Dne 8.6.2015 v 12:09 Jan Cholasta napsal(a):
Dne 8.6.2015 v 08:25 Jan Cholasta napsal(a):
Dne 5.6.2015 v 14:16 David Kupka napsal(a):
On 06/03/2015 05:49 PM, David Kupka wrote:


Updated patch attached.


ACK. The patch needed a rebase and there was a bug in
ipa-replica-install, I took care of both, see attachment.

Pushed to master: 2acedb2d5d4a4c0987c670e14eb04b8bd9ffc034

There was also an unrelated problem in replicainstall.py which I also
fixed, see the other attachment.

Pushed to master under the one-liner rule:
e01095dfb33aaef0ab1babf86a71d70410b666ed

There are some more bugs in CA-less and external CA install, see the
attached patches for fixes.

Fixed an additional issue in patch 437, see attachment.

--
Jan Cholasta
>From bdcda90e2c0a202c94dff37a25bad3f6c97a16ee Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Mon, 8 Jun 2015 08:32:27 +0000
Subject: [PATCH 1/2] install: Fix CA-less server install

https://fedorahosted.org/freeipa/ticket/4468
---
 ipaserver/install/server/install.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 5be10f5..6f47723 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -313,6 +313,9 @@ def common_cleanup(func):
 
 @common_cleanup
 def install_check(options):
+    global dirsrv_pkcs12_file
+    global http_pkcs12_file
+    global pkinit_pkcs12_file
     global dirsrv_pkcs12_info
     global http_pkcs12_info
     global pkinit_pkcs12_info
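Review bot: The three new `global` declarations in install_check() carry no explanation of why `dirsrv_pkcs12_file`, `http_pkcs12_file` and `pkinit_pkcs12_file` must be module-level, and the same applies to the identical addition in install() in the next hunk. If, as the names suggest, they hold the PKCS#12 file objects that install_check() prepares and install() later consumes, a comment such as `# module-level so the PKCS#12 files prepared in install_check() are still available in install()` above the declarations would keep a later cleanup from dropping them again. Since these files presumably contain private keys, it is also worth confirming that every exit path releases them; the cleanup is not visible here. Both function bodies continue outside the hunks.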
@@ -637,6 +640,9 @@ def install_check(options):
 
 @common_cleanup
 def install(options):
+    global dirsrv_pkcs12_file
+    global http_pkcs12_file
+    global pkinit_pkcs12_file
     global dirsrv_pkcs12_info
     global http_pkcs12_info
     global pkinit_pkcs12_info
-- 
2.1.0

>From 9afc3ed81670025c83aae874d2d9cc2c98f54d96 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Mon, 8 Jun 2015 08:32:58 +0000
Subject: [PATCH 2/2] install: Fix external CA server install

https://fedorahosted.org/freeipa/ticket/4468
---
 ipaserver/install/ca.py             | 32 +++++++++++++++-----------------
 ipaserver/install/server/install.py |  7 ++++---
 2 files changed, 19 insertions(+), 20 deletions(-)

diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index 8a8214c..1ef8b2c 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -25,9 +25,6 @@ def install_check(standalone, replica_config, options):
     host_name = options.host_name
     subject_base = options.subject
 
-    if replica_config is None and options.external_cert_files:
-        return
-
     if replica_config is not None:
         if standalone and api.env.ra_plugin == 'selfsign':
             sys.exit('A selfsign CA can not be added')
@@ -51,17 +48,7 @@ def install_check(standalone, replica_config, options):
     if standalone and api.Command.ca_is_enabled()['result']:
         sys.exit("CA is already installed.\n")
 
-    if options.external_ca:
-        if cainstance.is_step_one_done():
-            print("CA is already installed.\nRun the installer with "
-                  "--external-cert-file.")
-            sys.exit(1)
-        if ipautil.file_exists(paths.ROOT_IPA_CSR):
-            print("CA CSR file %s already exists.\nIn order to continue "
-                  "remove the file and run the installer again." %
-                  paths.ROOT_IPA_CSR)
-            sys.exit(1)
-    elif options.external_cert_files:
+    if options.external_cert_files:
         if not cainstance.is_step_one_done():
             # This can happen if someone passes external_ca_file without
             # already having done the first stage of the CA install.
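Review bot: `options.external_cert_files` now silently takes precedence over `options.external_ca` here, and the same rule is restated in the `elif options.external_ca:` branch of the next hunk and in `if not options.external_cert_files and options.external_ca:` in install() in server/install.py, without a comment saying why. Presumably `external_ca` can still be set when the second stage runs; if so, a comment like `# stage 2: external_cert_files wins even if external_ca is still set from stage 1` at this branch would document the ordering. With three copies of the rule, a small helper naming the stage would keep them from drifting apart. The body of install_check() continues outside the hunk.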
@@ -72,10 +59,21 @@ def install_check(standalone, replica_config, options):
 
         external_cert_file, external_ca_file = installutils.load_external_cert(
             options.external_cert_files, options.subject)
+    elif options.external_ca:
+        if cainstance.is_step_one_done():
+            print("CA is already installed.\nRun the installer with "
+                  "--external-cert-file.")
+            sys.exit(1)
+        if ipautil.file_exists(paths.ROOT_IPA_CSR):
+            print("CA CSR file %s already exists.\nIn order to continue "
+                  "remove the file and run the installer again." %
+                  paths.ROOT_IPA_CSR)
+            sys.exit(1)
 
-    if not cainstance.check_port():
-        print ("IPA requires port 8443 for PKI but it is currently in use.")
-        sys.exit("Aborting installation")
+    if not options.external_cert_files:
+        if not cainstance.check_port():
+            print("IPA requires port 8443 for PKI but it is currently in use.")
+            sys.exit("Aborting installation")
 
     if standalone:
         dirname = dsinstance.config_dirname(
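Review bot: The new `if not options.external_cert_files:` guard skips the port 8443 check without saying why, so a reader cannot tell a deliberate exemption from an accidentally dropped pre-flight check. If the reason is that the CA instance created in the first stage may already be bound to that port, say so, e.g. `# stage 2 of external CA install: port 8443 may already be held by the CA set up in stage 1`. The two nested conditions could also be one line, `if not options.external_cert_files and not cainstance.check_port():`. The hunk ends in the middle of the `if standalone:` block, which continues outside it.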
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 6f47723..faa9612 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -422,8 +422,6 @@ def install_check(options):
         # Make sure the 389-ds ports are available
         check_dirsrv(options.unattended)
 
-    ca.install_check(False, None, options)
-
     if options.conf_ntp:
         try:
             ipaclient.ntpconf.check_timedate_services()
@@ -578,6 +576,9 @@ def install_check(options):
     else:
         admin_password = options.admin_password
 
+    if setup_ca:
+        ca.install_check(False, None, options)
+
     if setup_kra:
         try:
             kra.install_check(None, options, False,
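Review bot: Moving `ca.install_check(False, None, options)` from just after the directory-server port check to this point means its `sys.exit()` conditions (CA already installed, existing CSR file, port 8443 in use, as seen in ca.py) are now reported only after everything in between has run, which appears to include password handling. If the call has to wait until `setup_ca` is known, a short comment saying so would help, e.g. `# needs setup_ca, which is only determined above`. Otherwise consider running the cheap pre-flight checks before the user is asked for input. install_check() continues outside the hunk.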
@@ -760,7 +761,7 @@ def install(options):
             options.subject, 1101, 1100, None)
 
     if setup_ca:
-        if options.external_ca:
+        if not options.external_cert_files and options.external_ca:
             # stage 1 of external CA installation
             options.realm_name = realm_name
             options.domain_name = domain_name
-- 
2.1.0
