: slapi-nis >= 0.47.7
 Requires: pki-ca >= 10.1.1
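Review bot: the bump to `Requires: selinux-policy >= 3.12.1-179` is the only thing in this hunk that encodes the dependency on the bugzilla 1122110 fix named in the commit message, so please state in the commit message (or a spec changelog line) that -179 is the first build carrying that fix; a reader of the spec alone cannot tell why -176 is no longer sufficient, and a renewal that silently falls back to ten failed autobind attempts on an older policy is hard to diagnose from the spec.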
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 3d0895a..b0e6bc5 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1802,23 +1802,15 @@ def update_people_entry(dercert):
     issuer = x509.get_issuer(dercert, datatype=x509.DER)
 
     attempts = 0
-    configured_constants = dogtag.configured_constants(api)
-    dogtag_uri = 'ldap://localhost:%d' % configured_constants.DS_PORT
+    server_id = dsinstance.realm_to_serverid(api.env.realm)
+    dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
     updated = False
 
-    try:
-        dm_password = certmonger.get_pin('internaldb')
-    except IOError, e:
-        syslog.syslog(
-            syslog.LOG_ERR, 'Unable to determine PIN for CA instance: %s' % e)
-        return False
-
     while attempts < 10:
         conn = None
         try:
             conn = ldap2.ldap2(shared_instance=False, ldap_uri=dogtag_uri)
-            conn.connect(
-                bind_dn=DN(('cn', 'directory manager')), bind_pw=dm_password)
+            conn.connect(autobind=True)
 
             filter = conn.make_filter(
                 {'description': ';%s;%s' % (issuer, subject)},
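Review bot: the new line `server_id = dsinstance.realm_to_serverid(api.env.realm)` relies on `dsinstance` being importable in cainstance.py, and this hunk adds no import; confirm it is already imported there, because a NameError at this point would only surface at renewal time inside the certmonger helper rather than at install. Two follow-ups in the same hunk: with the `certmonger.get_pin('internaldb')` block gone, the `certmonger`, `syslog` and `DN` names and `dogtag.configured_constants` may now be unused in this function, so drop the imports if nothing else in the module needs them; and since `conn.connect(autobind=True)` now depends on the helper running as root over LDAPI with the selinux-policy fix in place, a failure there is retried ten times with no diagnostic, where the old code logged the PIN failure to syslog. Consider logging the connect exception in the loop's except branch (not visible in this hunk) so a missing policy update is visible in the log. Minor: `dogtag_uri` now points at the IPA DS socket rather than the CA's own instance, so a name such as `ldap_uri` would read more accurately.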
-- 
1.9.3

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
