author | Florence Blanc-Renaud <flo@redhat.com> | 2016-11-09 15:14:27 +0100 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2016-11-25 09:26:22 +0100 |
commit | 044d887e81d433b43c33b076a21fd1054796786e (patch) | |
tree | fd3ab4eb1e8003e006ed75eb0ef80e383cc3aa0f /ipaserver/install | |
parent | e617f895e70e6812836870f504af6e22a5dc7def (diff) | |
Fix ipa-replica-install when upgrade from ca-less to ca-full
When ipa-replica-prepare is run on a master upgraded from CA-less to
CA-full, it creates the replica file with a copy of the local /etc/ipa/ca.crt.
This causes issues if this file hasn't been updated with ipa-certupdate,
as it contains the external CA that signed http/ldap certs, but not
the newly installed IPA CA.
As a consequence, ipa-replica-install fails with "Could not find a CA cert".
The fix consists of retrieving the CA certificates from LDAP instead of
the local /etc/ipa/ca.crt.
https://fedorahosted.org/freeipa/ticket/6375
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Diffstat (limited to 'ipaserver/install')
-rw-r--r-- | ipaserver/install/ipa_replica_prepare.py | 9 | ||||
-rw-r--r-- | ipaserver/install/server/replicainstall.py | 8 |
2 files changed, 12 insertions, 5 deletions
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index 227d296eb..dd75eb116 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -34,6 +34,7 @@ from six.moves.configparser import SafeConfigParser
from ipaserver.install import certs, installutils, bindinstance, dsinstance
from ipaserver.install.replication import enable_replication_version_checking
+from ipaserver.install.server.replicainstall import install_ca_cert
from ipaserver.install.bindinstance import (
add_zone, add_fwd_rr, add_ptr_rr, dns_container_exists)
from ipapython import ipautil, admintool
@@ -356,6 +357,7 @@ class ReplicaPrepare(admintool.AdminTool):
if options.setup_pkinit:
self.copy_pkinit_certificate()
+ self.retrieve_ca_certs()
self.copy_misc_files()
self.save_config()
@@ -443,12 +445,17 @@ class ReplicaPrepare(admintool.AdminTool):
def copy_misc_files(self):
self.log.info("Copying additional files")
- self.copy_info_file(CACERT, "ca.crt")
cacert_filename = paths.CACERT_PEM
if ipautil.file_exists(cacert_filename):
self.copy_info_file(cacert_filename, "cacert.pem")
self.copy_info_file(paths.IPA_DEFAULT_CONF, "default.conf")
+ def retrieve_ca_certs(self):
+ self.log.info("Retrieving CA certificates")
+ dest = os.path.join(self.dir, "ca.crt")
+ install_ca_cert(api.Backend.ldap2, api.env.basedn,
+ api.env.realm, paths.IPA_CA_CRT, destfile=dest)
+
def save_config(self):
self.log.info("Finalizing configuration")
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 1889bb084..f3aa482dd 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
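Review bot: `retrieve_ca_certs` has no docstring, and nothing records that when the LDAP certificate store is absent `install_ca_cert` falls back to copying the local `paths.IPA_CA_CRT` into the replica file — the very stale-bundle situation the commit message describes — so that branch should be spelled out for whoever debugs the next "Could not find a CA cert". I would add: `"""Write the CA certificates from the LDAP certificate store to <dir>/ca.crt for the replica file; if the store does not exist, install_ca_cert() copies the local paths.IPA_CA_CRT instead, which may be stale on a master upgraded from CA-less."""`. Separately, the helper is imported from ipaserver.install.server.replicainstall (first hunk), so ipa-replica-prepare now depends on the replica installer module for a single function; moving install_ca_cert into a shared module such as certs would keep the layering cleaner, though I cannot see from here what replicainstall pulls in at import time.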
@@ -127,22 +127,22 @@ def install_krb(config, setup_pkinit=False, promote=False):
return krb
-def install_ca_cert(ldap, base_dn, realm, cafile):
+def install_ca_cert(ldap, base_dn, realm, cafile, destfile=paths.IPA_CA_CRT):
try:
try:
certs = certstore.get_ca_certs(ldap, base_dn, realm, False)
except errors.NotFound:
try:
- shutil.copy(cafile, paths.IPA_CA_CRT)
+ shutil.copy(cafile, destfile)
except shutil.Error:
# cafile == IPA_CA_CRT
pass
else:
certs = [c[0] for c in certs if c[2] is not False]
- x509.write_certificate_list(certs, paths.IPA_CA_CRT)
+ x509.write_certificate_list(certs, destfile)
except Exception as e:
raise ScriptError("error copying files: " + str(e))
- return paths.IPA_CA_CRT
+ return destfile
def install_http(config, auto_redirect, ca_is_configured, ca_file, |
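Review bot: The comment `# cafile == IPA_CA_CRT` inside the `except shutil.Error` branch is now stale: the copy target is the new `destfile` parameter, so the swallowed error means the source and destination are the same path, and it should read `# cafile == destfile, nothing to copy`. The function also still has no docstring; I would add one stating that it writes the trusted CA certificates from the LDAP certificate store (entries whose `c[2] is not False`) to destfile, falls back to copying cafile when the store is not found, wraps any failure in ScriptError and returns destfile, with a sentence that the default `paths.IPA_CA_CRT` keeps existing callers unchanged. The `except Exception` wrapper also covers the LDAP lookup, so `error copying files` is misleading when get_ca_certs is what failed; `"error retrieving CA certificates: "` would fit both paths.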