From 2068c7c472d3548962dfef76b26ac2ff19dec4dd Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Mon, 30 Nov 2020 10:02:50 -0500
Subject: [PATCH] Reorder when ACME is enabled to fix failure on upgrade

On upgrading a server without ACME to one with ACME the RA Agent DN needs to be added as a member of the ACME Enterprise Users group. This was previously done as part of the creation of that entry. So on upgrade the RA Agent wouldn't be a member so ipa-acme-manage didn't have access to operate against the CA REST API. In order to add the RA Agent to this group during installation the ACME provisioning has to come after that step so it is moved from the middle of an installation to the end and the group addition moved into the setup_acme() method.
https://pagure.io/freeipa/issue/8603

Signed-off-by: Rob Crittenden
Reviewed-By: Christian Heimes
Reviewed-By: Fraser Tweedale
Reviewed-By: Mohammad Rizwan Yusuf
---
 ipaserver/install/cainstance.py | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 1b7941a80..1a99b1164 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -429,7 +429,6 @@ class CAInstance(DogtagInstance):
 if promote:
 self.step("destroying installation admin user",
 self.teardown_admin)
- self.step("deploying ACME service", self.setup_acme)
 # Materialize config changes and new ACLs
 self.step("starting certificate server instance",
 self.start_instance)
@@ -474,6 +473,7 @@ class CAInstance(DogtagInstance):
 self.step("configuring certmonger renewal for lightweight CAs",
 self.add_lightweight_ca_tracking_requests)
+ self.step("deploying ACME service", self.setup_acme)
 if ra_only:
 runtime = None
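Review bot: The step added before `if ra_only:` carries an ordering dependency that nothing in the step list records: setup_acme() now adds the RA agent to the ACME agent group, so it must stay after the step that creates that agent (the commit message gives this as the reason for the move), and the next reorder of this step list could silently reintroduce the upgrade failure the patch fixes. A comment on the new line states the invariant where the next editor will see it: `# Must follow RA agent creation: setup_acme() adds the RA agent to the ACME agent group.`. The enclosing method starts and ends outside this hunk, and the step that creates the RA agent is not visible here, so the same note would belong next to it as well.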
@@ -769,10 +769,6 @@ class CAInstance(DogtagInstance):
 self.basedn)
 conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
- group_dn = DN(('cn', ACME_AGENT_GROUP), ('ou', 'groups'),
- self.basedn)
- conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
-
 def __get_ca_chain(self):
 try:
 return dogtag.get_ca_certchain(ca_host=self.fqdn)
@@ -1504,6 +1500,17 @@ class CAInstance(DogtagInstance):
 else:
 password = result
+ # Add the IPA RA user as a member of the ACME admins for
+ # ipa-acme-manage.
+ user_dn = DN(('uid', "ipara"), ('ou', 'People'), self.basedn)
+ conn = api.Backend.ldap2
+ group_dn = DN(('cn', ACME_AGENT_GROUP), ('ou', 'groups'),
+ self.basedn)
+ try:
+ conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
+ except errors.AlreadyGroupMember:
+ pass
+
 # create container object heirarchy in LDAP
 ensure_acme_containers()
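Review bot: The RA agent DN is spelled out again here as `DN(('uid', "ipara"), ('ou', 'People'), self.basedn)`, whereas the block removed in the earlier hunk took `user_dn` from the RA-agent creation code in its enclosing function (not visible here); two independent spellings of the same DN will drift on any rename, so a module-level constant or a small helper that both paths call would keep them in step. The new comment calls the target the "ACME admins" while the group is `ACME_AGENT_GROUP`; `# Make the IPA RA agent a member of the ACME agent group so ipa-acme-manage can reach the CA REST API` matches the code and the commit message. The `except errors.AlreadyGroupMember: pass` is what makes the step idempotent on re-run and upgrade, which is worth saying in place (`# already a member on re-run/upgrade: nothing to do`) instead of a bare pass; note that if the group itself does not yet exist at this point in setup_acme(), `add_entry_to_group` would raise something other than AlreadyGroupMember, so confirm the group is created before this block. setup_acme() begins and ends outside the hunk.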