Blame SOURCES/0007-Catch-and-log-errors-when-adding-CA-profiles_rhbz#1999142.patch

From a6e708ab4006d6623c37de1692de5362fcdb5dd6 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 30 Aug 2021 16:44:47 -0400
Subject: [PATCH] Catch and log errors when adding CA profiles
Rather than stopping the installer entirely, catch and report
errors adding new certificate profiles, and remove the
broken profile entry from LDAP so it may be re-added later.
It was discovered that installing a newer IPA that has the
ACME profile which requires sanToCNDefault will fail when
installing a new server against a very old one that lacks
this class.
Running ipa-server-upgrade post-install will add the profile
and generate the missing ipa-ca SAN record so that ACME
can work.
https://pagure.io/freeipa/issue/8974
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
 ipaserver/install/cainstance.py | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
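--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1973,8 +1973,17 @@ def import_included_profiles():
 
             # Create the profile, replacing any existing profile of same name
             profile_data = __get_profile_config(profile_id)
-            _create_dogtag_profile(profile_id, profile_data, overwrite=True)
-            logger.debug("Imported profile '%s'", profile_id)
+            try:
+                _create_dogtag_profile(profile_id, profile_data,
+                                       overwrite=True)
+            except errors.HTTPRequestError as e:
+                logger.warning("Failed to import profile '%s': %s. Running "
+                               "ipa-server-upgrade when installation is "
+                               "completed may resolve this issue.",
+                               profile_id, e)
+                conn.delete_entry(entry)
+            else:
+                logger.debug("Imported profile '%s'", profile_id)
         else:
             logger.debug(
                 "Profile '%s' is already in LDAP; skipping", profile_id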
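Review bot: `conn.delete_entry(entry)` in the new `except` branch is unguarded, so an LDAP failure during cleanup still aborts the installer and replaces the original HTTP error with a second exception, which is the outcome this change sets out to avoid. Only `errors.HTTPRequestError` is handled; any other exception type raised by `_create_dogtag_profile` (its body is not visible here) would still stop the install and leave the LDAP entry behind, and a later run would then presumably take the "already in LDAP; skipping" branch and never re-import the profile. Because the CA comes up without one of its certificate profiles, the outcome deserves more than a single warning line: a comment stating that the entry is deleted so that `ipa-server-upgrade` can re-add it, and an error-level log if the delete itself fails. The sketch below assumes `errors` is `ipalib.errors`; `conn` and `entry` are defined outside the hunk, and the function body starts and ends outside it.

```python
            except errors.HTTPRequestError as e:
                # … unchanged: logger.warning call …
                # Drop the LDAP entry so ipa-server-upgrade can re-add the
                # profile; a stale entry would make later runs skip it.
                try:
                    conn.delete_entry(entry)
                except errors.PublicError as del_err:
                    logger.error("Could not remove LDAP entry for profile "
                                 "'%s': %s", profile_id, del_err)
```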
-- 
2.31.1