From ba42557e2acb526587b07956e75a2a1394882771 Mon Sep 17 00:00:00 2001

From: Jan Cholasta <jcholast@redhat.com>

Date: Tue, 28 Feb 2017 10:55:54 +0000

Subject: [PATCH] server upgrade: always fix certmonger tracking request

Fix certmonger tracking requests on every run of ipa-server-upgrade rather

than only when the tracking configuration has changed and the requests have

not yet been updated.

This allows fixing broken tracking requests just by re-running

ipa-server-upgrade.

https://pagure.io/freeipa/issue/5799

Reviewed-By: David Kupka <dkupka@redhat.com>

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>

---

 ipaserver/install/server/upgrade.py | 28 +++++++---------------------

 1 file changed, 7 insertions(+), 21 deletions(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py

index 7b0476d442902f2c3dc65819d54953e820f5e560..855056dc1fa20e813d82ecc5090a14cfc4f91831 100644

--- a/ipaserver/install/server/upgrade.py

+++ b/ipaserver/install/server/upgrade.py

@@ -905,8 +905,6 @@ def certificate_renewal_update(ca, ds, http):

     template = paths.CERTMONGER_COMMAND_TEMPLATE

     serverid = installutils.realm_to_serverid(api.env.realm)

-    # bump version when requests is changed

-    version = 6

     requests = [

         {

             'cert-database': paths.PKI_TOMCAT_ALIAS_DIR,

@@ -971,25 +969,17 @@ def certificate_renewal_update(ca, ds, http):

         }

     ]

-    root_logger.info("[Update certmonger certificate renewal configuration to "

-                     "version %d]" % version)

+    root_logger.info("[Update certmonger certificate renewal configuration]")

     if not ca.is_configured():

         root_logger.info('CA is not configured')

         return False

-    state = 'certificate_renewal_update_%d' % version

-    if sysupgrade.get_upgrade_state('dogtag', state):

-        return False

-

     # State not set, lets see if we are already configured

     for request in requests:

         request_id = certmonger.get_request_id(request)

         if request_id is None:

             break

     else:

-        sysupgrade.set_upgrade_state('dogtag', state, True)

-        root_logger.info("Certmonger certificate renewal configuration is "

-                         "already at version %d" % version)

         return False

     # Ok, now we need to stop tracking, then we can start tracking them

@@ -998,13 +988,11 @@ def certificate_renewal_update(ca, ds, http):

     ds.stop_tracking_certificates(serverid)

     http.stop_tracking_certificates()

-    if not sysupgrade.get_upgrade_state('dogtag',

-                                        'certificate_renewal_update_1'):

-        filename = paths.CERTMONGER_CAS_CA_RENEWAL

-        if os.path.exists(filename):

-            with installutils.stopped_service('certmonger'):

-                root_logger.info("Removing %s" % filename)

-                installutils.remove_file(filename)

+    filename = paths.CERTMONGER_CAS_CA_RENEWAL

+    if os.path.exists(filename):

+        with installutils.stopped_service('certmonger'):

+            root_logger.info("Removing %s" % filename)

+            installutils.remove_file(filename)

     ca.configure_certmonger_renewal()

     ca.configure_renewal()

@@ -1013,9 +1001,7 @@ def certificate_renewal_update(ca, ds, http):

     ds.start_tracking_certificates(serverid)

     http.start_tracking_certificates()

-    sysupgrade.set_upgrade_state('dogtag', state, True)

-    root_logger.info("Certmonger certificate renewal configuration updated to "

-                     "version %d" % version)

+    root_logger.info("Certmonger certificate renewal configuration updated")

     return True

 def copy_crl_file(old_path, new_path=None):

-- 

2.9.3