diff options
| -rwxr-xr-x | install/tools/ipa-server-install | 10 | ||||
| -rw-r--r-- | ipapython/certmonger.py | 36 |
2 files changed, 45 insertions, 1 deletions
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 6d1e6998c..70e5153d7 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -52,6 +52,7 @@ from ipaserver.install import sysupgrade from ipaserver.install import service, installutils from ipapython import version +from ipapython import certmonger from ipaserver.install.installutils import * from ipaserver.plugins.ldap2 import ldap2 @@ -527,7 +528,14 @@ def uninstall(): rv = 1 if has_state: - root_logger.warning('Some installation state has not been restored.\nThis will cause re-installation to fail.\nIt should be safe to remove /var/lib/ipa/sysrestore.state but it may\nmean your system hasn\'t be restored to its pre-installation state.') + root_logger.error('Some installation state has not been restored.\nThis may cause re-installation to fail.\nIt should be safe to remove /var/lib/ipa/sysrestore.state but it may\nmean your system hasn\'t be restored to its pre-installation state.') + + # Note that this name will be wrong after the first uninstall. + dirname = dsinstance.config_dirname(dsinstance.realm_to_serverid(api.env.realm)) + dirs = [dirname, dogtag.configured_constants().ALIAS_DIR, certs.NSS_DIR] + ids = certmonger.check_state(dirs) + if ids: + root_logger.error('Some certificates may still be tracked by certmonger.\nThis will cause re-installation to fail.\nStart the certmonger service and list the certificates being tracked\n # getcert list\nThese may be untracked by executing\n # getcert stop-tracking -i <request_id>\nfor each id in: %s' % ', '.join(ids)) return rv diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py index 9cc4466c6..22678dadb 100644 --- a/ipapython/certmonger.py +++ b/ipapython/certmonger.py @@ -114,6 +114,27 @@ def get_request_id(criteria): return reqid +def get_requests_for_dir(dir): + """ + Return a list containing the request ids for a given NSS database + directory. + """ + reqid=[] + fileList=os.listdir(REQUEST_DIR) + for file in fileList: + rv = find_request_value(os.path.join(REQUEST_DIR, file), + 'cert_storage_location') + if rv is None: + continue + rv = os.path.abspath(rv).rstrip() + if rv != dir: + continue + id = find_request_value(os.path.join(REQUEST_DIR, file), 'id') + if id is not None: + reqid.append(id.rstrip()) + + return reqid + def add_request_value(request_id, directive, value): """ Add a new directive to a certmonger request file. @@ -393,6 +414,21 @@ def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, command): (stdout, stderr, returncode) = ipautil.run(args, nolog=[pin]) +def check_state(dirs): + """ + Given a set of directories and nicknames verify that we are no longer + tracking certificates. + + dirs is a list of directories to test for. We will return a tuple + of nicknames for any tracked certificates found. + + This can only check for NSS-based certificates. + """ + reqids = [] + for dir in dirs: + reqids.extend(get_requests_for_dir(dir)) + + return reqids if __name__ == '__main__': request_id = request_cert("/etc/httpd/alias", "Test", "cn=tiger.example.com,O=IPA", "HTTP/tiger.example.com@EXAMPLE.COM") |