httpinstance: retry request without ipa-ca.$DOMAIN dnsName on failure

In the migration case of replica installation, if the CA server is
an older version it may not support the ipa-ca.$DOMAIN dnsName in
the HTTP cert (it is a special case in the cert_request command).
Therefore, if the request fails, try it again without the
ipa-ca.$DOMAIN dnsName.

Part of: https://pagure.io/freeipa/issue/8186

Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Fraser Tweedale
2020-06-09 16:06:42 +10:00
parent 451cbae160
commit 9d9012f682
2 changed files with 17 additions and 3 deletions


@@ -375,7 +375,11 @@ class HTTPInstance(service.Service):
else:
prev_helper = None
try:
certmonger.request_and_wait_for_cert(
# In migration case, if CA server is older version it may not
# have codepaths to support the ipa-ca.$DOMAIN dnsName in HTTP
# cert. Therefore if request fails, try again without the
# ipa-ca.$DOMAIN dnsName.
args = dict(
certpath=(paths.HTTPD_CERT_FILE, paths.HTTPD_KEY_FILE),
principal=self.principal,
subject=str(DN(('CN', self.fqdn), self.subject_base)),
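Review bot: the explanatory comment ("In migration case, if CA server is older version it may not have codepaths to support the ipa-ca.$DOMAIN dnsName ...") is placed above the `args = dict(` construction, but the behaviour it describes is the retry in the try/except further down, so a reader landing on the fallback sees no rationale. Move the comment next to the `except` branch that performs the retry, and consider citing issue 8186 there, since the commit message is currently the only place the ticket is referenced.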
@@ -385,8 +389,15 @@ class HTTPInstance(service.Service):
post_command='restart_httpd',
storage='FILE',
passwd_fname=key_passwd_file,
resubmit_timeout=api.env.certmonger_wait_timeout
resubmit_timeout=api.env.certmonger_wait_timeout,
stop_tracking_on_error=True,
)
try:
certmonger.request_and_wait_for_cert(**args)
except Exception as e:
args['dns'] = [self.fqdn] # remove ipa-ca.$DOMAIN
args['stop_tracking_on_error'] = False
certmonger.request_and_wait_for_cert(**args)
finally:
if prev_helper is not None:
certmonger.modify_ca_helper('IPA', prev_helper)
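Review bot: `except Exception as e:` binds `e` without using it and retries on any failure, not only a rejection of the ipa-ca.$DOMAIN dnsName, so an unrelated error (CA unreachable, bad credentials, timeout) triggers a second full request while the first error is silently discarded. At minimum log the first exception before retrying, e.g. `logger.debug("HTTP cert request with ipa-ca.$DOMAIN dnsName failed: %s", e)` (assuming a module logger is available), and if certmonger surfaces a distinguishable error for the rejected dnsName, narrow the catch to that case so genuine outages still fail fast. The flip from `stop_tracking_on_error=True` on the first attempt to `False` on the retry also deserves a one-line comment explaining that the first request's tracking must be cleared so the fallback can re-request the same cert path. Finally, `args['dns'] = [self.fqdn]` assumes a `dns=` key already exists in `args`; that key is not visible in either hunk, so confirm it is set in the elided lines, otherwise this adds a dnsName list rather than replacing one.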