From fb346fab2495a9343ed68131c0ebf071e3e9654f Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Mon, 9 Jul 2018 13:53:44 +0200
Subject: [PATCH] Wait for client certificates
ipa-client-install --request-cert now waits until certmonger has
provided a host certificate. In case of an error, ipa-client-install no
longer pretends to succeed but fails with an error code.
The --request-cert option also ensures that certmonger is enabled and
running.
See: Fixes: https://pagure.io/freeipa/issue/7623
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
---
ipaclient/install/client.py | 25 ++++++++++++++++++-------
1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 5173d90bfeb61acab6032f2972dcc4a0d1344094..0fbe31b762561b3e2ee2f35a666a93de8857bced 100644
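--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -775,6 +775,7 @@ def configure_certmonger(
 cmonger = services.knownservices.certmonger
 try:
 cmonger.enable()
+ cmonger.start()
 except Exception as e:
 logger.error(
 "Failed to configure automatic startup of the %s daemon: %s",
@@ -786,14 +787,24 @@ def configure_certmonger(
 subject = str(DN(('CN', hostname), subject_base))
 passwd_fname = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt')
 try:
- certmonger.request_cert(
+ certmonger.request_and_wait_for_cert(
 certpath=paths.IPA_NSSDB_DIR,
- nickname='Local IPA host', subject=subject, dns=[hostname],
- principal=principal, passwd_fname=passwd_fname)
- except Exception as ex:
- logger.error(
- "%s request for host certificate failed: %s",
- cmonger.service_name, ex)
+ storage='NSSDB',
+ nickname='Local IPA host',
+ subject=subject,
+ dns=[hostname],
+ principal=principal,
+ passwd_fname=passwd_fname,
+ resubmit_timeout=120,
+ )
+ except Exception as e:
+ logger.exception("certmonger request failed")
+ raise ScriptError(
+ "{} request for host certificate failed: {}".format(
+ cmonger.service_name, e
+ ),
+ rval=CLIENT_INSTALL_ERROR
+ )
 
 
 def configure_sssd_conf(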
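Review bot: In the first hunk `cmonger.start()` shares the `try` with `cmonger.enable()`, so a daemon that fails to start is reported through the existing "Failed to configure automatic startup of the %s daemon" message and, as far as the visible lines show, only logged. The install then proceeds to `certmonger.request_and_wait_for_cert(...)` in the second hunk, which presumably fails only after `resubmit_timeout=120` and with a less specific error than the real cause. I would give the start its own handler that aborts immediately, for example `raise ScriptError("Failed to start the {} daemon: {}".format(cmonger.service_name, e), rval=CLIENT_INSTALL_ERROR)`. The remainder of that `except` block lies outside the hunk, so confirm it does not already abort before changing it.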
--
2.17.1