|
 |
ac7d03 |
From c3ee037c2dd92ccb277523919e991471c9caa3c6 Mon Sep 17 00:00:00 2001
|
|
|
ac7d03 |
From: Stanislav Laznicka <slaznick@redhat.com>
|
|
|
ac7d03 |
Date: Tue, 11 Apr 2017 10:21:15 +0200
|
|
|
ac7d03 |
Subject: [PATCH] Fix CA-less to CA-full upgrade
|
|
|
ac7d03 |
|
|
|
ac7d03 |
CertDB would have always created a directory on initialization. This
|
|
|
ac7d03 |
behavior changes here by replacing the truncate argument with create
|
|
|
ac7d03 |
which will only create the database when really required.
|
|
|
ac7d03 |
|
|
|
ac7d03 |
https://pagure.io/freeipa/issue/6853
|
|
|
ac7d03 |
|
|
|
ac7d03 |
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
|
|
|
ac7d03 |
---
|
|
|
ac7d03 |
ipaserver/install/ca.py | 2 ++
|
|
|
ac7d03 |
ipaserver/install/certs.py | 38 ++++++++++++++++++++++++++++----------
|
|
|
ac7d03 |
ipaserver/install/httpinstance.py | 2 +-
|
|
|
ac7d03 |
3 files changed, 31 insertions(+), 11 deletions(-)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
|
|
|
ac7d03 |
index db3b744a51b0ae2ba12f79c155a1bb0698d94bec..8ee0fda23411563c70b7db5f39f43c2869c108b5 100644
|
|
|
ac7d03 |
--- a/ipaserver/install/ca.py
|
|
|
ac7d03 |
+++ b/ipaserver/install/ca.py
|
|
|
ac7d03 |
@@ -183,6 +183,8 @@ def install_check(standalone, replica_config, options):
|
|
|
ac7d03 |
realm_name, nssdir=dirname, subject_base=options._subject_base)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
for db in (cadb, dsdb):
|
|
|
ac7d03 |
+ if not db.exists():
|
|
|
ac7d03 |
+ continue
|
|
|
ac7d03 |
for nickname, _trust_flags in db.list_certs():
|
|
|
ac7d03 |
if nickname == certdb.get_ca_nickname(realm_name):
|
|
|
ac7d03 |
raise ScriptError(
|
|
|
ac7d03 |
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
|
|
|
ac7d03 |
index 16139f81f0d0bd6889a9f38948204bb5bc018028..89e57134f24c505d669057eefffb7862b3b8179a 100644
|
|
|
ac7d03 |
--- a/ipaserver/install/certs.py
|
|
|
ac7d03 |
+++ b/ipaserver/install/certs.py
|
|
|
ac7d03 |
@@ -99,7 +99,7 @@ class CertDB(object):
|
|
|
ac7d03 |
# TODO: Remove all selfsign code
|
|
|
ac7d03 |
def __init__(self, realm, nssdir, fstore=None,
|
|
|
ac7d03 |
host_name=None, subject_base=None, ca_subject=None,
|
|
|
ac7d03 |
- user=None, group=None, mode=None, truncate=False):
|
|
|
ac7d03 |
+ user=None, group=None, mode=None, create=False):
|
|
|
ac7d03 |
self.nssdb = NSSDatabase(nssdir)
|
|
|
ac7d03 |
|
|
|
ac7d03 |
self.secdir = nssdir
|
|
|
ac7d03 |
@@ -132,15 +132,16 @@ class CertDB(object):
|
|
|
ac7d03 |
self.uid = 0
|
|
|
ac7d03 |
self.gid = 0
|
|
|
ac7d03 |
|
|
|
ac7d03 |
- if not truncate and os.path.exists(self.secdir):
|
|
|
ac7d03 |
