From 3c1ac4d5c9c36c2b99ac2b1d9d86e46b563b4361 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Mon, 27 May 2019 10:00:28 +1000
Subject: [PATCH] ipa-cert-fix: handle 'pki-server cert-fix' failure

When DS cert is expired, 'pki-server cert-fix' will fail at the
final step (restart).  When this case arises, ignore the
CalledProcessError and continue.

We can't know for sure if the error was due to failure of final
restart, or something going wrong earlier.  But if it was a more
serious failure, the next step (installing the renewed IPA-specific
certificates) will fail.

Part of: https://pagure.io/freeipa/issue/7885

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
 ipaserver/install/ipa_cert_fix.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py
index c8ee51faea9092350c8a182ba55387ddd7b196d8..5d5668b1d89115adcda167222ffc38a0caa690a2 100644
--- a/ipaserver/install/ipa_cert_fix.py
+++ b/ipaserver/install/ipa_cert_fix.py
@@ -113,7 +113,17 @@ class IPACertFix(AdminTool):
             return 0
         print("Proceeding.")
 
-        run_cert_fix(certs, extra_certs)
+        try:
+            run_cert_fix(certs, extra_certs)
+        except ipautil.CalledProcessError:
+            if any(x[0] is IPACertType.LDAPS for x in extra_certs):
+                # The DS cert was expired.  This will cause
+                # 'pki-server cert-fix' to fail at the final
+                # restart.  Therefore ignore the CalledProcessError
+                # and proceed to installing the IPA-specific certs.
+                pass
+            else:
+                raise  # otherwise re-raise
 
         replicate_dogtag_certs(subject_base, ca_subject_dn, certs)
         install_ipa_certs(subject_base, ca_subject_dn, extra_certs)
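Review bot: The `except ipautil.CalledProcessError:` branch discards the error without a trace, so when an LDAPS entry is present in `extra_certs` the operator gets no record that 'pki-server cert-fix' exited non-zero. Because the failure may have happened before the final restart, bind the exception and report it before continuing: `except ipautil.CalledProcessError as e:` with `print("pki-server cert-fix failed ({}); continuing because the DS certificate is being renewed".format(e))` in place of `pass`. Note also that `replicate_dogtag_certs` runs before `install_ipa_certs`, so after an earlier failure it may act on Dogtag certificates that were never renewed; whether it detects that is not visible here. The enclosing method of `IPACertFix` starts outside this hunk and may continue past it.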
-- 
2.20.1