From a6e708ab4006d6623c37de1692de5362fcdb5dd6 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Mon, 30 Aug 2021 16:44:47 -0400
Subject: [PATCH] Catch and log errors when adding CA profiles

Rather than stopping the installer entirely, catch and report errors adding new certificate profiles, and remove the broken profile entry from LDAP so it may be re-added later. It was discovered that installing a newer IPA that has the ACME profile which requires sanToCNDefault will fail when installing a new server against a very old one that lacks this class. Running ipa-server-upgrade post-install will add the profile and generate the missing ipa-ca SAN record so that ACME can work.

https://pagure.io/freeipa/issue/8974

Signed-off-by: Rob Crittenden
Reviewed-By: Florence Blanc-Renaud
---
 ipaserver/install/cainstance.py | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 9e842b33e..8c8bf1b3a 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1973,8 +1973,17 @@ def import_included_profiles():
             # Create the profile, replacing any existing profile of same name
             profile_data = __get_profile_config(profile_id)
-            _create_dogtag_profile(profile_id, profile_data, overwrite=True)
-            logger.debug("Imported profile '%s'", profile_id)
+            try:
+                _create_dogtag_profile(profile_id, profile_data,
+                                       overwrite=True)
+            except errors.HTTPRequestError as e:
+                logger.warning("Failed to import profile '%s': %s. Running "
+                               "ipa-server-upgrade when installation is "
+                               "completed may resolve this issue.",
+                               profile_id, e)
+                conn.delete_entry(entry)
+            else:
+                logger.debug("Imported profile '%s'", profile_id)
         else:
             logger.debug(
                 "Profile '%s' is already in LDAP; skipping", profile_id
-- 
2.31.1
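Review bot: The rollback `conn.delete_entry(entry)` in the new except branch is unguarded and uncommented, so if the LDAP delete itself fails the installer still aborts, now with an LDAP error that hides the original profile failure, and the stale entry stays behind where a later ipa-server-upgrade would treat the profile as already present. A why-comment on that line would make the intent clear to the next reader, e.g. `# Roll back the LDAP entry so ipa-server-upgrade sees the profile as missing and re-attempts the import`, and the delete is worth wrapping in its own narrow except that logs the failure rather than raising. Only errors.HTTPRequestError is caught; if _create_dogtag_profile can raise other error types (I cannot tell from the hunk), those still stop the installer, which may or may not be intended. The enclosing import_included_profiles body, including where conn and entry are bound, starts outside the hunk.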