author | Florence Blanc-Renaud <flo@redhat.com> | 2017-08-28 10:50:58 +0200 |
---|---|---|
committer | Stanislav Laznicka <slaznick@redhat.com> | 2017-08-30 12:47:53 +0200 |
commit | 69bda6b440d6b84f042ff74b9ce708d963616eda (patch) | |
tree | 64273f98ec9faa81fde59a42ed17bb78d5bc477b /ipalib | |
parent | 1b78f79283e633abc5dd901ca4db99cea36aca1a (diff) | |
Fix ipa-server-upgrade: This entry already exists
ipa-server-upgrade fails when running the ipaload_cacrt plugin. The plugin
finds all CA certificates in /etc/httpd/alias and uploads them in LDAP
below cn=certificates,cn=ipa,cn=etc,$BASEDN.
The issue happens because there is already an entry in LDAP for IPA CA, but
with a different DN. The nickname in /etc/httpd/alias can differ from
$DOMAIN IPA CA.
To avoid the issue:
1/ during upgrade, run a new plugin that removes duplicates and restarts ldap
(to make sure that uniqueness attr plugin is working after the new plugin)
2/ modify the upload_cacert plugin so that it uses $DOMAIN IPA CA instead of
cn=$nickname,cn=ipa,cn=etc,$BASEDN when uploading the IPA CA.
https://pagure.io/freeipa/issue/7125
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Diffstat (limited to 'ipalib')
-rw-r--r-- | ipalib/install/certstore.py | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/ipalib/install/certstore.py b/ipalib/install/certstore.py
index 481918b99..8b182958c 100644
--- a/ipalib/install/certstore.py
+++ b/ipalib/install/certstore.py
@@ -27,6 +27,7 @@ from pyasn1.error import PyAsn1Error
 from ipapython.dn import DN
 from ipapython.certdb import get_ca_nickname, TrustFlags
 from ipalib import errors, x509
+from ipalib.constants import IPA_CA_CN
 
 
 def _parse_cert(cert):
@@ -385,3 +386,21 @@ def get_ca_certs_nss(ldap, base_dn, compat_realm, compat_ipa_ca,
         nss_certs.append((cert, nickname, trust_flags))
 
     return nss_certs
+
+
+def get_ca_subject(ldap, container_ca, base_dn):
+    """
+    Look for the IPA CA certificate subject.
+    """
+    dn = DN(('cn', IPA_CA_CN), container_ca, base_dn)
+    try:
+        cacert_subject = ldap.get_entry(dn)['ipacasubjectdn'][0]
+    except errors.NotFound:
+        # if the entry doesn't exist, we are dealing with a pre-v4.4
+        # installation, where the default CA subject was always based
+        # on the subject_base.
+        attrs = ldap.get_ipa_config()
+        subject_base = attrs.get('ipacertificatesubjectbase')[0]
+        cacert_subject = DN(('CN', 'Certificate Authority'), subject_base)
+
+    return cacert_subject
|
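Review bot: get_ca_subject in the second hunk only recovers from errors.NotFound; an existing cn=IPA_CA_CN entry that lacks ipacasubjectdn raises KeyError from the `[0]` index, and an IPA config entry without ipacertificatesubjectbase makes `attrs.get(...)` return None so the following `[0]` raises TypeError instead of a descriptive error. Each lookup should check for the missing attribute and raise a meaningful error, since the value is used to identify the CA certificate being uploaded. The two branches also appear to return different types, the decoded attribute value in the first and a DN object in the fallback, which callers may not expect, so the docstring should document the parameters and state that the return value is the CA subject DN (confirm the attribute's decoded type against ipaldap). Fetching only the needed attribute, `ldap.get_entry(dn, ['ipacasubjectdn'])`, would avoid reading the whole entry.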