Blame SOURCES/0007-Catch-and-log-errors-when-adding-CA-profiles_rhbz#1999142.patch

From a6e708ab4006d6623c37de1692de5362fcdb5dd6 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 30 Aug 2021 16:44:47 -0400
Subject: [PATCH] Catch and log errors when adding CA profiles
Rather than stopping the installer entirely, catch and report
errors adding new certificate profiles, and remove the
broken profile entry from LDAP so it may be re-added later.
It was discovered that installing a newer IPA that has the
ACME profile which requires sanToCNDefault will fail when
installing a new server against a very old one that lacks
this class.
Running ipa-server-upgrade post-install will add the profile
and generate the missing ipa-ca SAN record so that ACME
can work.
https://pagure.io/freeipa/issue/8974
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
 ipaserver/install/cainstance.py | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 9e842b33e..8c8bf1b3a 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1973,8 +1973,17 @@ def import_included_profiles():
 
             # Create the profile, replacing any existing profile of same name
             profile_data = __get_profile_config(profile_id)
-            _create_dogtag_profile(profile_id, profile_data, overwrite=True)
-            logger.debug("Imported profile '%s'", profile_id)
+            try:
+                _create_dogtag_profile(profile_id, profile_data,
+                                       overwrite=True)
+            except errors.HTTPRequestError as e:
+                logger.warning("Failed to import profile '%s': %s. Running "
+                               "ipa-server-upgrade when installation is "
+                               "completed may resolve this issue.",
+                               profile_id, e)
+                conn.delete_entry(entry)
+            else:
+                logger.debug("Imported profile '%s'", profile_id)
         else:
             logger.debug(
                 "Profile '%s' is already in LDAP; skipping", profile_id
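Review bot: In the new except branch, conn.delete_entry(entry) runs unguarded, so an error raised while removing the LDAP entry would still propagate and stop the installer, which is the outcome the commit message sets out to avoid. Consider wrapping the delete in its own try/except and logging a second warning if the cleanup fails, because a leftover entry means later runs take the "Profile '%s' is already in LDAP; skipping" branch and the profile is never re-added. The handler also catches only errors.HTTPRequestError; a short comment above the try naming the case it covers (an older server lacking the class the profile needs) would tell future readers why other exception types are deliberately left to abort. Since the installer now continues with a profile missing, it may be worth collecting the failed profile_id values and reporting them once at the end of the loop, so the condition is not only visible as one warning line in the install log.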
-- 
2.31.1