From de7b4108d7f9e1c4aec09ca6aa3a3ccf16a6c7a1 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Mon, 1 Dec 2008 15:06:20 -0500
Subject: Make sure the CA cert is copied to the replica, fail if no ca.crt is available. Cope with some versions of ipa that forgot to copy the ca.crt cert in the right place.
---
 ipa-server/ipa-install/ipa-replica-prepare | 2 +-
 ipa-server/ipa-upgradeconfig | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/ipa-server/ipa-install/ipa-replica-prepare b/ipa-server/ipa-install/ipa-replica-prepare
index 07a21826e..eb962b4c1 100644
--- a/ipa-server/ipa-install/ipa-replica-prepare
+++ b/ipa-server/ipa-install/ipa-replica-prepare
@@ -155,10 +155,10 @@ def copy_files(realm_name, dir):
 try:
 shutil.copy("/var/kerberos/krb5kdc/ldappwd", dir + "/ldappwd")
 shutil.copy("/var/kerberos/krb5kdc/kpasswd.keytab", dir + "/kpasswd.keytab")
+ shutil.copy("/usr/share/ipa/html/ca.crt", dir + "/ca.crt")
 if ipautil.file_exists("/usr/share/ipa/html/preferences.html"):
 shutil.copy("/usr/share/ipa/html/preferences.html", dir + "/preferences.html")
 shutil.copy("/usr/share/ipa/html/configure.jar", dir + "/configure.jar")
- shutil.copy(config_dir + "/cacert.asc", dir + "/ca.crt")
 except Exception, e:
 print "error copying files: " + str(e)
 sys.exit(1)
diff --git a/ipa-server/ipa-upgradeconfig b/ipa-server/ipa-upgradeconfig
index 9f2c6cb92..48c4117d2 100644
--- a/ipa-server/ipa-upgradeconfig
+++ b/ipa-server/ipa-upgradeconfig
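Review bot: The added `shutil.copy("/usr/share/ipa/html/ca.crt", dir + "/ca.crt")` takes the replica's trust anchor from what appears to be the published html directory rather than the directory server's own `cacert.asc`, and nothing in the hunk checks that the two are the same certificate. If the published copy is stale or has been replaced, the replica bundle would carry a CA other than the one the master's LDAP server presents, so comparing it with `config_dir + "/cacert.asc"` when that file exists (assuming `config_dir` is still defined above the hunk) would be worth doing before the copy. A missing ca.crt is reported only through the generic `error copying files` handler; a hint there to run ipa-upgradeconfig, which this commit teaches to repair the file, would tell the operator what to do. copy_files starts above the hunk.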
@@ -84,6 +84,16 @@ def upgrade(sub_dict, filename, template):
 update_conf(sub_dict, filename, template)
 print "Upgraded %s to version %d" % (filename, new)
+def check_certs(realm_name):
+ """Check ca.crt is in the right place, and try to fix if not"""
+ if not os.path.exists("/usr/share/ipa/html/ca.crt"):
+ ca_file = "/etc/dirsrv/slapd-" + ("-".join(realm_name.split("."))) + "/cacert.asc"
+ if os.path.exists(ca_file):
+ shutil.copyfile(ca_file, "/usr/share/ipa/html/ca.crt")
+ else:
+ print "Missing Certification Authority file."
+ print "You should place a copy of the CA certificate in /usr/share/ipa/html/ca.crt"
+
 def main():
 try:
 krbctx = krbV.default_context()
@@ -91,6 +101,11 @@ def main():
 print "Unable to get default kerberos realm: %s" % e[1]
 sys.exit(1)
+ try:
+ check_certs(krbctx.default_realm)
+ except Error, e:
+ print "Failed to check CA certificate: %s" % e
+
 try:
 fqdn = find_hostname()
 except IOError:
-- cgit
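Review bot: The `else:` branch of check_certs only prints and then returns normally, so ipa-upgradeconfig finishes as if nothing were wrong while ipa-replica-prepare, changed in the same commit, now aborts without that file. Returning a status the caller can act on, or at least writing the two messages to stderr with `sys.stderr.write(...)`, would keep the warning from being lost in the upgrade output. The docstring could also say that the function returns nothing and that the fallback source is the slapd instance directory derived from the realm name; `realm_name.replace(".", "-")` would state that mapping more directly than the split/join. Whether `shutil` is imported in this file is not visible from the hunk.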
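Review bot: `except Error, e:` in main() names `Error`, which nothing visible in this patch defines; unless the file binds it elsewhere, a failure inside check_certs would surface as a NameError rather than the intended message. Even if it is bound to `shutil.Error`, it would not catch the IOError that `shutil.copyfile` raises for an unreadable source or an unwritable destination. `except EnvironmentError, e:` covers both cases in Python 2. main() starts above the hunk and continues below it.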