authorFlorence Blanc-Renaud <flo@redhat.com>2016-11-29 21:15:29 +0100
committerMartin Basti <mbasti@redhat.com>2016-11-30 16:33:54 +0100
commitdbb98765d73519289ee22f3de1a5ccde140f6f5d (patch)
tree30c80785e4ffa2f55216d0a8a304cf55bfe30897
parent503d0929e9265dfc0c6c28ac49146b72a0a7edea (diff)
Check the result of cert request in replica installer
When running ipa-replica-install in domain-level 1, the installer requests the LDAP and HTTP certificates using certmonger but does not check the return code. The installer goes on and fails when restarting dirsrv. Fix: when certmonger was not able to request the certificate, raise an exception and exit from the installer: [28/45]: retrieving DS Certificate [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE) Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Certificate issuance failed (CA_UNREACHABLE) ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information https://fedorahosted.org/freeipa/ticket/6514 Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
-rw-r--r--ipalib/install/certmonger.py3
-rw-r--r--ipaserver/install/certs.py12
2 files changed, 7 insertions, 8 deletions
diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py
index 6f0948af6..3ea900b18 100644
--- a/ipalib/install/certmonger.py
+++ b/ipalib/install/certmonger.py
@@ -312,9 +312,10 @@ def request_and_wait_for_cert(
state = wait_for_request(reqId, timeout=60)
ca_error = get_request_value(reqId, 'ca-error')
if state != 'MONITORING' or ca_error:
- raise RuntimeError("Certificate issuance failed")
+ raise RuntimeError("Certificate issuance failed ({})".format(state))
return reqId
+
def request_cert(
nssdb, nickname, subject, principal, passwd_fname=None,
dns=None, ca='IPA', profile=None, pre_command=None, post_command=None):
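Review bot: The new exception text reports only `state`, but the guard on the line above also fires when `ca_error` is set while the state is 'MONITORING'; in that case the installer would log "Certificate issuance failed (MONITORING)" and hide the actual cause. Including the CA error keeps the failure diagnosable from the install log alone, for example `raise RuntimeError("Certificate issuance failed ({}: {})".format(state, ca_error))`. The value returned by `get_request_value(reqId, 'ca-error')` is not shown here, so confirm it formats sensibly when it is empty. The body of request_and_wait_for_cert starts outside this hunk.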
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index ab2379b1e..45602baa6 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -647,13 +647,11 @@ class CertDB(object):
def request_service_cert(self, nickname, principal, host, pwdconf=False):
if pwdconf:
self.create_password_conf()
- reqid = certmonger.request_cert(nssdb=self.secdir,
- nickname=nickname,
- principal=principal,
- subject=host,
- passwd_fname=self.passwd_fname)
- # Now wait for the cert to appear. Check three times then abort
- certmonger.wait_for_request(reqid, timeout=60)
+ certmonger.request_and_wait_for_cert(nssdb=self.secdir,
+ nickname=nickname,
+ principal=principal,
+ subject=host,
+ passwd_fname=self.passwd_fname)
class _CrossProcessLock(object):
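Review bot: request_service_cert has no docstring, and with this change it can raise RuntimeError and block on the 60-second wait inside request_and_wait_for_cert, a contract callers cannot see from its signature. I would add a docstring such as `"""Request a service certificate through certmonger and wait for it; raises RuntimeError if issuance fails."""`. It is also worth noting there that the password file written by `self.create_password_conf()` is already in place when the exception propagates, so any cleanup is left to the caller. The enclosing class CertDB starts outside this hunk.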