cert-request: raise CertificateOperationError if CA disabled

Detect when cert-request returns HTTP 409, which indicates that the
target CA is disabled - a valid scenario - and raise
CertificateOperationError with a friendly message instead of
HTTPRequestError.

Fixes: https://fedorahosted.org/freeipa/ticket/6260
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

1 files changed, 10 insertions, 2 deletions

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 8da18697f..68fc2bf7c 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -749,8 +749,16 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
                     info=_("Subject alt name type %s is forbidden") % desc)
 
         # Request the certificate
-        result = self.Backend.ra.request_certificate(
-            csr, profile_id, ca_id, request_type=request_type)
+        try:
+            result = self.Backend.ra.request_certificate(
+                csr, profile_id, ca_id, request_type=request_type)
+        except errors.HTTPRequestError as e:
+            if e.status == 409:  # pylint: disable=no-member
+                raise errors.CertificateOperationError(
+                    error=_("CA '%s' is disabled") % ca)
+            else:
+                raise e
+
         if not raw:
             self.obj._parse(result, all)
             result['request_id'] = int(result['request_id'])