ipa-cert-fix: handle 'pki-server cert-fix' failure

When DS cert is expired, 'pki-server cert-fix' will fail at the final step (restart). When this case arises, ignore the CalledProcessError and continue. We can't know for sure if the error was due to failure of final restart, or something going wrong earlier. But if it was a more serious failure, the next step (installing the renewed IPA-specific certificates) will fail. Part of: https://pagure.io/freeipa/issue/7885 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2025-02-25 18:55:28 -06:00 · 2019-05-27 09:55:06 +10:00
parent 7202722682
commit 582cc7da1d
1 changed files with 11 additions and 1 deletions
--- a/ipaserver/install/ipa_cert_fix.py
+++ b/ipaserver/install/ipa_cert_fix.py
@@ -113,7 +113,17 @@ class IPACertFix(AdminTool):
            return 0
        print("Proceeding.")

-        run_cert_fix(certs, extra_certs)
+        try:
+            run_cert_fix(certs, extra_certs)
+        except ipautil.CalledProcessError:
+            if any(x[0] is IPACertType.LDAPS for x in extra_certs):
+                # The DS cert was expired.  This will cause
+                # 'pki-server cert-fix' to fail at the final
+                # restart.  Therefore ignore the CalledProcessError
+                # and proceed to installing the IPA-specific certs.
+                pass
+            else:
+                raise  # otherwise re-raise

        replicate_dogtag_certs(subject_base, ca_subject_dn, certs)
        install_ipa_certs(subject_base, ca_subject_dn, extra_certs)