authorRob Crittenden <rcritten@redhat.com>2010-08-31 17:21:25 -0400
committerRob Crittenden <rcritten@redhat.com>2010-09-09 16:38:52 -0400
commitf87bd57c1d3a86ade7419ea17ddee65bacda4b7f (patch)
tree89c99bbb28e2c1965a5f58190065a2f45ae87dbf /ipaserver/install/certs.py
parent2e8bae590eae495628ffb709540f7e83eee52ba2 (diff)
Fix certmonger errors when doing a client or server uninstall.
This started with the client uninstaller returning a 1 when not installed. There was no way to tell whether the uninstall failed or the client simply wasn't installed which caused no end of grief with the installer. This led to a lot of certmonger failures too, either trying to stop tracking a non-existent cert or not handling an existing tracked certificate. I moved the certmonger code out of the installer and put it into the client/server shared ipapython lib. It now tries a lot harder and smarter to untrack a certificate. ticket 142
Diffstat (limited to 'ipaserver/install/certs.py')
-rw-r--r--ipaserver/install/certs.py27
1 files changed, 11 insertions, 16 deletions
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 7f246d11c..c8e1d17d5 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -32,10 +32,10 @@ from ipapython import nsslib
from ipapython import dogtag
from ipapython import sysrestore
from ipapython import ipautil
+from ipapython import certmonger
from ipalib import pkcs10
from ConfigParser import RawConfigParser
import service
-import certmonger
from ipalib import x509
from nss.error import NSPRError
@@ -441,21 +441,19 @@ class CertDB(object):
"""
service.chkconfig_on("certmonger")
service.start("certmonger")
- args = ["/usr/bin/ipa-getcert", "start-tracking",
- "-d", self.secdir,
- "-n", nickname]
- if password_file:
- args.append("-p")
- args.append(password_file)
try:
- (stdout, stderr, returncode) = ipautil.run(args)
- except ipautil.CalledProcessError, e:
- logging.error("tracking certificate failed: %s" % str(e))
+ (stdout, stderr, rc) = certmonger.start_tracking(nickname, self.secdir, password_file)
+ except (ipautil.CalledProcessError, RuntimeError), e:
+ logging.error("certmonger failed starting to track certificate: %s" % str(e))
+ return
service.stop("certmonger")
cert = self.get_cert_from_db(nickname)
subject = str(x509.get_subject(cert))
m = re.match('New tracking request "(\d+)" added', stdout)
+ if not m:
+ logging.error('Didn\'t get new certmonger request, got %s' % stdout)
+ raise RuntimeError('certmonger did not issue new tracking request for \'%s\' in \'%s\'. Use \'ipa-getcert list\' to list existing certificates.' % (nickname, self.secdir))
request_id = m.group(1)
certmonger.add_principal(request_id, principal)
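Review bot: The new `return` in the except branch skips `service.stop("certmonger")` two lines below, so a failed start_tracking now leaves the certmonger service running that this method itself started; the old code fell through to the stop. Adding `service.stop("certmonger")` before the `return` (or wrapping the call in try/finally) keeps the service state the same on both paths. The two failure paths in this hunk also disagree: a certmonger error is logged and silently returns None, while a missing "New tracking request" match raises RuntimeError, so callers can only detect one of the two; if the silent return is intentional for the uninstall case the commit describes, a comment such as `# best effort: callers do not need to know that tracking was not set up` would make that explicit. The enclosing method starts before this hunk and continues after it.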
@@ -471,13 +469,10 @@ class CertDB(object):
# Always start certmonger. We can't untrack something if it isn't
# running
service.start("certmonger")
- args = ["/usr/bin/ipa-getcert", "stop-tracking",
- "-d", self.secdir,
- "-n", nickname]
try:
- (stdout, stderr, returncode) = ipautil.run(args)
- except ipautil.CalledProcessError, e:
- logging.error("untracking certificate failed: %s" % str(e))
+ certmonger.stop_tracking(self.secdir, nickname=nickname)
+ except (ipautil.CalledProcessError, RuntimeError), e:
+ logging.error("certmonger failed to stop tracking certificate: %s" % str(e))
service.stop("certmonger")
def create_server_cert(self, nickname, hostname, other_certdb=None, subject=None):
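Review bot: The except branch around `certmonger.stop_tracking` logs and swallows the failure, and nothing in the hunk records that this is deliberate; a reader may later "fix" it into a raise and reintroduce the uninstall failures the commit message describes. A one-line comment above the `try`, `# Best effort: a cert that is not tracked (or already untracked) must not abort the uninstall`, would document that contract. The enclosing method starts before this hunk.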