Fix ipa-replica-install when upgrade from ca-less to ca-full

When ipa-replica-prepare is run on a master upgraded from CA-less to CA-full, it creates the replica file with a copy of the local /etc/ipa/ca.crt. This causes issues if this file hasn't been updated with ipa-certupdate, as it contains the external CA that signed http/ldap certs, but not the newly installed IPA CA. As a consequence, ipa-replica-install fails with "Could not find a CA cert". The fix consists in retrieving the CA certificates from LDAP instead of the local /etc/ipa/ca.crt. https://fedorahosted.org/freeipa/ticket/6375 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-11-09 15:14:27 +01:00
parent e617f895e7
commit 044d887e81
2 changed files with 12 additions and 5 deletions
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -34,6 +34,7 @@ from six.moves.configparser import SafeConfigParser

 from ipaserver.install import certs, installutils, bindinstance, dsinstance
 from ipaserver.install.replication import enable_replication_version_checking
+from ipaserver.install.server.replicainstall import install_ca_cert
 from ipaserver.install.bindinstance import (
    add_zone, add_fwd_rr, add_ptr_rr, dns_container_exists)
 from ipapython import ipautil, admintool
@@ -356,6 +357,7 @@ class ReplicaPrepare(admintool.AdminTool):
            if options.setup_pkinit:
                self.copy_pkinit_certificate()

+            self.retrieve_ca_certs()
            self.copy_misc_files()

            self.save_config()
@@ -443,12 +445,17 @@ class ReplicaPrepare(admintool.AdminTool):
    def copy_misc_files(self):
        self.log.info("Copying additional files")

-        self.copy_info_file(CACERT, "ca.crt")
        cacert_filename = paths.CACERT_PEM
        if ipautil.file_exists(cacert_filename):
            self.copy_info_file(cacert_filename, "cacert.pem")
        self.copy_info_file(paths.IPA_DEFAULT_CONF, "default.conf")

+    def retrieve_ca_certs(self):
+        self.log.info("Retrieving CA certificates")
+        dest = os.path.join(self.dir, "ca.crt")
+        install_ca_cert(api.Backend.ldap2, api.env.basedn,
+                        api.env.realm, paths.IPA_CA_CRT, destfile=dest)
+
    def save_config(self):
        self.log.info("Finalizing configuration")

--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -127,22 +127,22 @@ def install_krb(config, setup_pkinit=False, promote=False):
    return krb


-def install_ca_cert(ldap, base_dn, realm, cafile):
+def install_ca_cert(ldap, base_dn, realm, cafile, destfile=paths.IPA_CA_CRT):
    try:
        try:
            certs = certstore.get_ca_certs(ldap, base_dn, realm, False)
        except errors.NotFound:
            try:
-                shutil.copy(cafile, paths.IPA_CA_CRT)
+                shutil.copy(cafile, destfile)
            except shutil.Error:
                # cafile == IPA_CA_CRT
                pass
        else:
            certs = [c[0] for c in certs if c[2] is not False]
-            x509.write_certificate_list(certs, paths.IPA_CA_CRT)
+            x509.write_certificate_list(certs, destfile)
    except Exception as e:
        raise ScriptError("error copying files: " + str(e))
-    return paths.IPA_CA_CRT
+    return destfile


 def install_http(config, auto_redirect, ca_is_configured, ca_file,