Commit Graph

14634 Commits

Author SHA1 Message Date
François Cami
87304c78a8 ipatests: fix nightly_latest_testing_selinux template
The TestInstallWithoutSudo entry referenced fedora-latest instead
of testing-fedora for its build dependency. Fix it.

Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-05 10:34:35 +01:00
Sudhir Menon
735355ad03 ipatests: Test to check sosreport collects healthcheck.log file
This test creates healthcheck.log file in /var/log/ipa/healthcheck/
directory if its not present and then checks that when sosreport command
is run it collects the healthcheck log file by checking the console log

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2021-03-05 08:45:18 +01:00
Sergey Orlov
881eea4efe
ipatests: do not configure nameserver when installing client and replica
When IPA master is installed without DNS, using it as nameserver creates
invalid configuration.

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-04 18:47:32 +01:00
Sergey Orlov
4ad5ce7b58
ipatests: always try to create A records for hosts in IPA domain
Do not check that host is resolvable.
systemd-resolved creates synthetic records for hosts in /etc/hosts.
If test hosts are listed in /etc/hosts on controller, no A records will
be created.

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-04 18:47:32 +01:00
Sergey Orlov
dc423661c8
ipatests: mock resolver factory
test_testconfig is using hardcoded hostnames which do not match ones
provided in real test config. This causes resolver factory to fail
when trying to detect resolver type of the host.

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-04 18:47:32 +01:00
Sergey Orlov
1853695d22
ipatests: disable systemd-resolved cache
systemd-resolved enables positive and negative cache by default which
affects test scenarios where dns records are being created and deleted and
then verified using any tools that utilize default system resolver
(i.e. `dig` or `curl`).

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-04 18:47:32 +01:00
Sergey Orlov
01f455f424
ipatests: do not manually modify /etc/resolv.conf in tests
Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-04 18:47:32 +01:00
Sergey Orlov
cd066ba887
ipatests: setup resolvers during replica and client installations
Set IPA master as nameserver on replica and client machines during default
installation. This will help to avoid manual configuration in test cases
which require members of IPA domain to be resolvable.

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-04 18:47:32 +01:00
Sergey Orlov
2e92d0836d
ipatests: add utility for managing domain name resolvers
Many test scenarios need to configure resolvers on test machines. Most
notable patterns are:

* using IPA master as DNS resolver on clients and replicas
* intentionally breaking name resolution

Now it is done by directly editing /etc/resolv.conf file. While being
simple this approach has following issues:

* NetworkManager restores this file periodically and on specific events
* This is not how users are expected to manage resolvers on modern
  systems with NetworkManager and systemd-resolved.

This patch introduces three classes for main types of resolvers management:
* plain file
* NetworkManager
* systemd-resolved

For each resolver manager the native way of configuring of nameserves is
used: direct editing for /etc/resolv.conf or drop-in config files for
NM and resolved.

The type of resolver is automatically detected for each host and an
appropriate instance is added to Host object.

The Resolver class (and it's subclasses) provide convenience functions
for changing nameservers and restoring the original config.
During all operations (backup, modify, restore) it checks that resolver
configuration has not been altered unexpectedly and raises exception if it
was. This helps to detect unexpected changes in resolvers.

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-04 18:47:32 +01:00
Sergey Orlov
fe3c6657ec
ipatests: collect config files for NetworkManager and systemd-resolved
Those config files are valuable for debugging issues relate to DNS
resolvers.

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-04 18:47:32 +01:00
Stanislav Levin
7972d28240 cleanup: Drop never used path for httpd's ccache
`HTTP_CCACHE` path was introduced in [0], but hasn't been set as
gssproxy's cred_store option(`ccache`) and nowhere is really
used besides the removing of this not existed path. It is safe to
drop all referencies for `HTTP_CCACHE`.

As of 0.8.0[1] gssproxy uses `MEMORY` credentials type for cred_store
as default.

[0]: d2f5fc304f
[1]: 0e1b4a0c84

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-04 14:17:01 +02:00
Stanislav Levin
271fd162a7 ccache_sweeper: Add gssproxy service
The usage of the existing gssproxy service(`service/ipa-api`) leads
to undesirable for this case side effects such as auto renew of
expired credentials.

