mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 15:40:01 -06:00
Properly stop tracking certificates on uninstall
Stopping certificate tracking was done as part of the PKI DS uninstall. Since with the merged DB, thePKI DS is not used any more, this step was skipped. Move certificate untracking to a separate step and call it separately. Also, the post-uninstall check for tracked certificates used the wrong set of Dogtag constants. Fix the issue.
This commit is contained in:
parent
5fa3455764
commit
17f91dac55
@ -482,11 +482,12 @@ def uninstall():
|
||||
print "ipa-client-install returned: " + str(e)
|
||||
|
||||
ntpinstance.NTPInstance(fstore).uninstall()
|
||||
if not dogtag.install_constants.SHARED_DB:
|
||||
if not dogtag_constants.SHARED_DB:
|
||||
cads_instance = cainstance.CADSInstance(
|
||||
dogtag_constants=dogtag_constants)
|
||||
if cads_instance.is_configured():
|
||||
cads_instance.uninstall()
|
||||
cainstance.stop_tracking_certificates(dogtag_constants)
|
||||
ca_instance = cainstance.CAInstance(
|
||||
api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants)
|
||||
if ca_instance.is_configured():
|
||||
@ -534,7 +535,7 @@ def uninstall():
|
||||
|
||||
# Note that this name will be wrong after the first uninstall.
|
||||
dirname = dsinstance.config_dirname(dsinstance.realm_to_serverid(api.env.realm))
|
||||
dirs = [dirname, dogtag.configured_constants().ALIAS_DIR, certs.NSS_DIR]
|
||||
dirs = [dirname, dogtag_constants.ALIAS_DIR, certs.NSS_DIR]
|
||||
ids = certmonger.check_state(dirs)
|
||||
if ids:
|
||||
root_logger.error('Some certificates may still be tracked by certmonger.\nThis will cause re-installation to fail.\nStart the certmonger service and list the certificates being tracked\n # getcert list\nThese may be untracked by executing\n # getcert stop-tracking -i <request_id>\nfor each id in: %s' % ', '.join(ids))
|
||||
|
@ -437,25 +437,33 @@ class CADSInstance(service.Service):
|
||||
# At one time we removed this user on uninstall. That can potentially
|
||||
# orphan files, or worse, if another useradd runs in the intermim,
|
||||
# cause files to have a new owner.
|
||||
cmonger = ipaservices.knownservices.certmonger
|
||||
ipaservices.knownservices.messagebus.start()
|
||||
cmonger.start()
|
||||
|
||||
for nickname in ['Server-Cert cert-pki-ca',
|
||||
'auditSigningCert cert-pki-ca',
|
||||
'ocspSigningCert cert-pki-ca',
|
||||
'subsystemCert cert-pki-ca']:
|
||||
try:
|
||||
certmonger.stop_tracking(
|
||||
self.dogtag_constants.ALIAS_DIR, nickname=nickname)
|
||||
except (ipautil.CalledProcessError, RuntimeError), e:
|
||||
root_logger.error("certmonger failed to stop tracking certificate: %s" % str(e))
|
||||
|
||||
def stop_tracking_certificates(dogtag_constants):
|
||||
"""Stop tracking our certificates. Called on uninstall.
|
||||
"""
|
||||
cmonger = ipaservices.knownservices.certmonger
|
||||
ipaservices.knownservices.messagebus.start()
|
||||
cmonger.start()
|
||||
|
||||
for nickname in ['Server-Cert cert-pki-ca',
|
||||
'auditSigningCert cert-pki-ca',
|
||||
'ocspSigningCert cert-pki-ca',
|
||||
'subsystemCert cert-pki-ca']:
|
||||
try:
|
||||
certmonger.stop_tracking('/etc/httpd/alias', nickname='ipaCert')
|
||||
certmonger.stop_tracking(
|
||||
dogtag_constants.ALIAS_DIR, nickname=nickname)
|
||||
except (ipautil.CalledProcessError, RuntimeError), e:
|
||||
root_logger.error("certmonger failed to stop tracking certificate: %s" % str(e))
|
||||
cmonger.stop()
|
||||
root_logger.error(
|
||||
"certmonger failed to stop tracking certificate: %s" % str(e))
|
||||
|
||||
try:
|
||||
certmonger.stop_tracking('/etc/httpd/alias', nickname='ipaCert')
|
||||
except (ipautil.CalledProcessError, RuntimeError), e:
|
||||
root_logger.error(
|
||||
"certmonger failed to stop tracking certificate: %s" % str(e))
|
||||
cmonger.stop()
|
||||
|
||||
|
||||
class CAInstance(service.Service):
|
||||
"""
|
||||
|
Loading…
Reference in New Issue
Block a user