Fix CA CRL migration crash in ipa-upgradeconfig

CRL migrate procedure did not check if a CA was actually configured
on an updated master/replica. This caused ipa-upgradeconfig to
crash on replicas without a CA.

Make sure that CRL migrate procedure is not run when CA is not
configured on given master. Also add few try..except clauses to
make the procedure more robust. There is also a small refactoring of
"<service> is not configured" log messages, so that they have matching
log level and message.

dogtag.py constants were updated to have a correct path to new CRL
directory on Fedora 18 (dogtag 10).

https://fedorahosted.org/freeipa/ticket/3159

install/tools/ipa-upgradeconfig

@@ -204,7 +204,7 @@ def check_certs():
     else:
         root_logger.debug('Certificate file exists')
 
-def upgrade_pki(fstore):
+def upgrade_pki(ca, fstore):
     """
     Update/add the dogtag proxy configuration. The IPA side of this is
     handled in ipa-pki-proxy.conf.
@@ -213,8 +213,8 @@ def upgrade_pki(fstore):
     """
     configured_constants = dogtag.configured_constants()
     root_logger.info('[Verifying that CA proxy configuration is correct]')
-    if not os.path.exists(configured_constants.CS_CFG_PATH):
+    if not ca.is_configured():
-        root_logger.debug('No CA detected in /etc/pki-ca')
+        root_logger.info('CA is not configured')
         return
 
     http = httpinstance.HTTPInstance(fstore)
@@ -300,7 +300,7 @@ def upgrade_ipa_profile(ca):
         if audit or ski:
             return True
     else:
-        root_logger.debug('CA is not configured')
+        root_logger.info('CA is not configured')
 
     return False
 
@@ -329,7 +329,7 @@ def named_enable_psearch():
 
     if not bindinstance.named_conf_exists():
         # DNS service may not be configured
-        root_logger.debug('DNS not configured')
+        root_logger.info('DNS is not configured')
         return
 
     try:
@@ -401,7 +401,7 @@ def named_enable_serial_autoincrement():
 
     if not bindinstance.named_conf_exists():
         # DNS service may not be configured
-        root_logger.debug('DNS not configured')
+        root_logger.info('DNS is not configured')
         return changed
 
     try:
@@ -448,8 +448,9 @@ def enable_certificate_renewal(ca):
 
     Returns True when CA needs to be restarted
     """
+    root_logger.info('[Enable certificate renewal]')
     if not ca.is_configured():
-        root_logger.debug('dogtag not configured')
+        root_logger.info('CA is not configured')
         return False
 
     # Using the nickname find the certmonger request_id
@@ -508,11 +509,20 @@ def migrate_crl_publish_dir(ca):
         root_logger.info('CRL tree already moved')
         return False
 
+    if not ca.is_configured():
+        root_logger.info('CA is not configured')
+        return False
+
     caconfig = dogtag.configured_constants()
 
-    old_publish_dir = installutils.get_directive(caconfig.CS_CFG_PATH,
+    try:
-        'ca.publish.publisher.instance.FileBaseCRLPublisher.directory',
+        old_publish_dir = installutils.get_directive(caconfig.CS_CFG_PATH,
-        separator='=')
+            'ca.publish.publisher.instance.FileBaseCRLPublisher.directory',
+            separator='=')
+    except OSError, e:
+        root_logger.error('Cannot read CA configuration file "%s": %s',
+                caconfig.CS_CFG_PATH, e)
+        return False
 
     if old_publish_dir == caconfig.CRL_PUBLISH_PATH:
         # publish dir is already updated
@@ -536,9 +546,14 @@ def migrate_crl_publish_dir(ca):
             except Exception, e:
                 root_logger.error('Cannot move CRL file to new directory: %s', e)
 
-    installutils.set_directive(caconfig.CS_CFG_PATH,
+    try:
-        'ca.publish.publisher.instance.FileBaseCRLPublisher.directory',
+        installutils.set_directive(caconfig.CS_CFG_PATH,
-        publishdir, quotes=False, separator='=')
+            'ca.publish.publisher.instance.FileBaseCRLPublisher.directory',
+            publishdir, quotes=False, separator='=')
+    except OSError, e:
+        root_logger.error('Cannot update CA configuration file "%s": %s',
+                caconfig.CS_CFG_PATH, e)
+        return False
     sysupgrade.set_upgrade_state('dogtag', 'moved_crl_publish_dir', True)
     root_logger.info('CRL publish directory has been migrated, '
                      'request pki-ca restart')
@@ -595,7 +610,7 @@ def main():
     upgrade(sub_dict, "/etc/httpd/conf.d/ipa.conf", ipautil.SHARE_DIR + "ipa.conf")
     upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf")
     upgrade(sub_dict, "/etc/httpd/conf.d/ipa-pki-proxy.conf", ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
-    upgrade_pki(fstore)
+    upgrade_pki(ca, fstore)
     update_dbmodules(api.env.realm)
     uninstall_ipa_kpasswd()
 

ipapython/dogtag.py

@@ -54,7 +54,7 @@ class Dogtag10Constants(object):
     SERVER_ROOT = '/var/lib/pki'
     PKI_INSTANCE_NAME = 'pki-tomcat'
     PKI_ROOT = '%s/%s' % (SERVER_ROOT, PKI_INSTANCE_NAME)
-    CRL_PUBLISH_PATH = '%s/ipa/pki-ca/publish' % SERVER_ROOT
+    CRL_PUBLISH_PATH = '/var/lib/ipa/pki-ca/publish'
     CS_CFG_PATH = '%s/conf/ca/CS.cfg' % PKI_ROOT
     PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT
     SERVICE_PROFILE_DIR = '%s/ca/profiles/ca' % PKI_ROOT
@@ -78,7 +78,7 @@ class Dogtag9Constants(object):
     SERVER_ROOT = '/var/lib'
     PKI_INSTANCE_NAME = 'pki-ca'
     PKI_ROOT = '%s/%s' % (SERVER_ROOT, PKI_INSTANCE_NAME)
-    CRL_PUBLISH_PATH = '%s/ipa/pki-ca/publish' % SERVER_ROOT
+    CRL_PUBLISH_PATH = '/var/lib/ipa/pki-ca/publish'
     CS_CFG_PATH = '%s/conf/CS.cfg' % PKI_ROOT
     PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT
     SERVICE_PROFILE_DIR = '%s/profiles/ca' % PKI_ROOT