Reorder when ACME is enabled to fix failure on upgrade

On upgrading a server without ACME to one with ACME
the RA Agent DN needs to be added as a member of the
ACME Enterprise Users group. This was previously
done as part of the creation of that entry.

So on upgrade the RA Agent wouldn't be a member so
ipa-acme-manage didn't have access to operate against
the CA REST API.

In order to add the RA Agent to this group during installation
the ACME provisioning has to come after that step so it is
moved from the middle of an installation to the end and
the group addition moved into the setup_acme() method.

https://pagure.io/freeipa/issue/8603

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
This commit is contained in:
Rob Crittenden 2020-11-30 10:02:50 -05:00 committed by Alexander Bokovoy
parent 81c97bb992
commit 2068c7c472


@ -429,7 +429,6 @@ class CAInstance(DogtagInstance):
if promote:
self.step("destroying installation admin user",
self.teardown_admin)
self.step("deploying ACME service", self.setup_acme)
# Materialize config changes and new ACLs
self.step("starting certificate server instance",
self.start_instance)
@ -474,6 +473,7 @@ class CAInstance(DogtagInstance):
self.step("configuring certmonger renewal for lightweight CAs",
self.add_lightweight_ca_tracking_requests)
self.step("deploying ACME service", self.setup_acme)
if ra_only:
runtime = None
@ -769,10 +769,6 @@ class CAInstance(DogtagInstance):
self.basedn)
conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
group_dn = DN(('cn', ACME_AGENT_GROUP), ('ou', 'groups'),
self.basedn)
conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
def __get_ca_chain(self):
try:
return dogtag.get_ca_certchain(ca_host=self.fqdn)
@ -1504,6 +1500,17 @@ class CAInstance(DogtagInstance):
else:
password = result
# Add the IPA RA user as a member of the ACME admins for
# ipa-acme-manage.
user_dn = DN(('uid', "ipara"), ('ou', 'People'), self.basedn)
conn = api.Backend.ldap2
group_dn = DN(('cn', ACME_AGENT_GROUP), ('ou', 'groups'),
self.basedn)
try:
conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
except errors.AlreadyGroupMember:
pass
# create container object heirarchy in LDAP
ensure_acme_containers()
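Review bot: The new membership add in the hunk at 1500 runs before `ensure_acme_containers()`, and its `except` only absorbs `errors.AlreadyGroupMember`, so if the `ACME_AGENT_GROUP` entry is not guaranteed to exist at this point of an upgrade the call would surface an unrelated LDAP error instead of the quiet retry the commit intends; confirm the group is created earlier, or move the add below `ensure_acme_containers()`. The bare `pass` also hides the very condition this commit is diagnosing — a debug line such as `logger.debug("%s already a member of %s", user_dn, group_dn)` in that branch (if the module's `logger` is in scope) would make the next upgrade report easier to triage. Note the uid is hard-coded as `"ipara"` here, whereas the removed lines in the hunk at 769 reused the `user_dn` of the surrounding function; if a module-level constant for the RA agent uid exists, using it keeps the two from drifting. The enclosing setup_acme() method begins before this hunk, and the `else: password = result` context suggests `conn = api.Backend.ldap2` is bound after a credential step, so it is worth confirming that backend is already connected at this stage of the installer.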