Backup CS.cfg before modifying it

https://fedorahosted.org/freeipa/ticket/4166 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2025-02-25 18:55:28 -06:00 · 2014-09-03 15:04:35 +02:00 · 2014-09-03 15:04:35 +02:00 · 8292b228b8
commit 8292b228b8
parent b5870edb40
2 changed files with 22 additions and 0 deletions
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@ -1080,6 +1080,7 @@ def main():
        sub_dict['SUBJECT_BASE'] = subject_base

    ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
+    ca.backup_config()

    # migrate CRL publish dir before the location in ipa.conf is updated
    ca_restart = migrate_crl_publish_dir(ca)
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@ -449,6 +449,7 @@ class CAInstance(service.Service):
                self.step("creating pki-ca instance", self.create_instance)
            self.step("configuring certificate server instance", self.__configure_instance)
        self.step("stopping certificate server instance to update CS.cfg", self.__stop)
+        self.step("backing up CS.cfg", self.backup_config)
        self.step("disabling nonces", self.__disable_nonce)
        self.step("set up CRL publishing", self.__enable_crl_publish)
        self.step("starting certificate server instance", self.__start)
@ -811,6 +812,12 @@ class CAInstance(service.Service):
            root_logger.debug(traceback.format_exc())
            root_logger.critical("Failed to restart the certificate server. See the installation log for details.")

+    def backup_config(self):
+        try:
+            backup_config(self.dogtag_constants)
+        except Exception, e:
+            root_logger.warning("Failed to backup CS.cfg: %s", e)
+
    def __disable_nonce(self):
        # Turn off Nonces
        update_result = installutils.update_file(
@ -1803,6 +1810,16 @@ def install_replica_ca(config, postinstall=False):

    return ca

+def backup_config(dogtag_constants=None):
+    """
+    Create a backup copy of CS.cfg
+    """
+    if dogtag_constants is None:
+        dogtag_constants = dogtag.configured_constants()
+
+    shutil.copy(dogtag_constants.CS_CFG_PATH,
+                dogtag_constants.CS_CFG_PATH + '.ipabkp')
+
 def update_cert_config(nickname, cert, dogtag_constants=None):
    """
    When renewing a CA subsystem certificate the configuration file
@ -1824,6 +1841,10 @@ def update_cert_config(nickname, cert, dogtag_constants=None):

    with stopped_service(dogtag_constants.SERVICE_NAME,
                         instance_name=dogtag_constants.PKI_INSTANCE_NAME):
+        try:
+            backup_config(dogtag_constants)
+        except Exception, e:
+            syslog.syslog(syslog.LOG_ERR, "Failed to backup CS.cfg: %s" % e)

        installutils.set_directive(dogtag.configured_constants().CS_CFG_PATH,
                                    directives[nickname],