- # We are going to set the owner of all of the cert
|
|
|
ac7d03 |
- # files to the owner of the containing directory
|
|
|
ac7d03 |
- # instead of that of the process. This works when
|
|
|
ac7d03 |
- # this is called by root for a daemon that runs as
|
|
|
ac7d03 |
- # a normal user
|
|
|
ac7d03 |
- mode = os.stat(self.secdir)
|
|
|
ac7d03 |
- self.uid = mode[stat.ST_UID]
|
|
|
ac7d03 |
- self.gid = mode[stat.ST_GID]
|
|
|
ac7d03 |
+ if not create:
|
|
|
ac7d03 |
+ if os.path.isdir(self.secdir):
|
|
|
ac7d03 |
+ # We are going to set the owner of all of the cert
|
|
|
ac7d03 |
+ # files to the owner of the containing directory
|
|
|
ac7d03 |
+ # instead of that of the process. This works when
|
|
|
ac7d03 |
+ # this is called by root for a daemon that runs as
|
|
|
ac7d03 |
+ # a normal user
|
|
|
ac7d03 |
+ mode = os.stat(self.secdir)
|
|
|
ac7d03 |
+ self.uid = mode[stat.ST_UID]
|
|
|
ac7d03 |
+ self.gid = mode[stat.ST_GID]
|
|
|
ac7d03 |
else:
|
|
|
ac7d03 |
if user is not None:
|
|
|
ac7d03 |
pu = pwd.getpwnam(user)
|
|
|
ac7d03 |
@@ -162,6 +163,23 @@ class CertDB(object):
|
|
|
ac7d03 |
def passwd_fname(self):
|
|
|
ac7d03 |
return self.nssdb.pwd_file
|
|
|
ac7d03 |
|
|
|
ac7d03 |
+ def exists(self):
|
|
|
ac7d03 |
+ """
|
|
|
ac7d03 |
+ Checks whether all NSS database files + our pwd_file exist
|
|
|
ac7d03 |
+ """
|
|
|
ac7d03 |
+ db_files = (
|
|
|
ac7d03 |
+ self.secdir,
|
|
|
ac7d03 |
+ self.certdb_fname,
|
|
|
ac7d03 |
+ self.keydb_fname,
|
|
|
ac7d03 |
+ self.secmod_fname,
|
|
|
ac7d03 |
+ self.nssdb.pwd_file,
|
|
|
ac7d03 |
+ )
|
|
|
ac7d03 |
+
|
|
|
ac7d03 |
+ for f in db_files:
|
|
|
ac7d03 |
+ if not os.path.exists(f):
|
|
|
ac7d03 |
+ return False
|
|
|
ac7d03 |
+ return True
|
|
|
ac7d03 |
+
|
|
|
ac7d03 |
def __del__(self):
|
|
|
ac7d03 |
if self.reqdir is not None:
|
|
|
ac7d03 |
shutil.rmtree(self.reqdir, ignore_errors=True)
|
|
|
ac7d03 |
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
|
|
|
ac7d03 |
index 8e444be2d23ec5e7890d221508bc866de2854c89..aeb5c5e450813469e1b6cd374b30cd4aab338537 100644
|
|
|
ac7d03 |
--- a/ipaserver/install/httpinstance.py
|
|
|
ac7d03 |
+++ b/ipaserver/install/httpinstance.py
|
|
|
ac7d03 |
@@ -366,7 +366,7 @@ class HTTPInstance(service.Service):
|
|
|
ac7d03 |
db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR,
|
|
|
ac7d03 |
subject_base=self.subject_base, user="root",
|
|
|
ac7d03 |
group=constants.HTTPD_GROUP,
|
|
|
ac7d03 |
- truncate=True)
|
|
|
ac7d03 |
+ create=True)
|
|
|
ac7d03 |
self.disable_system_trust()
|
|
|
ac7d03 |
self.create_password_conf()
|
|
|
ac7d03 |
if self.pkcs12_info:
|
|
|
ac7d03 |
--
|
|
|
ac7d03 |
2.12.2
|
|
|
ac7d03 |
|