URL: https://github.com/freeipa/freeipa/pull/222 Author: flo-renaud Title: #222: Fix ipa-replica-install when upgrade from ca-less to ca-full Action: synchronized
From 876c09701dc3a32c31e37869579c9eb65240649c Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <[email protected]>
Date: Wed, 9 Nov 2016 15:14:27 +0100
Subject: [PATCH] Fix ipa-replica-install when upgrade from ca-less to ca-full

When ipa-replica-prepare is run on a master upgraded from CA-less to CA-full, it creates the replica file with a copy of the local /etc/ipa/ca.crt. This causes issues if this file hasn't been updated with ipa-certupdate, as it contains the external CA that signed http/ldap certs, but not the newly installed IPA CA. As a consequence, ipa-replica-install fails with "Could not find a CA cert". The fix consists in retrieving the CA certificates from LDAP instead of the local /etc/ipa/ca.crt. https://fedorahosted.org/freeipa/ticket/6375
---
 ipaserver/install/ipa_replica_prepare.py | 9 ++++++++-
 ipaserver/install/server/replicainstall.py | 8 ++++----
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index 227d296..dd75eb1 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -34,6 +34,7 @@ from ipaserver.install import certs, installutils, bindinstance, dsinstance
 from ipaserver.install.replication import enable_replication_version_checking
+from ipaserver.install.server.replicainstall import install_ca_cert
 from ipaserver.install.bindinstance import (
     add_zone, add_fwd_rr, add_ptr_rr, dns_container_exists)
 from ipapython import ipautil, admintool
@@ -356,6 +357,7 @@ def run(self):
         if options.setup_pkinit:
             self.copy_pkinit_certificate()
+        self.retrieve_ca_certs()
         self.copy_misc_files()
         self.save_config()
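Review bot: The added `from ipaserver.install.server.replicainstall import install_ca_cert` makes the replica-prepare tool import the whole replica installer module for a single helper; if replicainstall, directly or through its own imports, ever imports ipa_replica_prepare, this turns into a circular import that only surfaces at runtime. A narrower home for the helper, such as certstore (which already owns get_ca_certs) or installutils, would keep the dependency one-way. The `CACERT` name from ipalib.constants appears to lose its only user in this file with the removal of `self.copy_info_file(CACERT, "ca.crt")` in copy_misc_files; if nothing else references it, the import should go too, but its import line is outside this hunk.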
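Review bot: The indentation of the added `self.retrieve_ca_certs()` line cannot be recovered from this rendering, and it matters: the call has to sit at the level of `if options.setup_pkinit:`, not inside its body, or ca.crt would only be written into the replica file when PKINIT is being set up, which is the opposite of what the commit message describes. Worth confirming in the applied patch. The call also relies on api.Backend.ldap2 already being connected at this point in run(); the rest of run() is outside the hunk.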
@@ -443,12 +445,17 @@ def copy_pkinit_certificate(self):
     def copy_misc_files(self):
         self.log.info("Copying additional files")
 
-        self.copy_info_file(CACERT, "ca.crt")
         cacert_filename = paths.CACERT_PEM
         if ipautil.file_exists(cacert_filename):
             self.copy_info_file(cacert_filename, "cacert.pem")
         self.copy_info_file(paths.IPA_DEFAULT_CONF, "default.conf")
 
+    def retrieve_ca_certs(self):
+        self.log.info("Retrieving CA certificates")
+        dest = os.path.join(self.dir, "ca.crt")
+        install_ca_cert(api.Backend.ldap2, api.env.basedn, api.env.realm, paths.IPA_CA_CRT, destfile=dest)
+
     def save_config(self):
         self.log.info("Finalizing configuration")
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index a7b333c..dda3c8e 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -127,22 +127,22 @@ def install_krb(config, setup_pkinit=False, promote=False):
     return krb
 
 
-def install_ca_cert(ldap, base_dn, realm, cafile):
+def install_ca_cert(ldap, base_dn, realm, cafile, destfile=paths.IPA_CA_CRT):
     try:
         try:
             certs = certstore.get_ca_certs(ldap, base_dn, realm, False)
         except errors.NotFound:
             try:
-                shutil.copy(cafile, paths.IPA_CA_CRT)
+                shutil.copy(cafile, destfile)
             except shutil.Error:
                 # cafile == IPA_CA_CRT
                 pass
         else:
             certs = [c[0] for c in certs if c[2] is not False]
-            x509.write_certificate_list(certs, paths.IPA_CA_CRT)
+            x509.write_certificate_list(certs, destfile)
     except Exception as e:
         raise ScriptError("error copying files: " + str(e))
-    return paths.IPA_CA_CRT
+    return destfile
 
 
 def install_http(config, auto_redirect, ca_is_configured, ca_file,
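Review bot: `retrieve_ca_certs` passes `paths.IPA_CA_CRT` as the fallback `cafile`, so whenever certstore.get_ca_certs raises errors.NotFound inside install_ca_cert the replica file silently receives the same local /etc/ipa/ca.crt that this commit stops trusting, and a replica prepared on such a master fails in exactly the way the commit message describes. The fallback is presumably needed for masters whose LDAP certificate store was never populated, but it deserves a comment at the call site, e.g. `# install_ca_cert falls back to the local /etc/ipa/ca.crt when LDAP holds no CA certs; run ipa-certupdate first on masters upgraded from CA-less`, and ideally a warning-level log line in the NotFound branch. The method also lacks a docstring; `"""Write the CA certificates stored in LDAP to <self.dir>/ca.crt for the replica file."""` states the contract. Note that any failure inside install_ca_cert, including the LDAP search itself, surfaces as `ScriptError("error copying files: ...")`, which will mislead an administrator reading the log.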
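Review bot: The comment `# cafile == IPA_CA_CRT` in the `except shutil.Error` branch no longer matches the code: the destination is now the `destfile` argument, so the case being ignored is `cafile == destfile` and the comment should say `# cafile == destfile: nothing to copy`. Catching every `shutil.Error` there rather than only the same-file case does not, as far as the visible code shows, hide other copy failures, since those raise OSError and are converted to ScriptError by the outer handler, but a one-line comment saying so would spare the next reader the derivation. The function has no docstring; it should state that it first reads the CA certificates from the LDAP certificate store via certstore.get_ca_certs and writes the ones not marked untrusted to `destfile`, falls back to copying `cafile` to `destfile` when the store raises errors.NotFound, overwrites `destfile` in place, and returns `destfile`. Now that ipa-replica-prepare reuses this function, the `"error copying files: "` prefix on the ScriptError is wrong for a failed LDAP lookup; `"error retrieving CA certificates: "` would cover both paths.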
