The attached patch 0043 fixes #5269[1]: nondeterministic failure of
certificate profile creation during ipa-server-install.

[1] https://fedorahosted.org/freeipa/ticket/5269

The other patch 0042 is drive-by improvements of IPA install/upgrade
logging that I did while diagnosing the issue.

Thanks,
Fraser
From c6991e5095f7a8f7c13d1dd943a26b0b06365f6a Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Fri, 20 Nov 2015 15:39:00 +1100
Subject: [PATCH 42/43] TLS and Dogtag HTTPS request logging improvements

Pretty printing the TLS peer certificate to logs on every request
introduces a lot of noise; do not log it (subject name, key usage
and validity are still logged).

Fix and tidy up some HTTP logging messages for Dogtag requests.

Part of: https://fedorahosted.org/freeipa/ticket/5269
---
 ipapython/dogtag.py | 9 ++++-----
 ipapython/nsslib.py | 3 ---
 2 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 
3f0d08154d21a3072e344c311c3e70e414d9dee4..26b2de6ca77202fa9ccc61ee16ed7623e10ecb5f
 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -314,7 +314,7 @@ def _httplib_request(
     if isinstance(host, unicode):
         host = host.encode('utf-8')
     uri = '%s://%s%s' % (protocol, ipautil.format_netloc(host, port), path)
-    root_logger.debug('request %r', uri)
+    root_logger.debug('request %s %s', method, uri)
     root_logger.debug('request body %r', request_body)
 
     headers = headers or {}
@@ -337,9 +337,8 @@ def _httplib_request(
     except Exception, e:
         raise NetworkError(uri=uri, error=str(e))
 
-    root_logger.debug('request status %d',        http_status)
-    root_logger.debug('request reason_phrase %r', http_reason_phrase)
-    root_logger.debug('request headers %s',       http_headers)
-    root_logger.debug('request body %r',          http_body)
+    root_logger.debug('response status %d %s', http_status, http_reason_phrase)
+    root_logger.debug('response headers %s',   http_headers)
+    root_logger.debug('response body %r',      http_body)
 
     return http_status, http_reason_phrase, http_headers, http_body
diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
index 
def6b104e18fa67268a8c5a8629b533783fb5a95..79b8dc5be6a26cd6136ac62a4fa49572d765a9a0
 100644
--- a/ipapython/nsslib.py
+++ b/ipapython/nsslib.py
@@ -39,9 +39,6 @@ def auth_certificate_callback(sock, check_sig, is_server, 
certdb):
 
     cert = sock.get_peer_certificate()
 
-    root_logger.debug("auth_certificate_callback: check_sig=%s 
is_server=%s\n%s",
-                              check_sig, is_server, str(cert))
-
     pin_args = sock.get_pkcs11_pin_arg()
     if pin_args is None:
         pin_args = ()
-- 
2.4.3

From e1809a951893a466d27bf30d55577184dd32ec1b Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Fri, 20 Nov 2015 15:59:11 +1100
Subject: [PATCH 43/43] Avoid race condition caused by profile delete and
 recreate

When importing IPA-managed certificate profiles into Dogtag,
profiles with the same name (usually caIPAserviceCert) are removed,
then immediately recreated with the new profile data.  This causes a
race condition - Dogtag's LDAPProfileSystem profileChangeMonitor
thread could observe and process the deletion after the profile was
recreated, disappearing it again.

Update the profile instead of deleting and recreating it to avoid
this race condition.

Fixes: https://fedorahosted.org/freeipa/ticket/5269
---
 ipaserver/install/cainstance.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 
d230c9bdcab68f02cce32a2aeb89ca3e2143eefe..3e3dce93de2b8ca48a3fe3ea5994ee92a1b0ce49
 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1812,8 +1812,7 @@ def _create_dogtag_profile(profile_id, profile_data):
                     root_logger.debug(
                         "Failed to disable profile '%s' "
                         "(it is probably already disabled)")
-                profile_api.delete_profile(profile_id)
-                profile_api.create_profile(profile_data)
+                profile_api.update_profile(profile_id, profile_data)
 
         # enable the profile
         try:
-- 
2.4.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to