https://fedorahosted.org/freeipa/ticket/5655
-- Martin^3 Babinsky
From bfa239bd1ac71f89a54f8be548432b89b2f527dd Mon Sep 17 00:00:00 2001 From: Martin Babinsky <mbabi...@redhat.com> Date: Mon, 1 Feb 2016 12:59:04 +0100 Subject: [PATCH] always start certmonger during IPA server configuration upgrade This patch fixes a regression introduced by commit bef0f4c5c38e7ff6415e8f8c96dc306ef7f0ce56. Instead of checking whether there is CA installed in the topology, we should always start certmonger service during upgrade regardless when CA was configured. https://fedorahosted.org/freeipa/ticket/5655 --- ipaserver/install/server/upgrade.py | 33 +++++---------------------------- 1 file changed, 5 insertions(+), 28 deletions(-) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 20379f19c652cb0b5911a4c2f1c67eae7f763379..48f8579a4bf49c9e225733facb06fcc001dbdb32 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -291,24 +291,6 @@ def setup_firefox_extension(fstore): http.setup_firefox_extension(realm, domain) -def is_ca_enabled(): - """ - check whether there is an active CA master - :return: True if there is an active CA in topology, False otherwise - """ - ldap2 = api.Backend.ldap2 - was_connected = ldap2.isconnected() - - if not was_connected: - ldap2.connect() - - try: - return api.Command.ca_is_enabled()['result'] - finally: - if not was_connected: - ldap2.disconnect() - - def ca_configure_profiles_acl(ca): root_logger.info('[Authorizing RA Agent to modify profiles]') @@ -1481,6 +1463,10 @@ def upgrade_configuration(): ) upgrade_pki(ca, fstore) + certmonger_service = services.knownservices.certmonger + if ca.is_configured() and not certmonger_service.is_running(): + certmonger_service.start() + ca.configure_certmonger_renewal_guard() update_dbmodules(api.env.realm) @@ -1496,8 +1482,7 @@ def upgrade_configuration(): http.configure_selinux_for_httpd() http.change_mod_nss_port_from_http() - if is_ca_enabled(): - http.configure_certmonger_renewal_guard() + http.configure_certmonger_renewal_guard() http.enable_and_start_oddjobd() @@ -1650,14 +1635,6 @@ def upgrade_check(options): print(unicode(e)) sys.exit(1) - try: - ca_is_enabled = is_ca_enabled() - except Exception as e: - raise RuntimeError("Cannot connect to LDAP server: {0}".format(e)) - - if not services.knownservices.certmonger.is_running() and ca_is_enabled: - raise RuntimeError('Certmonger is not running. Start certmonger and run upgrade again.') - if not options.skip_version_check: # check IPA version and data version try: -- 2.5.0
From d10dbd7c5bbcc7987c66e6ea0c15a658bf9d609c Mon Sep 17 00:00:00 2001 From: Martin Babinsky <mbabi...@redhat.com> Date: Mon, 1 Feb 2016 12:59:04 +0100 Subject: [PATCH] always start certmonger during IPA server configuration upgrade This patch fixes a regression introduced by commit bef0f4c5c38e7ff6415e8f8c96dc306ef7f0ce56. Instead of checking whether there is CA installed in the topology, we should always start certmonger service during upgrade regardless when CA was configured. https://fedorahosted.org/freeipa/ticket/5655 --- ipaserver/install/server/upgrade.py | 33 +++++---------------------------- 1 file changed, 5 insertions(+), 28 deletions(-) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 2d971964480e2f7829591f194a21ed6d23eccdd2..0a46635979497f8028465c2295b22485fd9c0279 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -292,24 +292,6 @@ def setup_firefox_extension(fstore): http.setup_firefox_extension(realm, domain) -def is_ca_enabled(): - """ - check whether there is an active CA master - :return: True if there is an active CA in topology, False otherwise - """ - ldap2 = api.Backend.ldap2 - was_connected = ldap2.isconnected() - - if not was_connected: - ldap2.connect() - - try: - return api.Command.ca_is_enabled()['result'] - finally: - if not was_connected: - ldap2.disconnect() - - def ca_configure_profiles_acl(ca): root_logger.info('[Authorizing RA Agent to modify profiles]') @@ -1420,6 +1402,10 @@ def upgrade_configuration(): ) upgrade_pki(ca, fstore) + certmonger_service = services.knownservices.certmonger + if ca.is_configured() and not certmonger_service.is_running(): + certmonger_service.start() + ca.configure_certmonger_renewal_guard() update_dbmodules(api.env.realm) @@ -1435,8 +1421,7 @@ def upgrade_configuration(): http.configure_selinux_for_httpd() http.change_mod_nss_port_from_http() - if is_ca_enabled(): - http.configure_certmonger_renewal_guard() + http.configure_certmonger_renewal_guard() ds.configure_dirsrv_ccache() @@ -1582,14 +1567,6 @@ def upgrade_check(options): print unicode(e) sys.exit(1) - try: - ca_is_enabled = is_ca_enabled() - except Exception as e: - raise RuntimeError("Cannot connect to LDAP server: {0}".format(e)) - - if not services.knownservices.certmonger.is_running() and ca_is_enabled: - raise RuntimeError('Certmonger is not running. Start certmonger and run upgrade again.') - if not options.skip_version_check: # check IPA version and data version try: -- 2.5.0
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code