Fixes: https://pagure.io/freeipa/issue/8735
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-04 14:17:01 +02:00
François Cami
216720af83 ipa-csreplica-manage, ipa-replica-manage: refactor
Related: https://pagure.io/freeipa/issue/8605
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-02 11:48:59 +01:00
François Cami
82e32433ed ipalib/util.py: add print_replication_status
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-02 11:48:59 +01:00
François Cami
bc3906f9aa ipa-replica-manage: handle missing attributes
If nsds5replicalastupdateend is not yet present,
ipa-replica-manage will backtrace as it tries to retrieve that
attribute unconditionally.
Gracefully handle that situation.

Fixes: https://pagure.io/freeipa/issue/8605
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-02 11:48:59 +01:00
François Cami
4b2c50ae62 ipa-replica-manage: always display nsds5replicalastinitstatus
If nsds5replicalastinitstatus is none, the status is not displayed.
Always displaying the last init status is more useful to the end-user.

Related: https://pagure.io/freeipa/issue/8605
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-02 11:48:59 +01:00
Florence Blanc-Renaud
5cd3944bb2 ipatests: use whole date when calling journalctl --since
The test test_commands.py::TestIPACommand::test_ssh_key_connection
is checking the content of the journal using journalctl --since ...
but provides only the time, not the whole date with year-month-day.
As a consequence, if the test is executed around midnight it may
find nothing in the journal because it's looking for logs after 11:50PM,
which is a date in the future.

The fix provides a complete date with year-month-day hours:min:sec.

Fixes: https://pagure.io/freeipa/issue/8728
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-03-02 11:47:09 +01:00
Alexander Bokovoy
3fc75b15fa ipa-kdb: mark test functions as static
No need to define missing prototypes to single use test functions.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-03-01 10:44:25 -05:00
Alexander Bokovoy
3037de2820 ipa-kdb: reformat ipa_kdb_certauth
Add prototype to the exported function

Replace few tabs by spaces and mark static code as static.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-03-01 10:44:25 -05:00
Alexander Bokovoy
f996c21edb ipa-kdb: add missing prototypes
On Fedora 33 GCC defaults to -Wmissing-prototypes and emits warnings
about function prototypes missing. If -Werror is specified, this breaks
compilation.

We also default to -Werror=implicit-function-declaration

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-03-01 10:44:25 -05:00
Alexander Bokovoy
1d2a14a2d2 ipa-kdb: fix compiler warnings
There are few fields in KDB structures that have 'conflicting' types but
need to be compared. They come from MIT Kerberos and we have no choice
here.

In the same way, SID structures have own requirements.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-03-01 10:44:25 -05:00
Alexander Bokovoy
47d49aa7b7 ipa-kdb: do not use OpenLDAP functions with NULL LDAP context
Calling to ipadb_get_connection() will remove LDAP context if any error
happens. This means upper layers must always verify that LDAP context
exists after such calls.

ipadb_get_user_auth() may re-read global configuration and that may fail
and cause IPA context to have NULL LDAP context.

Fixes: https://pagure.io/freeipa/issue/8681

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-03-01 10:44:25 -05:00
Sergey Orlov
0b60408dab
ipatests: test Samba mount with NTLM authentication
Related to https://pagure.io/freeipa/issue/8636

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-01 12:55:58 +01:00
Fraser Tweedale
8c2c6f8253 ipa-cert-fix: improve handling of 'pki-server cert-fix' failure
'pki-server cert-fix' has a known and expected failure when the DS
certificate is expired.  'ipa-cert-fix' handles this by
optimistically ignoring the CalledProcessError and continuing when
the DS certificate was up for renewal.

This heuristic is a bit too optimistic.  If 'pki-server cert-fix'
fails due and returns nonzero due to some other, more serious error
(as has been seen in the wild[1]), 'ipa-cert-fix' continues then
fails later with a more confusing error, for example:

    [Errno 2] No such file or directory:
      '/etc/pki/pki-tomcat/certs/27-renewed.crt'

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1930586

Improve the heuristic by also checking whether output files
corresponding ot all of the "extra" certificate that we asked
'ipa-cert-fix' to renew, do indeed exist and are X.509 certificates.

Fixes: https://pagure.io/freeipa/issue/8721
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-03-01 11:23:35 +11:00
Antonio Torres
4fc1e15c7c ipatests: check that zonemgr is set correctly during server install
Add test to check that zonemgr is correctly
set when installing IPA server.

