author | Jan Cholasta <jcholast@redhat.com> | 2017-02-16 11:13:13 +0100 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2017-02-20 13:00:50 +0000 |
commit | 97e838e10da3b42e3605d230e0b8e01b9148876f (patch) | |
tree | 6158e278206a6e66d976a40a49a39624e9f5ea02 | |
parent | ba8a10fbdb39cab672038e1a6dc9c7507070cdf9 (diff) | |
server upgrade: fix upgrade from pre-4.0
update_ca_renewal_master uses ipaCert certmonger tracking information to
decide whether the local server is the CA renewal master or not. The
information is lost when migrating from /etc/httpd/alias to
/var/lib/ipa/radb in update_ra_cert_store.
Make sure update_ra_cert_store is executed after update_ca_renewal_master
so that correct information is used.
https://fedorahosted.org/freeipa/ticket/5959
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
-rw-r--r-- | install/updates/05-pre_upgrade_plugins.update | 1 | ||||
-rw-r--r-- | install/updates/90-post_upgrade_plugins.update | 2 | ||||
-rw-r--r-- | ipaserver/install/plugins/ca_renewal_master.py | 2 |
3 files changed, 3 insertions, 2 deletions
diff --git a/install/updates/05-pre_upgrade_plugins.update b/install/updates/05-pre_upgrade_plugins.update index 19918efc6..d0e3eb7ce 100644 --- a/install/updates/05-pre_upgrade_plugins.update +++ b/install/updates/05-pre_upgrade_plugins.update @@ -8,4 +8,3 @@ plugin: update_referint plugin: update_uniqueness_plugins_to_new_syntax # last -plugin: update_ra_cert_store diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update index 7c672e404..34069e745 100644 --- a/install/updates/90-post_upgrade_plugins.update +++ b/install/updates/90-post_upgrade_plugins.update @@ -15,6 +15,8 @@ plugin: update_idrange_type plugin: update_pacs plugin: update_service_principalalias plugin: update_upload_cacrt +# update_ra_cert_store has to be executed after update_ca_renewal_master +plugin: update_ra_cert_store # last # DNS version 1 diff --git a/ipaserver/install/plugins/ca_renewal_master.py b/ipaserver/install/plugins/ca_renewal_master.py index 4fa4edb12..2447a3406 100644 --- a/ipaserver/install/plugins/ca_renewal_master.py +++ b/ipaserver/install/plugins/ca_renewal_master.py @@ -74,7 +74,7 @@ class update_ca_renewal_master(Updater): return False, [] criteria = { - 'cert-database': paths.IPA_RADB_DIR, + 'cert-database': paths.HTTPD_ALIAS_DIR, 'cert-nickname': 'ipaCert', } request_id = certmonger.get_request_id(criteria) |
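Review bot: The `criteria` lookup in `update_ca_renewal_master` now relies on an ordering guarantee that is written down only in `90-post_upgrade_plugins.update`; nothing at the lookup site says why the pre-migration path `paths.HTTPD_ALIAS_DIR` is used. I would add a comment above the dict such as `# ipaCert tracking is still under HTTPD_ALIAS_DIR here; update_ra_cert_store must run after this plugin`. On a server whose tracking request already lives under `paths.IPA_RADB_DIR`, `certmonger.get_request_id(criteria)` would presumably find no match, and how that result is handled is outside the hunk. It is worth confirming that such a server cannot be wrongly chosen or skipped as renewal master, since that decision governs which host renews the shared certificates. The method body starts and ends outside the hunk.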