From 1aa3f7a7fd24c651aafde150351328148fd517be Mon Sep 17 00:00:00 2001

From: Rob Crittenden <rcritten@redhat.com>

Date: Thu, 6 May 2021 14:10:44 -0400

Subject: [PATCH] Only attempt to upgrade ACME configuration files if deployed

This can happen on upgrades from older deployments that lack

an ACME installation and don't meet the minimum requirements

to deploy one automatically.

Also don't consider missing ACME schema a total failure, just

log and skip it.

https://pagure.io/freeipa/issue/8832

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

---

 ipaserver/install/server/upgrade.py | 13 ++++++++++++-

 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py

index e60524084..75bf26b8e 100644

--- a/ipaserver/install/server/upgrade.py

+++ b/ipaserver/install/server/upgrade.py

@@ -1122,7 +1122,8 @@ def ca_upgrade_schema(ca):

             acme_schema_ldif = path

             break

     else:

-        raise RuntimeError('ACME schema file not found')

+        logger.info('ACME schema is not available')

+        return False

     schema_files=[

         '/usr/share/pki/server/conf/schema-certProfile.ldif',

@@ -1530,6 +1531,16 @@ def ca_update_acme_configuration(ca, fqdn):

     """

     Re-apply the templates in case anyting has been updated.

     """

+    logger.info('[Updating ACME configuration]')

+    if not os.path.isdir(os.path.join(paths.PKI_TOMCAT, 'acme')):

+        logger.info('ACME is not deployed, skipping')

+        return

+

+    if not os.path.exists(paths.PKI_ACME_ISSUER_CONF):

+        logger.info('ACME configuration file %s is missing',

+                    paths.PKI_ACME_ISSUER_CONF)

+        return

+

     password = directivesetter.get_directive(

         paths.PKI_ACME_ISSUER_CONF,

         'password',

-- 

2.31.1