From 43222cb85513d70363e721afb3dd43e0a939c7d9 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Wed, 27 Jan 2021 12:28:13 -0500 Subject: [PATCH] Ignore database errors when trying to extract ipaCert on upgrade If NSSDatabase() throws a ValueError it means we can't open it to look for an existing ipaCert to migrate. Chances are there is no certificate to migrate at this point in Fedora so don't let it blow up the entire installation/upgrade. Warn the user and let them figure it out. We have no real path forward on this and by proceeding it could lead to more errors (like no RA) but it is extremely unlikely and would require a user to upgrade from very old Fedora to very new Fedora in one step. https://pagure.io/freeipa/issue/8675 Signed-off-by: Rob Crittenden Reviewed-By: Christian Heimes Reviewed-By: Stanislav Levin
---
 ipaserver/install/plugins/update_ra_cert_store.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/plugins/update_ra_cert_store.py b/ipaserver/install/plugins/update_ra_cert_store.py
index 6f01ec0d5..620f2e2dd 100644
--- a/ipaserver/install/plugins/update_ra_cert_store.py
+++ b/ipaserver/install/plugins/update_ra_cert_store.py
@@ -33,7 +33,14 @@ class update_ra_cert_store(Updater):
 if not ca_enabled:
 return False, []
 
- certdb = NSSDatabase(nssdir=paths.HTTPD_ALIAS_DIR)
+ try:
+ certdb = NSSDatabase(nssdir=paths.HTTPD_ALIAS_DIR)
+ except ValueError as e:
+ logger.warning("Problem opening NSS database in "
+ "%s. Skipping check for existing RA "
+ "agent certificate: %s", paths.HTTPD_ALIAS_DIR, e)
+ return False, []
+
 if not certdb.has_nickname(ra_nick):
 # Nothign to do
 return False, []
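Review bot: The new `except ValueError` branch returns the same `False, []` as the two "nothing to do" paths, so a legacy database in `paths.HTTPD_ALIAS_DIR` that exists but cannot be opened is distinguishable from a clean skip only by a single warning line. If an old RA agent certificate and key are still in that database they remain there unmigrated (inferred from the commit message; the migration code is outside the hunk), and the warning does not tell the operator that the directory should be inspected afterwards. A comment above the `try`, such as `# ValueError: NSS database could not be opened; nothing is migrated and any old RA key material is left in place`, would record why continuing is acceptable. The message text could also end with a hint like `"... verify the RA agent certificate manually"` so the skipped check is actionable from the upgrade log. The body of the method continues past the end of the hunk.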