Re: [Freeipa-devel] [PATCH] 35 Fix external CA install

2011-07-27 Thread Jan Cholasta

On 26.7.2011 19:37, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> This patch contains several small fixes of external CA install.
>>
>> https://fedorahosted.org/freeipa/ticket/1523
>
> This is a good start at simplifying things but needs a bit more work.
> One thing I was bending over backwards for was to handle whatever
> options were thrown at us. Here is a situation this does not handle very
> gracefully:
>
> # ipa-server-install --external_cert_file=/home/rcrit/cadb/sub/ipa.crt
> --external_ca_file=/home/rcrit/cadb/sub/ca.crt --external-ca
> The following operations may take some minutes to complete.
> Please wait until the prompt is returned.
>
> Configuring ntpd
> [1/4]: stopping ntpd
> [2/4]: writing configuration
> [3/4]: configuring ntpd to start on boot
> [4/4]: starting ntpd
> done configuring ntpd.
> Configuring directory server for the CA: Estimated time 30 seconds
> [1/3]: creating directory server user
> [2/3]: creating directory server instance
> [3/3]: restarting directory server
> done configuring pkids.
> CA is not installed yet. To install with an external CA is a two-stage
> process.
> First run the installer with --external-ca.
>
> rob

Moved the input validation to the beginning of main(), so that the 
errors are caught sooner.


Honza

--
Jan Cholasta
From 0080143430cb5e8a76c8fb02fa9ad0a3a079cda9 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 26 Jul 2011 13:21:36 +0200
Subject: [PATCH] Fix external CA install.

ticket 1523
---
 install/tools/ipa-server-install |   59 ++
 1 files changed, 34 insertions(+), 25 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 8f8100b..f477412 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -212,9 +212,15 @@ def parse_options():
 if (options.external_cert_file or options.external_ca_file) and options.selfsign:
 parser.error(--selfsign cannot be used with the external CA options.)
 
+if options.external_ca:
+if options.external_cert_file:
+parser.error(You cannot specify --external_cert_file together with --external-ca)
+if options.external_ca_file:
+parser.error(You cannot specify --external_ca_file together with --external-ca)
+
 if ((options.external_cert_file and not options.external_ca_file) or
(not options.external_cert_file and options.external_ca_file)):
-parser.error(if either external option is used, both are required.)
+parser.error(if either external CA option is used, both are required.)
 
 if (options.external_ca_file and not os.path.isabs(options.external_ca_file)):
 parser.error(--external-ca-file must use an absolute path)
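Review bot: the two parser.error() messages added under "if options.external_ca:" spell the options --external_cert_file and --external_ca_file, while the absolute-path check at the end of this hunk names the same option --external-ca-file. The command line quoted earlier in this thread uses the underscore form, so the hyphenated message is the odd one out; please use the spelling the parser accepts in every message so that a user can copy the option name straight from the error text.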
@@ -503,7 +509,7 @@ def main():
 else:
 standard_logging_setup(/var/log/ipaserver-install.log, options.debug)
 print \nThe log file for this installation can be found in /var/log/ipaserver-install.log
-if (dsinstance.DsInstance().is_configured() or cainstance.CADSInstance().is_configured()) and not options.external_cert_file:
+if not options.external_ca and not options.external_cert_file and (dsinstance.DsInstance().is_configured() or cainstance.CADSInstance().is_configured()):
 sys.exit(IPA server is already configured on this system.\n
  + If you want to reinstall the IPA server please uninstall it first.)
 
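Review bot: with "not options.external_ca" added to this condition, a run with --external-ca no longer reaches the "IPA server is already configured" exit even when dsinstance.DsInstance().is_configured() is true. The only later guard for that option, in the next hunk, tests cainstance.CADSInstance() alone, so a stage-one run on a host whose directory server is configured but whose CA directory instance is not would continue past both checks. Either keep the DsInstance() test for --external-ca or add a comment stating why skipping it is safe.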
@@ -544,9 +550,26 @@ def main():
 
 return uninstall()
 
+if options.external_ca:
+if cainstance.CADSInstance().is_configured():
+print CA is already installed.\nRun the installer with --external_cert_file and --external_ca_file.
+sys.exit(1)
+elif options.external_cert_file:
+if not cainstance.CADSInstance().is_configured():
+# This can happen if someone passes external_ca_file without
+# already having done the first stage of the CA install.
+print CA is not installed yet. To install with an external CA is a two-stage process.\nFirst run the installer with --external-ca.
+sys.exit(1)
+if not ipautil.file_exists(options.external_cert_file):
+print %s does not exist % options.external_cert_file
+sys.exit(1)
+if not ipautil.file_exists(options.external_ca_file):
+print %s does not exist % options.external_ca_file
+sys.exit(1)
+
 # This will override any settings passed in on the cmdline
 if ipautil.file_exists(ANSWER_CACHE):
-dm_password = read_dm_password()
+dm_password = read_password(Directory Manager, confirm=False)
 options._update_loose(read_cache(dm_password))
 
 print ==
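Review bot: the new failure paths in the "if options.external_ca:" / "elif options.external_cert_file:" block report with print followed by sys.exit(1), which writes the message to stdout, whereas the "already configured" exit in the previous hunk passes the text to sys.exit() so that it goes to stderr; using sys.exit(message) here as well keeps all installer errors on one stream. The comment in the elif branch also says external_ca_file although the branch tests options.external_cert_file. The switch from read_dm_password() to read_password(..., confirm=False) at the end of the hunk is not an option-validation change and should be mentioned in the commit message.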
@@ -754,24 +777,12 @@ def main():
 
 # Figure out what state we're in. See cainstance.py for more info on
 # the 3 states.
-if options.external_cert_file is not None and 

Re: [Freeipa-devel] [PATCH] 35 Fix external CA install

2011-07-27 Thread Rob Crittenden

Jan Cholasta wrote:
> On 26.7.2011 19:37, Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> This patch contains several small fixes of external CA install.
>>>
>>> https://fedorahosted.org/freeipa/ticket/1523
>>
>> This is a good start at simplifying things but needs a bit more work.
>> One thing I was bending over backwards for was to handle whatever
>> options were thrown at us. Here is a situation this does not handle very
>> gracefully:
>>
>> # ipa-server-install --external_cert_file=/home/rcrit/cadb/sub/ipa.crt
>> --external_ca_file=/home/rcrit/cadb/sub/ca.crt --external-ca
>> The following operations may take some minutes to complete.
>> Please wait until the prompt is returned.
>>
>> Configuring ntpd
>> [1/4]: stopping ntpd
>> [2/4]: writing configuration
>> [3/4]: configuring ntpd to start on boot
>> [4/4]: starting ntpd
>> done configuring ntpd.
>> Configuring directory server for the CA: Estimated time 30 seconds
>> [1/3]: creating directory server user
>> [2/3]: creating directory server instance
>> [3/3]: restarting directory server
>> done configuring pkids.
>> CA is not installed yet. To install with an external CA is a two-stage
>> process.
>> First run the installer with --external-ca.
>>
>> rob
>
> Moved the input validation to the beginning of main(), so that the
> errors are caught sooner.
>
> Honza

Working great, ack.

pushed to master and ipa-2-0

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 35 Fix external CA install

2011-07-26 Thread Rob Crittenden

Jan Cholasta wrote:
> This patch contains several small fixes of external CA install.
>
> https://fedorahosted.org/freeipa/ticket/1523

This is a good start at simplifying things but needs a bit more work. 
One thing I was bending over backwards for was to handle whatever 
options were thrown at us. Here is a situation this does not handle very 
gracefully:


# ipa-server-install --external_cert_file=/home/rcrit/cadb/sub/ipa.crt 
--external_ca_file=/home/rcrit/cadb/sub/ca.crt --external-ca

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
CA is not installed yet. To install with an external CA is a two-stage 
process.

First run the installer with --external-ca.

rob
