|
 |
b39a24 |
From a6e708ab4006d6623c37de1692de5362fcdb5dd6 Mon Sep 17 00:00:00 2001
|
|
|
b39a24 |
From: Rob Crittenden <rcritten@redhat.com>
|
|
|
b39a24 |
Date: Mon, 30 Aug 2021 16:44:47 -0400
|
|
|
b39a24 |
Subject: [PATCH] Catch and log errors when adding CA profiles
|
|
|
b39a24 |
|
|
|
b39a24 |
Rather than stopping the installer entirely, catch and report
|
|
|
b39a24 |
errors adding new certificate profiles, and remove the
|
|
|
b39a24 |
broken profile entry from LDAP so it may be re-added later.
|
|
|
b39a24 |
|
|
|
b39a24 |
It was discovered that installing a newer IPA that has the
|
|
|
b39a24 |
ACME profile which requires sanToCNDefault will fail when
|
|
|
b39a24 |
installing a new server against a very old one that lacks
|
|
|
b39a24 |
this class.
|
|
|
b39a24 |
|
|
|
b39a24 |
Running ipa-server-upgrade post-install will add the profile
|
|
|
b39a24 |
and generate the missing ipa-ca SAN record so that ACME
|
|
|
b39a24 |
can work.
|
|
|
b39a24 |
|
|
|
b39a24 |
https://pagure.io/freeipa/issue/8974
|
|
|
b39a24 |
|
|
|
b39a24 |
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
|
|
b39a24 |
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
|
b39a24 |
---
|
|
|
b39a24 |
ipaserver/install/cainstance.py | 13 +++++++++++--
|
|
|
b39a24 |
1 file changed, 11 insertions(+), 2 deletions(-)
|
|
|
b39a24 |
|
|
|
b39a24 |
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
|
|
|
b39a24 |
index 9e842b33e..8c8bf1b3a 100644
|
|
|
b39a24 |
--- a/ipaserver/install/cainstance.py
|
|
|
b39a24 |
+++ b/ipaserver/install/cainstance.py
|
|
|
b39a24 |
@@ -1973,8 +1973,17 @@ def import_included_profiles():
|
|
|
b39a24 |
|
|
|
b39a24 |
# Create the profile, replacing any existing profile of same name
|
|
|
b39a24 |
profile_data = __get_profile_config(profile_id)
|
|
|
b39a24 |
- _create_dogtag_profile(profile_id, profile_data, overwrite=True)
|
|
|
b39a24 |
- logger.debug("Imported profile '%s'", profile_id)
|
|
|
b39a24 |
+ try:
|
|
|
b39a24 |
+ _create_dogtag_profile(profile_id, profile_data,
|
|
|
b39a24 |
+ overwrite=True)
|
|
|
b39a24 |
+ except errors.HTTPRequestError as e:
|
|
|
b39a24 |
+ logger.warning("Failed to import profile '%s': %s. Running "
|
|
|
b39a24 |
+ "ipa-server-upgrade when installation is "
|
|
|
b39a24 |
+ "completed may resolve this issue.",
|
|
|
b39a24 |
+ profile_id, e)
|
|
|
b39a24 |
+ conn.delete_entry(entry)
|
|
|
b39a24 |
+ else:
|
|
|
b39a24 |
+ logger.debug("Imported profile '%s'", profile_id)
|
|
|
b39a24 |
else:
|
|
|
b39a24 |
logger.debug(
|
|
|
b39a24 |
"Profile '%s' is already in LDAP; skipping", profile_id
|
|
|
b39a24 |
--
|
|
|
b39a24 |
2.31.1
|
|
|
b39a24 |
|