Related: https://pagure.io/freeipa/issue/8718
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-02-25 20:24:55 +01:00
Antonio Torres
04e57e6fd4 ipaserver: don't ignore zonemgr option on install
Fix zonemgr option in ipaserver install being
ignored because of an incorrect condition.

Fixes: https://pagure.io/freeipa/issue/8718
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-02-25 20:24:55 +01:00
Florence Blanc-Renaud
f3cd85ea81 freeipa.spec: bump the required version of 389ds
In order to get the fix for sync_repl, the following versions
are required:
on fedora32: 1.4.3.19-1
on fedora33 and above: 1.4.4.12-1
on rhel 8.4: 1.4.3.16-11

Note: the fix is not available yet on fedora32 as the build has
been marked as obsolete due to a pkispawn regression
(https://github.com/dogtagpki/pki/issues/3458).
The version will need to be updated in a later commit.

Fixes: https://pagure.io/freeipa/issue/8496
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-02-25 14:42:01 +01:00
Troy Dawson
d11acaf4d3 platform-python only on RHEL8
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-02-23 11:54:30 -05:00
Mohammad Rizwan
1197e2ef85 ipatests: update nightly definition for ipa_cert_fix suite
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2021-02-23 13:25:26 +01:00
Mohammad Rizwan
0904bb2387 ipatests: Test if ipa-cert-fix renews expired certs with kra installed
This test check if ipa-cert-fix renews certs with kra
certificate installed.

related: https://pagure.io/freeipa/issue/7885

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2021-02-23 13:25:26 +01:00
Mohammad Rizwan
f7ef6d5ab7 Move fixture outside the class and add setup_kra capability
Moved fixture to use across multiple classes. Added capability
to install the KRA to the fixture

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2021-02-23 13:25:26 +01:00
Mohammad Rizwan
f49c7dafc4 ipatests: Test if ipa-cert-fix renews expired certs
Test moves system date to expire certs. Then calls ipa-cert-fix
to renew them. This certs include subsystem, audit-signing,
OCSP signing, Dogtag HTTPS, IPA RA agent, LDAP and KDC certs.

related: https://pagure.io/freeipa/issue/7885

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2021-02-23 13:25:26 +01:00
Florence Blanc-Renaud
178dec8fc3 pylint: fix inconsistent-return-statements
pylint 2.7.0 now emits inconsistent-return-statements if one of
try/except statement is not returning explicitly while the other do.

Fixes: https://pagure.io/freeipa/issue/8720
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-22 16:18:11 -05:00
Sergey Orlov
4d87982b07
ipatests: skip tests for AD trust with shared secret in FIPS mode
Related to https://pagure.io/freeipa/issue/8715

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-19 13:31:28 +01:00
Rob Crittenden
c0e63429b3 Don't double-report any errors from pki-spawn failures
The output from pki-spawn is already displayed to the user
as well as a short traceback so re-displaying the CalledProcess
error provides no value and only provokes confusion,
particularly because it is condensed and includes embedded
newlines.

Re-raise the exception from None so that the traceback is
removed and while there is still an immense traceback from
the admintool class it is significantly shorter than before
and removes:

"During handling of the above exception, another exception occurred"

The handling is in fact expected.

This changes the user-facing installer output from:

  [1/28]: configuring certificate server instance
Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpr5x2l0gm', '--debug'] returned non-zero exit status 1: 'INFO: Connecting to LDAP server at ldap://ipa.example.test:389\nINFO: Connecting to LDAP server at ldap://ipa.example.test:389\nDEBUG: Installing Maven dependencies: False\nERROR: KeyError: \'CA\'\n  File "/usr/lib/python3.9/site-packages/pki/server/pkispawn.py", line 575, in main\n    raise KeyError(\'CA\')\n\n')
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

to

  [1/28]: configuring certificate server instance
Failed to configure CA instance
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

The output is similarly reduced in the installer log. There is no
reason to acknowledge that a CalledProcessError was raised since
the output is already available and it's just an intermediary.

Hopefully this will encourage users to focus on the logs rather than
the malformed traceback.

https://pagure.io/freeipa/issue/8565

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-02-18 16:52:05 +01:00
Rob Crittenden
ea58c75730 Suppress error message if the CRL directory doesn't exist
If the CA fails to deploy then the CRL directory will not exist
but will report an error that it has failed to be removed.
There is no need to try to navigate a directory if it doesn't exist.

