Check if cafile exists first, before using it.

Patch attached.

--
Martin Basti

From 155b8d6ebe452ddd69cf94a2fb38d5420a9a3c11 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Tue, 30 Jun 2015 12:16:56 +0200
Subject: [PATCH] Sanitize CA replica install

Check if cafile exists first.

https://fedorahosted.org/freeipa/ticket/4468
---
 ipaserver/install/server/replicainstall.py | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 4fe7e1f78388901b3cc4e9dc0c2046a193dcfa94..734450d8dd907b065921502f09ed10040b53399e 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -391,6 +391,9 @@ def install_check(installer):
     installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
 
     cafile = config.dir + "/ca.crt"
+    if not ipautil.file_exists(cafile):
+        raise RuntimeError("CA cert file is not available. Please run "
+                           "ipa-replica-prepare to create a new replica file.")
 
     ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
     remote_api = create_api(mode=None)
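Review bot: The new pre-flight check at the top of this hunk validates only `ca.crt`, but the `install()` hunk further down now runs `CA.import_ra_cert(config.dir + "/ra.p12")` unconditionally, so the only precondition guarding that import is still that `ca.crt` exists; a replica file that lacks `ra.p12` is not caught here and would fail mid-install instead of in install_check. A parallel check beside this one keeps that failure in the pre-flight phase: `if not ipautil.file_exists(config.dir + "/ra.p12"): raise RuntimeError("RA cert file is not available. Please run ipa-replica-prepare to create a new replica file.")`. Including the path in the existing message, e.g. `"CA cert file %s is not available. Please run ipa-replica-prepare to create a new replica file." % cafile`, would also make the error easier to act on. install_check continues outside the hunk.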
@@ -516,10 +519,6 @@ def install_check(installer):
             config.master_host_name, config.host_name, config.realm_name,
             options.setup_ca, config.ca_ds_port, options.admin_password)
 
-    if not ipautil.file_exists(cafile):
-        raise RuntimeError("CA cert file is not available. Please run "
-                           "ipa-replica-prepare to create a new replica file.")
-
     installer._remote_api = remote_api
     installer._fstore = fstore
     installer._sstore = sstore
@@ -580,15 +579,14 @@ def install(installer):
     otpd.create_instance('OTPD', config.host_name, config.dirman_password,
                          ipautil.realm_to_suffix(config.realm_name))
 
-    if ipautil.file_exists(cafile):
-        CA = cainstance.CAInstance(
-            config.realm_name, certs.NSS_DIR,
-            dogtag_constants=dogtag_constants)
-        CA.dm_password = config.dirman_password
+    CA = cainstance.CAInstance(
+        config.realm_name, certs.NSS_DIR,
+        dogtag_constants=dogtag_constants)
+    CA.dm_password = config.dirman_password
 
-        CA.configure_certmonger_renewal()
-        CA.import_ra_cert(config.dir + "/ra.p12")
-        CA.fix_ra_perms()
+    CA.configure_certmonger_renewal()
+    CA.import_ra_cert(config.dir + "/ra.p12")
+    CA.fix_ra_perms()
 
     # The DS instance is created before the keytab, add the SSL cert we
     # generated
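Review bot: With the `if ipautil.file_exists(cafile):` guard removed, `cafile` is no longer referenced anywhere in this hunk; if install() assigned it only for that guard (its definition is outside the hunk), that assignment is now dead and should be dropped. The unconditional CAInstance setup now depends on install_check() having already rejected a missing ca.crt, which deserves a one-line comment above the construction, e.g. `# ca.crt presence is verified in install_check(); install() is not reached without it`. install() starts and ends outside the hunk.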
-- 
2.4.3
