URL: https://github.com/freeipa/freeipa/pull/222 Author: flo-renaud Title: #222: Fix ipa-replica-install when upgrade from ca-less to ca-full Action: opened
PR body: """ When ipa-replica-prepare is run on a master upgraded from CA-less to CA-full, it creates the replica file with a copy of the local /etc/ipa/ca.crt. This causes issues if this file hasn't been updated with ipa-certupdate, as it contains the external CA that signed http/ldap certs, but not the newly installed IPA CA. As a consequence, ipa-replica-install fails with "Could not find a CA cert". The fix consists in retrieving the CA certificates from LDAP instead of the local /etc/ipa/ca.crt. https://fedorahosted.org/freeipa/ticket/6375 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/222/head:pr222 git checkout pr222
From 1e59de3b6dbe573e0de19d8366da3632f281b422 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Wed, 9 Nov 2016 15:14:27 +0100
Subject: [PATCH] Fix ipa-replica-install when upgrade from ca-less to ca-full

When ipa-replica-prepare is run on a master upgraded from CA-less to CA-full, it creates the replica file with a copy of the local /etc/ipa/ca.crt. This causes issues if this file hasn't been updated with ipa-certupdate, as it contains the external CA that signed http/ldap certs, but not the newly installed IPA CA. As a consequence, ipa-replica-install fails with "Could not find a CA cert". The fix consists in retrieving the CA certificates from LDAP instead of the local /etc/ipa/ca.crt. https://fedorahosted.org/freeipa/ticket/6375
---
 ipaserver/install/ipa_replica_prepare.py | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index e6699d8..c1dc8a3 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -40,6 +40,7 @@
 from ipapython.dn import DN
 from ipapython import version
 from ipalib import api
+from ipalib import certstore, x509
 from ipalib import errors
 from ipaplatform.paths import paths
 from ipalib.constants import CACERT, DOMAIN_LEVEL_0
@@ -361,6 +362,7 @@ def run(self):
         if options.setup_pkinit:
             self.copy_pkinit_certificate()
+        self.retrieve_ca_certs()
         self.copy_misc_files()
         self.save_config()
@@ -448,12 +450,23 @@ def copy_pkinit_certificate(self):
     def copy_misc_files(self):
         self.log.info("Copying additional files")
-        self.copy_info_file(CACERT, "ca.crt")
         cacert_filename = paths.CACERT_PEM
         if ipautil.file_exists(cacert_filename):
             self.copy_info_file(cacert_filename, "cacert.pem")
         self.copy_info_file(paths.IPA_DEFAULT_CONF, "default.conf")
 
+    def retrieve_ca_certs(self):
+        self.log.info("Retrieving CA certificates")
+        ca_certs = certstore.get_ca_certs(api.Backend.ldap2, api.env.basedn,
+                                          api.env.realm, False)
+        certs = (c[0] for c in ca_certs if c[2] is not False)
+        dest = os.path.join(self.dir, "ca.crt")
+        try:
+            x509.write_certificate_list(certs, dest)
+        except Exception as e:
+            raise admintool.ScriptError(
+                "File creation {0} failed: {1}".format(dest, e))
+
     def save_config(self):
         self.log.info("Finalizing configuration")
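Review bot: retrieve_ca_certs writes ca.crt unconditionally, so when the LDAP certificate store returns nothing usable (an empty result, or every entry dropped by the `c[2] is not False` filter) an empty ca.crt is packed into the replica file and ipa-replica-install still fails later with the same "Could not find a CA cert" message, only further from the cause. Materialising the filter and failing here gives an actionable error: `certs = [c[0] for c in ca_certs if c[2] is not False]` / `if not certs:` / `raise admintool.ScriptError("No usable CA certificate found in LDAP")`. The tuple indices are opaque to a reader; a comment such as `# get_ca_certs yields (cert, nickname, trusted, ...); keep all not explicitly untrusted` would help, assuming that is the shape certstore returns. The `except Exception` around write_certificate_list also relabels any failure, including a malformed certificate object, as "File creation ... failed"; catching the OS/IO errors the write is actually expected to raise keeps unexpected ones visible. With the CACERT copy removed, the `CACERT` import kept in the first hunk may now be unused if nothing else in the file references it — worth checking, since the rest of the file is not visible here.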