From 3c1ac4d5c9c36c2b99ac2b1d9d86e46b563b4361 Mon Sep 17 00:00:00 2001

From: Fraser Tweedale <ftweedal@redhat.com>

Date: Mon, 27 May 2019 10:00:28 +1000

Subject: [PATCH] ipa-cert-fix: handle 'pki-server cert-fix' failure

When DS cert is expired, 'pki-server cert-fix' will fail at the

final step (restart).  When this case arises, ignore the

CalledProcessError and continue.

We can't know for sure if the error was due to failure of final

restart, or something going wrong earlier.  But if it was a more

serious failure, the next step (installing the renewed IPA-specific

certificates) will fail.

Part of: https://pagure.io/freeipa/issue/7885

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

---

 ipaserver/install/ipa_cert_fix.py | 12 +++++++++++-

 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py

index c8ee51faea9092350c8a182ba55387ddd7b196d8..5d5668b1d89115adcda167222ffc38a0caa690a2 100644

--- a/ipaserver/install/ipa_cert_fix.py

+++ b/ipaserver/install/ipa_cert_fix.py

@@ -113,7 +113,17 @@ class IPACertFix(AdminTool):

             return 0

         print("Proceeding.")

-        run_cert_fix(certs, extra_certs)

+        try:

+            run_cert_fix(certs, extra_certs)

+        except ipautil.CalledProcessError:

+            if any(x[0] is IPACertType.LDAPS for x in extra_certs):

+                # The DS cert was expired.  This will cause

+                # 'pki-server cert-fix' to fail at the final

+                # restart.  Therefore ignore the CalledProcessError

+                # and proceed to installing the IPA-specific certs.

+                pass

+            else:

+                raise  # otherwise re-raise

         replicate_dogtag_certs(subject_base, ca_subject_dn, certs)

         install_ipa_certs(subject_base, ca_subject_dn, extra_certs)

-- 

2.20.1