After unininstall see if certmonger is still tracking any of our certs.

Rather than providing a list of nicknames I'm going to look at the NSS databases directly. Anything in there is suspect and this will help future-proof us. certmonger may be tracking other certificates but we only care about a subset of them, so don't complain if there are other tracked certificates. This reads the certmonger files directly so the service doesn't need to be started. https://fedorahosted.org/freeipa/ticket/2702
2025-02-25 18:55:28 -06:00 · 2012-10-23 16:31:37 -04:00
parent d180d3c101
commit 3d7ff982ec
2 changed files with 45 additions and 1 deletions
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -52,6 +52,7 @@ from ipaserver.install import sysupgrade

 from ipaserver.install import service, installutils
 from ipapython import version
+from ipapython import certmonger
 from ipaserver.install.installutils import *
 from ipaserver.plugins.ldap2 import ldap2

@@ -527,7 +528,14 @@ def uninstall():
            rv = 1

    if has_state:
-        root_logger.warning('Some installation state has not been restored.\nThis will cause re-installation to fail.\nIt should be safe to remove /var/lib/ipa/sysrestore.state but it may\nmean your system hasn\'t be restored to its pre-installation state.')
+        root_logger.error('Some installation state has not been restored.\nThis may cause re-installation to fail.\nIt should be safe to remove /var/lib/ipa/sysrestore.state but it may\nmean your system hasn\'t be restored to its pre-installation state.')
+
+    # Note that this name will be wrong after the first uninstall.
+    dirname = dsinstance.config_dirname(dsinstance.realm_to_serverid(api.env.realm))
+    dirs = [dirname, dogtag.configured_constants().ALIAS_DIR, certs.NSS_DIR]
+    ids = certmonger.check_state(dirs)
+    if ids:
+        root_logger.error('Some certificates may still be tracked by certmonger.\nThis will cause re-installation to fail.\nStart the certmonger service and list the certificates being tracked\n # getcert list\nThese may be untracked by executing\n # getcert stop-tracking -i <request_id>\nfor each id in: %s' % ', '.join(ids))

    return rv

--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -114,6 +114,27 @@ def get_request_id(criteria):

    return reqid

+def get_requests_for_dir(dir):
+    """
+    Return a list containing the request ids for a given NSS database
+    directory.
+    """
+    reqid=[]
+    fileList=os.listdir(REQUEST_DIR)
+    for file in fileList:
+        rv = find_request_value(os.path.join(REQUEST_DIR, file),
+                                'cert_storage_location')
+        if rv is None:
+            continue
+        rv = os.path.abspath(rv).rstrip()
+        if rv != dir:
+            continue
+        id = find_request_value(os.path.join(REQUEST_DIR, file), 'id')
+        if id is not None:
+            reqid.append(id.rstrip())
+
+    return reqid
+
 def add_request_value(request_id, directive, value):
    """
    Add a new directive to a certmonger request file.
@@ -393,6 +414,21 @@ def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, command):

    (stdout, stderr, returncode) = ipautil.run(args, nolog=[pin])

+def check_state(dirs):
+    """
+    Given a set of directories and nicknames verify that we are no longer
+    tracking certificates.
+
+    dirs is a list of directories to test for. We will return a tuple
+    of nicknames for any tracked certificates found.
+
+    This can only check for NSS-based certificates.
+    """
+    reqids = []
+    for dir in dirs:
+        reqids.extend(get_requests_for_dir(dir))
+
+    return reqids

 if __name__ == '__main__':
    request_id = request_cert("/etc/httpd/alias", "Test", "cn=tiger.example.com,O=IPA", "HTTP/tiger.example.com@EXAMPLE.COM")