From c3ee037c2dd92ccb277523919e991471c9caa3c6 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slaznick@redhat.com>
Date: Tue, 11 Apr 2017 10:21:15 +0200
Subject: [PATCH] Fix CA-less to CA-full upgrade
CertDB would have always created a directory on initialization. This
behavior changes here by replacing the truncate argument with create
which will only create the database when really required.
https://pagure.io/freeipa/issue/6853
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
---
ipaserver/install/ca.py | 2 ++
ipaserver/install/certs.py | 38 ++++++++++++++++++++++++++++----------
ipaserver/install/httpinstance.py | 2 +-
3 files changed, 31 insertions(+), 11 deletions(-)
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index db3b744a51b0ae2ba12f79c155a1bb0698d94bec..8ee0fda23411563c70b7db5f39f43c2869c108b5 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -183,6 +183,8 @@ def install_check(standalone, replica_config, options):
realm_name, nssdir=dirname, subject_base=options._subject_base)
for db in (cadb, dsdb):
+ if not db.exists():
+ continue
for nickname, _trust_flags in db.list_certs():
if nickname == certdb.get_ca_nickname(realm_name):
raise ScriptError(
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 16139f81f0d0bd6889a9f38948204bb5bc018028..89e57134f24c505d669057eefffb7862b3b8179a 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -99,7 +99,7 @@ class CertDB(object):
# TODO: Remove all selfsign code
def __init__(self, realm, nssdir, fstore=None,
host_name=None, subject_base=None, ca_subject=None,
- user=None, group=None, mode=None, truncate=False):
+ user=None, group=None, mode=None, create=False):
self.nssdb = NSSDatabase(nssdir)
self.secdir = nssdir
@@ -132,15 +132,16 @@ class CertDB(object):
self.uid = 0
self.gid = 0
- if not truncate and os.path.exists(self.secdir):
- # We are going to set the owner of all of the cert
- # files to the owner of the containing directory
- # instead of that of the process. This works when
- # this is called by root for a daemon that runs as
- # a normal user
- mode = os.stat(self.secdir)
- self.uid = mode[stat.ST_UID]
- self.gid = mode[stat.ST_GID]
+ if not create:
+ if os.path.isdir(self.secdir):
+ # We are going to set the owner of all of the cert
+ # files to the owner of the containing directory
+ # instead of that of the process. This works when
+ # this is called by root for a daemon that runs as
+ # a normal user
+ mode = os.stat(self.secdir)
+ self.uid = mode[stat.ST_UID]
+ self.gid = mode[stat.ST_GID]
else:
if user is not None:
pu = pwd.getpwnam(user)
@@ -162,6 +163,23 @@ class CertDB(object):
def passwd_fname(self):
return self.nssdb.pwd_file
+ def exists(self):
+ """
+ Checks whether all NSS database files + our pwd_file exist
+ """
+ db_files = (
+ self.secdir,
+ self.certdb_fname,
+ self.keydb_fname,
+ self.secmod_fname,
+ self.nssdb.pwd_file,
+ )
+
+ for f in db_files:
+ if not os.path.exists(f):
+ return False
+ return True
+
def __del__(self):
if self.reqdir is not None:
shutil.rmtree(self.reqdir, ignore_errors=True)
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 8e444be2d23ec5e7890d221508bc866de2854c89..aeb5c5e450813469e1b6cd374b30cd4aab338537 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -366,7 +366,7 @@ class HTTPInstance(service.Service):
db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR,
subject_base=self.subject_base, user="root",
group=constants.HTTPD_GROUP,
- truncate=True)
+ create=True)
self.disable_system_trust()
self.create_password_conf()
if self.pkcs12_info:
--
2.12.2