Dne 5.9.2014 v 12:05 Petr Viktorin napsal(a):
On 09/03/2014 06:35 PM, Jan Cholasta wrote:
Hi,
the attached patch fixes <https://fedorahosted.org/freeipa/ticket/4166>.
Honza
ACK
Neither patch applies to 4.1, though. Could you send a version for that
as well?
Sure.
--
Jan Cholasta
>From 422d73c10d6a27793724170ae3599fd9838d6f17 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Wed, 3 Sep 2014 15:04:35 +0200
Subject: [PATCH] Backup CS.cfg before modifying it
https://fedorahosted.org/freeipa/ticket/4166
---
install/tools/ipa-upgradeconfig | 1 +
ipaserver/install/cainstance.py | 21 +++++++++++++++++++++
2 files changed, 22 insertions(+)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 90dfa6c..983f6cf 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -1145,6 +1145,7 @@ def main():
sub_dict['SUBJECT_BASE'] = subject_base
ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
+ ca.backup_config()
# migrate CRL publish dir before the location in ipa.conf is updated
ca_restart = migrate_crl_publish_dir(ca)
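Review bot: The added `ca.backup_config()` call runs unconditionally as soon as the CAInstance object is built, before anything visible in this hunk checks whether a CA is actually configured on this host. On a CA-less server CS.cfg would presumably not exist, so every upgrade run would log "Failed to backup CS.cfg" for a file that was never expected to be there. If main() has no earlier guard (the rest of it lies outside the hunk), consider `if ca.is_configured(): ca.backup_config()`.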
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 0ba46f2..2a50ad0 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -455,6 +455,7 @@ class CAInstance(service.Service):
self.step("creating pki-ca instance", self.create_instance)
self.step("configuring certificate server instance", self.__configure_instance)
self.step("stopping certificate server instance to update CS.cfg", self.__stop)
+ self.step("backing up CS.cfg", self.backup_config)
self.step("disabling nonces", self.__disable_nonce)
self.step("set up CRL publishing", self.__enable_crl_publish)
self.step("enable PKIX certificate path discovery and validation", self.enable_pkix)
@@ -818,6 +819,12 @@ class CAInstance(service.Service):
root_logger.debug(traceback.format_exc())
root_logger.critical("Failed to restart the certificate server. See the installation log for details.")
+ def backup_config(self):
+ try:
+ backup_config(self.dogtag_constants)
+ except Exception, e:
+ root_logger.warning("Failed to backup CS.cfg: %s", e)
+
def __disable_nonce(self):
# Turn off Nonces
update_result = installutils.update_file(
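Review bot: The new `CAInstance.backup_config` method has no docstring, and nothing tells the reader that it is deliberately best-effort: any exception is reduced to a warning and the following steps go on to modify CS.cfg without a backup. A one-line docstring would make that explicit, for example `"""Back up CS.cfg; a failure is logged as a warning and does not abort the caller."""`. The method also shares its name with the module-level `backup_config()` it calls, which resolves correctly but reads like recursion. A short comment such as `# calls the module-level backup_config(), not this method` would help. The class body continues outside the hunk.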
@@ -1822,6 +1829,16 @@ def install_replica_ca(config, postinstall=False):
return ca
+def backup_config(dogtag_constants=None):
+ """
+ Create a backup copy of CS.cfg
+ """
+ if dogtag_constants is None:
+ dogtag_constants = dogtag.configured_constants()
+
+ shutil.copy(dogtag_constants.CS_CFG_PATH,
+ dogtag_constants.CS_CFG_PATH + '.ipabkp')
+
def update_cert_config(nickname, cert, dogtag_constants=None):
"""
When renewing a CA subsystem certificate the configuration file
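Review bot: `backup_config()` always writes to the single fixed name `CS.cfg.ipabkp`, so each call overwrites the previous backup, including the case where CS.cfg is already damaged or empty and the existing backup is the only good copy. The callers added in this patch invoke it on every upgrade and on every certificate config update, so a good backup only survives until the next run. Separately, `shutil.copy` creates the destination with the process umask and applies the source mode bits only afterwards, so a newly created backup can briefly be more readable than CS.cfg itself. The sketch below refuses to replace the backup with an empty file and creates the copy under a restrictive umask. It assumes `os` is already imported in this module.

```python
def backup_config(dogtag_constants=None):
    # … unchanged: docstring and dogtag_constants default …
    path = dogtag_constants.CS_CFG_PATH
    # Do not replace an existing backup with an empty (likely damaged) file.
    if os.path.getsize(path) == 0:
        raise RuntimeError("%s is empty, keeping previous backup" % path)
    # Create the copy with owner-only permissions from the start.
    old_umask = os.umask(0o077)
    try:
        shutil.copy(path, path + '.ipabkp')
    finally:
        os.umask(old_umask)
```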
@@ -1843,6 +1860,10 @@ def update_cert_config(nickname, cert, dogtag_constants=None):
with stopped_service(dogtag_constants.SERVICE_NAME,
instance_name=dogtag_constants.PKI_INSTANCE_NAME):
+ try:
+ backup_config(dogtag_constants)
+ except Exception, e:
+ syslog.syslog(syslog.LOG_ERR, "Failed to backup CS.cfg: %s" % e)
installutils.set_directive(dogtag.configured_constants().CS_CFG_PATH,
directives[nickname],
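Review bot: The backup added here copies `dogtag_constants.CS_CFG_PATH`, but the `set_directive` call right after it writes to `dogtag.configured_constants().CS_CFG_PATH`. If a caller passes a non-default `dogtag_constants`, the file backed up and the file modified may differ. Using the same object in both places would remove the ambiguity: `installutils.set_directive(dogtag_constants.CS_CFG_PATH,`. As in `CAInstance.backup_config`, a failed backup is only logged and the write still proceeds, which deserves a comment if it is intentional. The function body starts and ends outside this hunk, so any earlier normalisation of `dogtag_constants` is not visible here.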
--
1.9.3