server upgrade: fix upgrade from pre-4.0

update_ca_renewal_master uses ipaCert certmonger tracking information to decide whether the local server is the CA renewal master or not. The information is lost when migrating from /etc/httpd/alias to /var/lib/ipa/radb in update_ra_cert_store. Make sure update_ra_cert_store is executed after update_ca_renewal_master so that correct information is used. https://fedorahosted.org/freeipa/ticket/5959 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2025-02-25 18:55:28 -06:00 · 2017-02-16 11:13:13 +01:00
parent ba8a10fbdb
commit 97e838e10d
3 changed files with 3 additions and 2 deletions
--- a/ipaserver/install/plugins/ca_renewal_master.py
+++ b/ipaserver/install/plugins/ca_renewal_master.py
@@ -74,7 +74,7 @@ class update_ca_renewal_master(Updater):
                return False, []

        criteria = {
-            'cert-database': paths.IPA_RADB_DIR,
+            'cert-database': paths.HTTPD_ALIAS_DIR,
            'cert-nickname': 'ipaCert',
        }
        request_id = certmonger.get_request_id(criteria)