URL: https://github.com/freeipa/freeipa/pull/222
Author: flo-renaud
 Title: #222: Fix ipa-replica-install when upgrade from ca-less to ca-full
Action: synchronized

From 876c09701dc3a32c31e37869579c9eb65240649c Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Wed, 9 Nov 2016 15:14:27 +0100
Subject: [PATCH] Fix ipa-replica-install when upgrade from ca-less to ca-full

When ipa-replica-prepare is run on a master upgraded from CA-less to
CA-full, it creates the replica file with a copy of the local /etc/ipa/ca.crt.
This causes issues if this file hasn't been updated with ipa-certupdate,
as it contains the external CA that signed http/ldap certs, but not
the newly installed IPA CA.
As a consequence, ipa-replica-install fails with "Could not find a CA cert".

The fix consists of retrieving the CA certificates from LDAP instead of
the local /etc/ipa/ca.crt.

https://fedorahosted.org/freeipa/ticket/6375
---
 ipaserver/install/ipa_replica_prepare.py   | 9 ++++++++-
 ipaserver/install/server/replicainstall.py | 8 ++++----
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index 227d296..dd75eb1 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -34,6 +34,7 @@
 
 from ipaserver.install import certs, installutils, bindinstance, dsinstance
 from ipaserver.install.replication import enable_replication_version_checking
+from ipaserver.install.server.replicainstall import install_ca_cert
 from ipaserver.install.bindinstance import (
     add_zone, add_fwd_rr, add_ptr_rr, dns_container_exists)
 from ipapython import ipautil, admintool
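Review bot: The new import pulls a helper out of `ipaserver.install.server.replicainstall`, a module that itself imports heavily from `ipaserver.install`; if any of its transitive imports lead back to `ipa_replica_prepare`, this becomes a circular import that only surfaces at module load, which I cannot rule out from the hunk. If `install_ca_cert` is meant to be shared by prepare and install, moving it (or the LDAP-to-PEM part of it) into a neutral module such as `ipaserver.install.installutils` would avoid the prepare-side tool depending on the replica-install package. Also, with the `CACERT` usage dropped in `copy_misc_files` below, check whether the `CACERT` name is still referenced anywhere in this file; if not, its import should go too.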
@@ -356,6 +357,7 @@ def run(self):
             if options.setup_pkinit:
                 self.copy_pkinit_certificate()
 
+            self.retrieve_ca_certs()
             self.copy_misc_files()
 
             self.save_config()
@@ -443,12 +445,17 @@ def copy_pkinit_certificate(self):
     def copy_misc_files(self):
         self.log.info("Copying additional files")
 
-        self.copy_info_file(CACERT, "ca.crt")
         cacert_filename = paths.CACERT_PEM
         if ipautil.file_exists(cacert_filename):
             self.copy_info_file(cacert_filename, "cacert.pem")
         self.copy_info_file(paths.IPA_DEFAULT_CONF, "default.conf")
 
+    def retrieve_ca_certs(self):
+        self.log.info("Retrieving CA certificates")
+        dest = os.path.join(self.dir, "ca.crt")
+        install_ca_cert(api.Backend.ldap2, api.env.basedn,
+                        api.env.realm, paths.IPA_CA_CRT, destfile=dest)
+
     def save_config(self):
         self.log.info("Finalizing configuration")
 
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index a7b333c..dda3c8e 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -127,22 +127,22 @@ def install_krb(config, setup_pkinit=False, promote=False):
     return krb
 
 
-def install_ca_cert(ldap, base_dn, realm, cafile):
+def install_ca_cert(ldap, base_dn, realm, cafile, destfile=paths.IPA_CA_CRT):
     try:
         try:
             certs = certstore.get_ca_certs(ldap, base_dn, realm, False)
         except errors.NotFound:
             try:
-                shutil.copy(cafile, paths.IPA_CA_CRT)
+                shutil.copy(cafile, destfile)
             except shutil.Error:
                 # cafile == IPA_CA_CRT
                 pass
         else:
             certs = [c[0] for c in certs if c[2] is not False]
-            x509.write_certificate_list(certs, paths.IPA_CA_CRT)
+            x509.write_certificate_list(certs, destfile)
     except Exception as e:
         raise ScriptError("error copying files: " + str(e))
-    return paths.IPA_CA_CRT
+    return destfile
 
 
 def install_http(config, auto_redirect, ca_is_configured, ca_file,
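Review bot: The comment on the `shutil.Error` handler is now stale: with the new `destfile` parameter the same-file case is `cafile == destfile`, not `cafile == IPA_CA_CRT`, so it should read `# cafile == destfile: nothing to copy`. That handler also swallows every `shutil.Error`, not only the same-file case; if the codebase targets Python 3.4+, `except shutil.SameFileError:` narrows it so a genuine copy failure is not silently ignored (a silent skip here leaves the target without a CA bundle, which is the very failure mode the commit fixes). The function also has no docstring; with a new parameter it should get one stating that `destfile` is where the PEM list of trusted CA certificates is written and that the path is returned, e.g. `"""Write the realm's CA certificates (from LDAP, else cafile) to destfile and return its path."""`. This function is complete within the hunk.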
-- 