On 10/12/14 19:21, Jan Cholasta wrote:
On 10.12.2014 at 18:01, Jan Cholasta wrote:
On 1.12.2014 at 16:48, Martin Basti wrote:
On 01/12/14 08:46, Jan Cholasta wrote:
Hi,

On 27.11.2014 at 14:24, Martin Basti wrote:
Ticket: https://fedorahosted.org/freeipa/ticket/4676
Replaces current workaround. Should go to 4.1.3.
Patch attached.

When constructing URLs with host:port, please use
ipautil.format_netloc().

wget should be added as a dependency of freeipa-python in the spec file.

Honza

Updated patch attached.


Thanks, ACK.

Pushed to:
master: 337faf506462a01c6dbcd00f2039ed5627691864
ipa-4-1: 5052af773f652bc19e91fe49e15351e5c5c7d976


It turns out I messed up the review (sorry). This fixes the upgrade, but it also breaks ipa-server-install:

2014-12-10T06:06:44Z DEBUG   [8/27]: starting certificate server instance
2014-12-10T06:06:44Z DEBUG Starting external process
2014-12-10T06:06:44Z DEBUG args='/bin/systemctl' 'start' 'pki-tomcatd.target'
2014-12-10T06:06:45Z DEBUG Process finished, return code=0
2014-12-10T06:06:45Z DEBUG stdout=
2014-12-10T06:06:45Z DEBUG stderr=
2014-12-10T06:06:45Z DEBUG Starting external process
2014-12-10T06:06:45Z DEBUG args='/bin/systemctl' 'is-active' 'pki-tomcatd.target'
2014-12-10T06:06:45Z DEBUG Process finished, return code=0
2014-12-10T06:06:45Z DEBUG stdout=active

2014-12-10T06:06:45Z DEBUG stderr=
2014-12-10T06:06:45Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
2014-12-10T06:06:49Z DEBUG The httpd proxy is not installed, wait on local port
2014-12-10T06:06:49Z DEBUG Waiting until the CA is running
2014-12-10T06:06:49Z DEBUG Starting external process
2014-12-10T06:06:49Z DEBUG args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' 'https://vm-088.idm.lab.bos.redhat.com:8443/ca/admin/ca/getStatus'
2014-12-10T06:07:09Z DEBUG Process finished, return code=5
2014-12-10T06:07:09Z DEBUG stdout=
2014-12-10T06:07:09Z DEBUG stderr=--2014-12-10 01:06:49-- https://vm-088.idm.lab.bos.redhat.com:8443/ca/admin/ca/getStatus
Resolving vm-088.idm.lab.bos.redhat.com (vm-088.idm.lab.bos.redhat.com)... 10.16.78.88
Connecting to vm-088.idm.lab.bos.redhat.com (vm-088.idm.lab.bos.redhat.com)|10.16.78.88|:8443... connected.
ERROR: cannot verify vm-088.idm.lab.bos.redhat.com's certificate, issued by ‘/O=IDM.LAB.BOS.REDHAT.COM/CN=Certificate Authority’:
  Self-signed certificate encountered.
To connect to vm-088.idm.lab.bos.redhat.com insecurely, use `--no-check-certificate'.

2014-12-10T06:07:09Z DEBUG The CA status is: check interrupted


I have reopened the ticket.

Patch with '--no-check-certificate' option attached. Before the workaround there was no certificate check, so it should not be a problem if we ignore the certificate.
Martin^2

--
Martin Basti

From 94ebe22c56bb311072e207e6380a5638bf422c82 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Thu, 11 Dec 2014 09:38:46 +0100
Subject: [PATCH] Fix don't check certificate during getting CA status

Due to the workaround we accidentally started to check the certificate, which
causes problems during installation.

Ticket: https://fedorahosted.org/freeipa/ticket/4676
---
 ipaplatform/redhat/services.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py
index 20d0adec421ecd3285464e2a51b9d5c61a0e3d92..8759cab76c7d72a3abbf935e7f15f7a32a0b6987 100644
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
@@ -204,6 +204,7 @@ class RedHatCAService(RedHatService):
                     paths.BIN_WGET,
                     '-S', '-O', '-',
                     '--timeout=30',
+                    '--no-check-certificate',
                     url
                 ]
 
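Review bot: the '--no-check-certificate' entry added just before `url` is unconditional, so every run of this CA status check now skips TLS verification, not only the ipa-server-install case from the log where the CA certificate is rejected as self-signed, and the code carries no comment saying why. Consider passing wget's `--ca-certificate=<file>` with the IPA CA certificate whenever that file already exists and falling back to '--no-check-certificate' only when it does not, and add a short comment next to the option that points to ticket 4676. Since the response is fetched without authenticating the server, callers should treat the returned status only as a readiness hint.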
-- 
1.8.3.1
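
A triage helper for install logs like the one quoted in this thread, added here as an example and not part of the original messages or the FreeIPA code: it pairs each logged command with its return code and decodes wget's exit status, where 5 means SSL verification failure. The sample log is constructed with a placeholder host name, and the function names are hypothetical.

```python
import re

# wget exit statuses as documented in the EXIT STATUS section of the wget manual.
WGET_EXIT = {
    0: "no problems", 1: "generic error", 2: "parse error",
    3: "file I/O error", 4: "network failure",
    5: "SSL verification failure", 6: "authentication failure",
    7: "protocol error", 8: "server issued an error response",
}

ARGS_RE = re.compile(r"DEBUG args=(.+)$")
RC_RE = re.compile(r"DEBUG Process finished, return code=(\d+)")

# Constructed sample in the format of the log quoted in this thread;
# the host name is a placeholder.
SAMPLE_LOG = """\
2014-12-10T06:06:45Z DEBUG args='/bin/systemctl' 'is-active' 'pki-tomcatd.target'
2014-12-10T06:06:45Z DEBUG Process finished, return code=0
2014-12-10T06:06:49Z DEBUG args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' 'https://ipa.example.test:8443/ca/admin/ca/getStatus'
2014-12-10T06:07:09Z DEBUG Process finished, return code=5
"""

def failed_wget_calls(log_text):
    """Pair each 'args=' line with the next 'return code=' line and
    return (argv, code, meaning) for every wget run that exited non-zero."""
    findings, pending = [], None
    for line in log_text.splitlines():
        m = ARGS_RE.search(line)
        if m:
            pending = re.findall(r"'([^']*)'", m.group(1))
            continue
        m = RC_RE.search(line)
        if m and pending is not None:
            code = int(m.group(1))
            if pending and pending[0].endswith("/wget") and code != 0:
                findings.append((pending, code, WGET_EXIT.get(code, "unknown")))
            pending = None
    return findings

def verification_disabled(argv):
    """True when a wget command line turns TLS certificate checking off."""
    return "--no-check-certificate" in argv

if __name__ == "__main__":
    for argv, code, meaning in failed_wget_calls(SAMPLE_LOG):
        print(f"wget rc={code} ({meaning}); "
              f"verification disabled: {verification_disabled(argv)}")
        print("  url:", argv[-1])
```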
