Re: [Freeipa-devel] [PATCH 0168] Better workaround to get status of CA during upgrade

2014-12-11 Thread Martin Basti

On 10/12/14 19:21, Jan Cholasta wrote:

On 10.12.2014 at 18:01, Jan Cholasta wrote:

On 1.12.2014 at 16:48, Martin Basti wrote:

On 01/12/14 08:46, Jan Cholasta wrote:

Hi,

On 27.11.2014 at 14:24, Martin Basti wrote:

Ticket: https://fedorahosted.org/freeipa/ticket/4676
Replaces current workaround. Should go to 4.1.3.
Patch attached.


When constructing URLs with host:port, please use
ipautil.format_netloc().

wget should be added as a dependency of freeipa-python in the spec 
file.


Honza


Updated patch attached.



Thanks, ACK.

Pushed to:
master: 337faf506462a01c6dbcd00f2039ed5627691864
ipa-4-1: 5052af773f652bc19e91fe49e15351e5c5c7d976



It turns out I messed up the review (sorry). This fixes the upgrade, 
but it also breaks ipa-server-install:


2014-12-10T06:06:44Z DEBUG   [8/27]: starting certificate server instance
2014-12-10T06:06:44Z DEBUG Starting external process
2014-12-10T06:06:44Z DEBUG args='/bin/systemctl' 'start' 'pki-tomcatd.target'
2014-12-10T06:06:45Z DEBUG Process finished, return code=0
2014-12-10T06:06:45Z DEBUG stdout=
2014-12-10T06:06:45Z DEBUG stderr=
2014-12-10T06:06:45Z DEBUG Starting external process
2014-12-10T06:06:45Z DEBUG args='/bin/systemctl' 'is-active' 'pki-tomcatd.target'
2014-12-10T06:06:45Z DEBUG Process finished, return code=0
2014-12-10T06:06:45Z DEBUG stdout=active

2014-12-10T06:06:45Z DEBUG stderr=
2014-12-10T06:06:45Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
2014-12-10T06:06:49Z DEBUG The httpd proxy is not installed, wait on local port
2014-12-10T06:06:49Z DEBUG Waiting until the CA is running
2014-12-10T06:06:49Z DEBUG Starting external process
2014-12-10T06:06:49Z DEBUG args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' 'https://vm-088.idm.lab.bos.redhat.com:8443/ca/admin/ca/getStatus'
2014-12-10T06:07:09Z DEBUG Process finished, return code=5
2014-12-10T06:07:09Z DEBUG stdout=
2014-12-10T06:07:09Z DEBUG stderr=--2014-12-10 01:06:49-- https://vm-088.idm.lab.bos.redhat.com:8443/ca/admin/ca/getStatus
Resolving vm-088.idm.lab.bos.redhat.com (vm-088.idm.lab.bos.redhat.com)... 10.16.78.88
Connecting to vm-088.idm.lab.bos.redhat.com (vm-088.idm.lab.bos.redhat.com)|10.16.78.88|:8443... connected.
ERROR: cannot verify vm-088.idm.lab.bos.redhat.com's certificate, issued by ‘/O=IDM.LAB.BOS.REDHAT.COM/CN=Certificate Authority’:
  Self-signed certificate encountered.
To connect to vm-088.idm.lab.bos.redhat.com insecurely, use `--no-check-certificate'.

2014-12-10T06:07:09Z DEBUG The CA status is: check interrupted


I have reopened the ticket.

Patch with '--no-check-certificate' option attached. Before the workaround
there was no certificate check, so it should not be a problem if we ignore
the certificate.

Martin^2

--
Martin Basti

From 94ebe22c56bb311072e207e6380a5638bf422c82 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Thu, 11 Dec 2014 09:38:46 +0100
Subject: [PATCH] Fix don't check certificate during getting CA status

Due to the workaround we accidentally started to check the certificate, which causes
problems during installation.

Ticket: https://fedorahosted.org/freeipa/ticket/4676
---
 ipaplatform/redhat/services.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py
index 20d0adec421ecd3285464e2a51b9d5c61a0e3d92..8759cab76c7d72a3abbf935e7f15f7a32a0b6987 100644
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
@@ -204,6 +204,7 @@ class RedHatCAService(RedHatService):
 paths.BIN_WGET,
 '-S', '-O', '-',
 '--timeout=30',
+'--no-check-certificate',
 url
 ]
 
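Review bot: the added '--no-check-certificate' argument turns off server certificate verification for every getStatus poll made with this args list, not only for the ipa-server-install case that failed. The reply on stdout is then parsed as the CA status no matter which endpoint answered on that host and port. Consider passing wget's --ca-certificate option with the IPA CA certificate whenever that file already exists, falling back to '--no-check-certificate' only while the CA is being installed, and add a comment next to the flag that names the ticket so the flag goes away with the workaround.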
-- 
1.8.3.1

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
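
The following Python example is added here and is not code from this thread or from FreeIPA. It shows the wget-based getStatus check with certificate verification kept on whenever a CA file is available, and with wget's exit status reported (5 is an SSL verification failure, as in the log above) instead of a single 'check interrupted'. The function names, the CA file path and the sample reply are assumptions constructed for illustration; the XMLResponse/Status tag names and the '-S -O - --timeout=30' options come from the patch, and --ca-certificate is a standard wget option.

```python
import xml.dom.minidom
from xml.parsers.expat import ExpatError

# wget exit statuses, from the "Exit Status" section of the wget manual.
WGET_EXIT = {
    4: "network failure",
    5: "SSL verification failure",
    8: "server issued an error response",
}

# Constructed sample reply; only the XMLResponse/Status tags come from the patch.
SAMPLE_REPLY = "<XMLResponse><Type>CA</Type><Status>running</Status></XMLResponse>"


def build_wget_args(url, ca_cert=None, wget="/usr/bin/wget"):
    """Return the getStatus command line.

    ca_cert is a hypothetical path to the IPA CA certificate. When it is
    given, wget verifies the server against it; verification is switched
    off only when no CA file exists yet (fresh install).
    """
    args = [wget, "-S", "-O", "-", "--timeout=30"]
    if ca_cert:
        args.append("--ca-certificate=" + ca_cert)
    else:
        args.append("--no-check-certificate")
    args.append(url)
    return args


def parse_ca_status(body):
    """Return the text of <XMLResponse><Status>; raise ValueError otherwise."""
    try:
        doc = xml.dom.minidom.parseString(body)
        response = doc.getElementsByTagName("XMLResponse")[0]
        status = response.getElementsByTagName("Status")[0]
        return status.childNodes[0].data
    except (ExpatError, IndexError) as exc:
        # Empty body, non-XML body, or missing/empty element.
        raise ValueError("unparsable getStatus reply: %s" % exc)


def ca_status_from_wget(returncode, stdout):
    """Turn wget's result into a status string that keeps the failure reason."""
    if returncode != 0:
        reason = WGET_EXIT.get(returncode, "wget exit status %d" % returncode)
        return "check failed: " + reason
    try:
        return parse_ca_status(stdout)
    except ValueError as exc:
        return "check failed: %s" % exc
```
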

Re: [Freeipa-devel] [PATCH 0168] Better workaround to get status of CA during upgrade

2014-12-11 Thread Jan Cholasta

On 11.12.2014 at 10:01, Martin Basti wrote:

On 10/12/14 19:21, Jan Cholasta wrote:

On 10.12.2014 at 18:01, Jan Cholasta wrote:

On 1.12.2014 at 16:48, Martin Basti wrote:

On 01/12/14 08:46, Jan Cholasta wrote:

Hi,

On 27.11.2014 at 14:24, Martin Basti wrote:

Ticket: https://fedorahosted.org/freeipa/ticket/4676
Replaces current workaround. Should go to 4.1.3.
Patch attached.


When constructing URLs with host:port, please use
ipautil.format_netloc().

wget should be added as a dependency of freeipa-python in the spec
file.

Honza


Updated patch attached.



Thanks, ACK.

Pushed to:
master: 337faf506462a01c6dbcd00f2039ed5627691864
ipa-4-1: 5052af773f652bc19e91fe49e15351e5c5c7d976



It turns out I messed up the review (sorry). This fixes the upgrade,
but it also breaks ipa-server-install:

2014-12-10T06:06:44Z DEBUG   [8/27]: starting certificate server instance
2014-12-10T06:06:44Z DEBUG Starting external process
2014-12-10T06:06:44Z DEBUG args='/bin/systemctl' 'start' 'pki-tomcatd.target'
2014-12-10T06:06:45Z DEBUG Process finished, return code=0
2014-12-10T06:06:45Z DEBUG stdout=
2014-12-10T06:06:45Z DEBUG stderr=
2014-12-10T06:06:45Z DEBUG Starting external process
2014-12-10T06:06:45Z DEBUG args='/bin/systemctl' 'is-active' 'pki-tomcatd.target'
2014-12-10T06:06:45Z DEBUG Process finished, return code=0
2014-12-10T06:06:45Z DEBUG stdout=active

2014-12-10T06:06:45Z DEBUG stderr=
2014-12-10T06:06:45Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
2014-12-10T06:06:49Z DEBUG The httpd proxy is not installed, wait on local port
2014-12-10T06:06:49Z DEBUG Waiting until the CA is running
2014-12-10T06:06:49Z DEBUG Starting external process
2014-12-10T06:06:49Z DEBUG args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' 'https://vm-088.idm.lab.bos.redhat.com:8443/ca/admin/ca/getStatus'
2014-12-10T06:07:09Z DEBUG Process finished, return code=5
2014-12-10T06:07:09Z DEBUG stdout=
2014-12-10T06:07:09Z DEBUG stderr=--2014-12-10 01:06:49-- https://vm-088.idm.lab.bos.redhat.com:8443/ca/admin/ca/getStatus
Resolving vm-088.idm.lab.bos.redhat.com (vm-088.idm.lab.bos.redhat.com)... 10.16.78.88
Connecting to vm-088.idm.lab.bos.redhat.com (vm-088.idm.lab.bos.redhat.com)|10.16.78.88|:8443... connected.
ERROR: cannot verify vm-088.idm.lab.bos.redhat.com's certificate, issued by ‘/O=IDM.LAB.BOS.REDHAT.COM/CN=Certificate Authority’:
  Self-signed certificate encountered.
To connect to vm-088.idm.lab.bos.redhat.com insecurely, use `--no-check-certificate'.

2014-12-10T06:07:09Z DEBUG The CA status is: check interrupted


I have reopened the ticket.


Patch with '--no-check-certificate' option attached. Before the workaround
there was no certificate check, so it should not be a problem if we ignore
the certificate.
Martin^2



Thanks, ACK.

Pushed to:
master: 95becc1d542c78721088398eddbfd0d0ffe9b27f
ipa-4-1: 8440c2ee97e1c7e29e20629a2579af28a6d654be

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 0168] Better workaround to get status of CA during upgrade

2014-12-10 Thread Jan Cholasta

On 1.12.2014 at 16:48, Martin Basti wrote:

On 01/12/14 08:46, Jan Cholasta wrote:

Hi,

On 27.11.2014 at 14:24, Martin Basti wrote:

Ticket: https://fedorahosted.org/freeipa/ticket/4676
Replaces current workaround. Should go to 4.1.3.
Patch attached.


When constructing URLs with host:port, please use
ipautil.format_netloc().

wget should be added as a dependency of freeipa-python in the spec file.

Honza


Updated patch attached.



Thanks, ACK.

Pushed to:
master: 337faf506462a01c6dbcd00f2039ed5627691864
ipa-4-1: 5052af773f652bc19e91fe49e15351e5c5c7d976

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 0168] Better workaround to get status of CA during upgrade

2014-12-10 Thread Jan Cholasta

On 10.12.2014 at 18:01, Jan Cholasta wrote:

On 1.12.2014 at 16:48, Martin Basti wrote:

On 01/12/14 08:46, Jan Cholasta wrote:

Hi,

On 27.11.2014 at 14:24, Martin Basti wrote:

Ticket: https://fedorahosted.org/freeipa/ticket/4676
Replaces current workaround. Should go to 4.1.3.
Patch attached.


When constructing URLs with host:port, please use
ipautil.format_netloc().

wget should be added as a dependency of freeipa-python in the spec file.

Honza


Updated patch attached.



Thanks, ACK.

Pushed to:
master: 337faf506462a01c6dbcd00f2039ed5627691864
ipa-4-1: 5052af773f652bc19e91fe49e15351e5c5c7d976



It turns out I messed up the review (sorry). This fixes the upgrade, but 
it also breaks ipa-server-install:


2014-12-10T06:06:44Z DEBUG   [8/27]: starting certificate server instance
2014-12-10T06:06:44Z DEBUG Starting external process
2014-12-10T06:06:44Z DEBUG args='/bin/systemctl' 'start' 'pki-tomcatd.target'
2014-12-10T06:06:45Z DEBUG Process finished, return code=0
2014-12-10T06:06:45Z DEBUG stdout=
2014-12-10T06:06:45Z DEBUG stderr=
2014-12-10T06:06:45Z DEBUG Starting external process
2014-12-10T06:06:45Z DEBUG args='/bin/systemctl' 'is-active' 'pki-tomcatd.target'
2014-12-10T06:06:45Z DEBUG Process finished, return code=0
2014-12-10T06:06:45Z DEBUG stdout=active

2014-12-10T06:06:45Z DEBUG stderr=
2014-12-10T06:06:45Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
2014-12-10T06:06:49Z DEBUG The httpd proxy is not installed, wait on local port
2014-12-10T06:06:49Z DEBUG Waiting until the CA is running
2014-12-10T06:06:49Z DEBUG Starting external process
2014-12-10T06:06:49Z DEBUG args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' 'https://vm-088.idm.lab.bos.redhat.com:8443/ca/admin/ca/getStatus'
2014-12-10T06:07:09Z DEBUG Process finished, return code=5
2014-12-10T06:07:09Z DEBUG stdout=
2014-12-10T06:07:09Z DEBUG stderr=--2014-12-10 01:06:49-- https://vm-088.idm.lab.bos.redhat.com:8443/ca/admin/ca/getStatus
Resolving vm-088.idm.lab.bos.redhat.com (vm-088.idm.lab.bos.redhat.com)... 10.16.78.88
Connecting to vm-088.idm.lab.bos.redhat.com (vm-088.idm.lab.bos.redhat.com)|10.16.78.88|:8443... connected.
ERROR: cannot verify vm-088.idm.lab.bos.redhat.com's certificate, issued by ‘/O=IDM.LAB.BOS.REDHAT.COM/CN=Certificate Authority’:
  Self-signed certificate encountered.
To connect to vm-088.idm.lab.bos.redhat.com insecurely, use `--no-check-certificate'.

2014-12-10T06:07:09Z DEBUG The CA status is: check interrupted


I have reopened the ticket.

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 0168] Better workaround to get status of CA during upgrade

2014-12-01 Thread Martin Basti

On 01/12/14 08:46, Jan Cholasta wrote:

Hi,

On 27.11.2014 at 14:24, Martin Basti wrote:

Ticket: https://fedorahosted.org/freeipa/ticket/4676
Replaces current workaround. Should go to 4.1.3.
Patch attached.


When constructing URLs with host:port, please use 
ipautil.format_netloc().


wget should be added as a dependency of freeipa-python in the spec file.

Honza


Updated patch attached.

--
Martin Basti

From daf56e4e4a0126f0dd528876a209f0687ca3ad06 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Tue, 18 Nov 2014 19:49:15 +0100
Subject: [PATCH] Using wget to get status of CA

This is just a workaround

Ticket: https://fedorahosted.org/freeipa/ticket/4676
---
 freeipa.spec.in |  1 +
 install/tools/ipa-upgradeconfig |  4 
 ipaplatform/redhat/services.py  | 27 ++-
 ipapython/dogtag.py | 18 +++---
 4 files changed, 38 insertions(+), 12 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 95ec6210a157fd158d81d97efbd46f3d35facbc6..39166057ecd0d5a4bacef4e79bed49135f72fff4 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -292,6 +292,7 @@ Requires: python-qrcode-core = 5.0.0
 Requires: python-pyasn1
 Requires: python-dateutil
 Requires: python-yubico
+Requires: wget
 
 Conflicts: %{alt_name}-python
 Obsoletes: %{alt_name}-python  %{version}
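Review bot: the new 'Requires: wget' line carries no comment tying it to the workaround, so it is likely to outlive it. The commit message calls this change just a workaround; add a spec comment above the line with the ticket URL so the dependency is dropped together with the wget call in ipaplatform/redhat/services.py.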
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 32fea4d0a42ac7607fffaa17339b23267f2760f6..628fe20d7c7dbdc5aaae5cd60eb357694a3b51a5 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -1486,10 +1486,6 @@ def main():
 ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
 except ipautil.CalledProcessError, e:
 root_logger.error(Failed to restart %s: %s, ca.service_name, e)
-# FIXME https://fedorahosted.org/freeipa/ticket/4676
-# workaround
-except RuntimeError as e:
-root_logger.warning(str(e))
 
 set_sssd_domain_option('ipa_server_mode', 'True')
 
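Review bot: with the 'except RuntimeError' handler removed, the only handler left around ca.restart() in this hunk is 'except ipautil.CalledProcessError, e:', so a RuntimeError raised on the restart path now propagates out of main() instead of being logged as a warning. Confirm that nothing called from ca.restart() can still raise RuntimeError once the wget check is in place, or keep a handler that logs it at error level.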
diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py
index 58ffebc48477193c7203161d2578b3040862b4e6..20d0adec421ecd3285464e2a51b9d5c61a0e3d92 100644
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
@@ -24,6 +24,7 @@ Contains Red Hat OS family-specific service class implementations.
 
 import os
 import time
+import xml.dom.minidom
 
 from ipaplatform.tasks import tasks
 from ipaplatform.base import services as base_services
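Review bot: this import hunk adds only xml.dom.minidom, while the code added further down in RedHatCAService uses paths.BIN_WGET, ipautil.run(), ipautil.format_netloc() and api.env.ca_host. Please confirm those names are already imported in services.py and that BIN_WGET is already defined, since the diffstat touches no paths module; otherwise the failure is swallowed by the surrounding 'except Exception' and shows up only as 'check interrupted'.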
@@ -185,7 +186,31 @@ class RedHatCAService(RedHatService):
 op_timeout = time.time() + timeout
 while time.time()  op_timeout:
 try:
-status = dogtag.ca_status(use_proxy=use_proxy)
+# FIXME https://fedorahosted.org/freeipa/ticket/4716
+# workaround
+#
+# status = dogtag.ca_status(use_proxy=use_proxy)
+#
+port = 8443
+if use_proxy:
+port = 443
+
+url = https://%(host_port)s%(path)s % {
+host_port: ipautil.format_netloc(api.env.ca_host, port),
+path: /ca/admin/ca/getStatus
+}
+
+args = [
+paths.BIN_WGET,
+'-S', '-O', '-',
+'--timeout=30',
+url
+]
+
+stdout, stderr, returncode = ipautil.run(args)
+
+status = dogtag._parse_ca_status(stdout)
+# end of workaround
 except Exception:
 status = 'check interrupted'
 root_logger.debug('The CA status is: %s' % status)
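Review bot: 'stdout, stderr, returncode = ipautil.run(args)' binds stderr and returncode but neither is used, and every failure in the new block ends up in the existing 'except Exception', which reports only 'check interrupted'. A TLS error, a refused connection and a malformed reply then look identical in the debug line that follows. Log the exception, or wget's exit status, before setting the status so a failed check can be diagnosed.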
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 0e0aacca798377517244075ed6b07dff63e87358..675d2a77fe30b9109c17089f129b189282ffa57b 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -191,6 +191,16 @@ def get_ca_certchain(ca_host=None, dogtag_constants=None):
 return chain
 
 
+def _parse_ca_status(body):
+doc = xml.dom.minidom.parseString(body)
+try:
+item_node = doc.getElementsByTagName(XMLResponse)[0]
+item_node = item_node.getElementsByTagName(Status)[0]
+return item_node.childNodes[0].data
+except IndexError:
+raise error_from_xml(doc, _(Retrieving CA status failed: %s))
+
+
 def ca_status(ca_host=None, use_proxy=True):
 Return the status of the CA, and the httpd proxy in front of it
 
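Review bot: in _parse_ca_status() the xml.dom.minidom.parseString(body) call sits above the try block, so only a missing XMLResponse or Status element is converted through error_from_xml(); an empty or non-XML body raises the parser's own exception instead. That matters now that the body can be wget's stdout. Move parseString() inside the try and handle the parse error with its own message, since error_from_xml() needs a parsed document.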
@@ -214,13 +224,7 @@ def ca_status(ca_host=None, use_proxy=True):
 elif status != 200:
 raise errors.RemoteRetrieveError(
 reason=_(Retrieving CA status failed: %s) % reason)
-doc = xml.dom.minidom.parseString(body)
-try:
-item_node = doc.getElementsByTagName(XMLResponse)[0]
-item_node = item_node.getElementsByTagName(Status)[0]
-return item_node.childNodes[0].data
-except IndexError:
-raise 

Re: [Freeipa-devel] [PATCH 0168] Better workaround to get status of CA during upgrade

2014-11-30 Thread Jan Cholasta

Hi,

On 27.11.2014 at 14:24, Martin Basti wrote:

Ticket: https://fedorahosted.org/freeipa/ticket/4676
Replaces current workaround. Should go to 4.1.3.
Patch attached.


When constructing URLs with host:port, please use ipautil.format_netloc().

wget should be added as a dependency of freeipa-python in the spec file.

Honza

--
Jan Cholasta



[Freeipa-devel] [PATCH 0168] Better workaround to get status of CA during upgrade

2014-11-27 Thread Martin Basti

Ticket: https://fedorahosted.org/freeipa/ticket/4676
Replaces current workaround. Should go to 4.1.3.
Patch attached.

--
Martin Basti

From aceecd06d3174101dd1f7d63f2b22eb1d1447fa1 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Tue, 18 Nov 2014 19:49:15 +0100
Subject: [PATCH] Using wget to get status of CA

This is just a workaround

Ticket: https://fedorahosted.org/freeipa/ticket/4676
---
 install/tools/ipa-upgradeconfig |  4 
 ipaplatform/redhat/services.py  | 28 +++-
 ipapython/dogtag.py | 18 +++---
 3 files changed, 38 insertions(+), 12 deletions(-)

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 02bfe3a79f83e65f428fe2220d940eb39fdbd928..b81a474b2bb14f1582dabd649400c13f7ce6d369 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -1473,10 +1473,6 @@ def main():
 ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
 except ipautil.CalledProcessError, e:
 root_logger.error(Failed to restart %s: %s, ca.service_name, e)
-# FIXME https://fedorahosted.org/freeipa/ticket/4676
-# workaround
-except RuntimeError as e:
-root_logger.warning(str(e))
 
 set_sssd_domain_option('ipa_server_mode', 'True')
 
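Review bot: the FIXME removed here points at ticket 4676, and the commit message does too, but the replacement FIXME added in ipaplatform/redhat/services.py points at ticket 4716. Please make the references agree, or say in the commit message which ticket tracks removal of the workaround.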
diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py
index 58ffebc48477193c7203161d2578b3040862b4e6..a2ff10824edde8832c48613dcc456092441b3097 100644
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
@@ -24,6 +24,7 @@ Contains Red Hat OS family-specific service class implementations.
 
 import os
 import time
+import xml.dom.minidom
 
 from ipaplatform.tasks import tasks
 from ipaplatform.base import services as base_services
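Review bot: the added 'import xml.dom.minidom' is not used by anything this patch adds to services.py; the XML parsing happens in dogtag._parse_ca_status(), and ipapython/dogtag.py already called xml.dom.minidom.parseString() before the change. Drop the import here.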
@@ -185,7 +186,32 @@ class RedHatCAService(RedHatService):
 op_timeout = time.time() + timeout
 while time.time()  op_timeout:
 try:
-status = dogtag.ca_status(use_proxy=use_proxy)
+# FIXME https://fedorahosted.org/freeipa/ticket/4716
+# workaround
+#
+# status = dogtag.ca_status(use_proxy=use_proxy)
+#
+port = 8443
+if use_proxy:
+port = 443
+
+url = https://%(host)s:%(port)s%(path)s % {
+host: api.env.ca_host,
+port: port,
+path: /ca/admin/ca/getStatus,
+}
+
+args = [
+paths.BIN_WGET,
+'-S', '-O', '-',
+'--timeout=30',
+url
+]
+
+stdout, stderr, returncode = ipautil.run(args)
+
+status = dogtag._parse_ca_status(stdout)
+# end of workaround
 except Exception:
 status = 'check interrupted'
 root_logger.debug('The CA status is: %s' % status)
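Review bot: the ports 8443 and 443 and the '/ca/admin/ca/getStatus' path are hard-coded in the new block, and the old call is left behind as a comment ('# status = dogtag.ca_status(use_proxy=use_proxy)'). Build the request in a small helper next to ca_status() in ipapython/dogtag.py so services.py does not carry Dogtag URL details, and drop the commented-out line; the FIXME with the ticket URL is enough to find the previous code.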
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 14824b99431e85dd73613befd72e500d370cfe2c..d03e596146e1ef4f65f616792d90ac2d869c9db4 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -191,6 +191,16 @@ def get_ca_certchain(ca_host=None, dogtag_constants=None):
 return chain
 
 
+def _parse_ca_status(body):
+doc = xml.dom.minidom.parseString(body)
+try:
+item_node = doc.getElementsByTagName(XMLResponse)[0]
+item_node = item_node.getElementsByTagName(Status)[0]
+return item_node.childNodes[0].data
+except IndexError:
+raise error_from_xml(doc, _(Retrieving CA status failed: %s))
+
+
 def ca_status(ca_host=None, use_proxy=True):
 Return the status of the CA, and the httpd proxy in front of it
 
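Review bot: _parse_ca_status() has a leading underscore and no docstring, yet the same patch calls it from another module as dogtag._parse_ca_status(stdout) in ipaplatform/redhat/services.py. Either give it a public name or add a docstring stating that it is shared with the platform code and what it raises for a reply without XMLResponse/Status.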
@@ -214,13 +224,7 @@ def ca_status(ca_host=None, use_proxy=True):
 elif status != 200:
 raise errors.RemoteRetrieveError(
 reason=_(Retrieving CA status failed: %s) % reason)
-doc = xml.dom.minidom.parseString(body)
-try:
-item_node = doc.getElementsByTagName(XMLResponse)[0]
-item_node = item_node.getElementsByTagName(Status)[0]
-return item_node.childNodes[0].data
-except IndexError:
-raise error_from_xml(doc, _(Retrieving CA status failed: %s))
+return _parse_ca_status(body)
 
 
 def https_request(host, port, url, secdir, password, nickname, **kw):
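Review bot: the 'elif status != 200' guard in the context lines stays in ca_status(), so only that caller checks the HTTP status before handing the body to _parse_ca_status(); the wget path in services.py calls the helper directly. State in the helper, or at the wget call, that the caller is responsible for confirming the transfer succeeded, for example by checking the returncode that ipautil.run() returns.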
-- 
1.8.3.1
