On 10/12/14 19:21, Jan Cholasta wrote:
Dne 10.12.2014 v 18:01 Jan Cholasta napsal(a):
Dne 1.12.2014 v 16:48 Martin Basti napsal(a):
On 01/12/14 08:46, Jan Cholasta wrote:

Dne 27.11.2014 v 14:24 Martin Basti napsal(a):
Ticket: https://fedorahosted.org/freeipa/ticket/4676
Replaces current workaround. Should go to 4.1.3.
Patch attached.

When constructing URLs with host:port, please use

wget should be added as a dependency of freeipa-python in the spec file.


Updated patch attached.

Thanks, ACK.

Pushed to:
master: 337faf506462a01c6dbcd00f2039ed5627691864
ipa-4-1: 5052af773f652bc19e91fe49e15351e5c5c7d976

It turns out I messed up the review (sorry). This fixes the upgrade, but it also breaks ipa-server-install:

2014-12-10T06:06:44Z DEBUG   [8/27]: starting certificate server instance
2014-12-10T06:06:44Z DEBUG Starting external process
2014-12-10T06:06:44Z DEBUG args='/bin/systemctl' 'start' 'pki-tomcatd.target'
2014-12-10T06:06:45Z DEBUG Process finished, return code=0
2014-12-10T06:06:45Z DEBUG stdout=
2014-12-10T06:06:45Z DEBUG stderr=
2014-12-10T06:06:45Z DEBUG Starting external process
2014-12-10T06:06:45Z DEBUG args='/bin/systemctl' 'is-active' 'pki-tomcatd.target'
2014-12-10T06:06:45Z DEBUG Process finished, return code=0
2014-12-10T06:06:45Z DEBUG stdout=active

2014-12-10T06:06:45Z DEBUG stderr=
2014-12-10T06:06:45Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300 2014-12-10T06:06:49Z DEBUG The httpd proxy is not installed, wait on local port
2014-12-10T06:06:49Z DEBUG Waiting until the CA is running
2014-12-10T06:06:49Z DEBUG Starting external process
2014-12-10T06:06:49Z DEBUG args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' 'https://vm-088.idm.lab.bos.redhat.com:8443/ca/admin/ca/getStatus'
2014-12-10T06:07:09Z DEBUG Process finished, return code=5
2014-12-10T06:07:09Z DEBUG stdout=
2014-12-10T06:07:09Z DEBUG stderr=--2014-12-10 01:06:49-- https://vm-088.idm.lab.bos.redhat.com:8443/ca/admin/ca/getStatus Resolving vm-088.idm.lab.bos.redhat.com (vm-088.idm.lab.bos.redhat.com)... Connecting to vm-088.idm.lab.bos.redhat.com (vm-088.idm.lab.bos.redhat.com)||:8443... connected. ERROR: cannot verify vm-088.idm.lab.bos.redhat.com's certificate, issued by ‘/O=IDM.LAB.BOS.REDHAT.COM/CN=Certificate Authority’:
  Self-signed certificate encountered.
To connect to vm-088.idm.lab.bos.redhat.com insecurely, use `--no-check-certificate'.

2014-12-10T06:07:09Z DEBUG The CA status is: check interrupted

I have reopened the ticket.

Patch with '--no-check-certificate' option attached. Before workaround there was no certificate check, so it should not be problem if we ignore the certificate.

Martin Basti

From 94ebe22c56bb311072e207e6380a5638bf422c82 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Thu, 11 Dec 2014 09:38:46 +0100
Subject: [PATCH] Fix don't check certificate during getting CA status

Due workaroud we accidentaly started to check certificate, which causes
problems during installation.

Ticket: https://fedorahosted.org/freeipa/ticket/4676
 ipaplatform/redhat/services.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py
index 20d0adec421ecd3285464e2a51b9d5c61a0e3d92..8759cab76c7d72a3abbf935e7f15f7a32a0b6987 100644
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
@@ -204,6 +204,7 @@ class RedHatCAService(RedHatService):
                     '-S', '-O', '-',
+                    '--no-check-certificate',

Freeipa-devel mailing list

Reply via email to