Related: https://pagure.io/freeipa/issue/8565

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-02-18 16:52:05 +01:00
Kaleemullah Siddiqui
5e49910bcf ipatests: error message check in uninstall log for KRA
This test checks that there is no error message in uninstall
log for KRA instance when IPA was installed with KRA.

related: https://pagure.io/freeipa/issue/8550

Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-02-18 16:44:29 +01:00
Rob Crittenden
ab13cf52f2 Remove a remaining file used with csrgen
This file was missed in the first pass to remove support for
csrgen.

This was never feature complete and currently has issues and
we lack the resources to maintain it.

Drop it for now. It can be revived from git history in the
future if we see the need.

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-02-18 16:43:04 +01:00
Rob Crittenden
dea2b8af9c Don't renew non-IPA issued certs in ipa-cert-fix
If the Apache, 389-ds or KDC certificate was issued by
a third party there is nothing we can do, regardless of
whether it is expired or not.

Report which certificates will not be renewed so the
admin can manually do do (likely in the event of a
third-party certificate).

https://pagure.io/freeipa/issue/8600

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-02-18 16:41:03 +01:00
Rob Crittenden
146db28e50 Set pki-core dependency to 10.3.3 for pki-server cert-fix bug
Related: https://github.com/dogtagpki/pki/issues/3387
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-02-18 16:41:03 +01:00
Rob Crittenden
be4195cfaf ipatests: test third-party 389-ds cert with ipa-cert-fix
ipa-cert-fix was hardcoded to use Server-Cert as the nickname
so would fail if a third-party certificate was installed for DS.

https://pagure.io/freeipa/issue/8600

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-02-18 16:41:03 +01:00
Rob Crittenden
7cfd44d395 ipa-cert-fix: Don't hardcode the NSS certificate nickname
The nickname of the 389-ds certificate was hardcoded as
Server-Cert which failed if the user had installed a
third-party certificate using ipa-server-certinstall.

Instead pull the nickname from the DS configuration and
retrieve it based on that.

https://pagure.io/freeipa/issue/8600

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-02-18 16:41:03 +01:00
Alexander Bokovoy
f2f8d46c7f po: update translations template
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-15 20:33:38 +02:00
Rob Crittenden
71047f68b5 Remove the option stop_certmonger from stop_tracking_*
This option was inconsistent between invocations and there is
no need to stop certmonger after stopping tracking. It was also
apparently causing dbus timeout errors, probably due to the amount
of work that certmonger does at startup.

https://pagure.io/freeipa/issue/8506
https://pagure.io/freeipa/issue/8533

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-15 17:13:53 +02:00
Florence Blanc-Renaud
137b39cf93 ipatests: update expected error message
With commit ec6698f , the error message has changed from
  Unable to communicate with CMS (503)
to
  Request failed with status 503: Non-2xx response from CA REST API: 503.  (503)

Related: https://pagure.io/freeipa/issue/8704
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-15 15:22:19 +02:00
Thorsten Scherf
84f52ea8fc man: fix ipa-client-samba.1 typos
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-15 10:04:55 +02:00
Armando Neto
7d691f07d6 ipatests: Update PR-CI templates
Update "previous" and "latest" templates with updated dependencies.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-15 10:04:23 +02:00
Antonio Torres
89135830cc ipatests: test addition of invalid sudo command
Check that sudocmd-add fails when trying to add
a command containing a trailing dot.

Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-15 09:59:41 +02:00
Antonio Torres
d6c5a92609 sudocmd: ensure command doesn't contain trailing dot before adding it
Trailing dots aren't permitted in sudo commands, as
enforced explicitly in `get_dn`. Performing this check
before adding the command prevents the user from
entering invalid commands, which would otherwise trigger
errors when accessing them afterwards.

RN: ipa sudocmd-* commands now validate SUDO command name to not end with a dot.
RN: Previously a trailing dot was stripped away in when addressing a SUDO command's LDAP object.
RN: As a result, a SUDO command was created but it was not possible to refer to it in other IPA commands.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1925410
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-15 09:59:41 +02:00
Rob Crittenden
3d2d06719f Add some logging around initial ACME deployment
From the upgrade log it was not possible to see the current
state of ACME which makes troubleshooting difficult.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

Related: https://pagure.io/freeipa/issue/8712
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-02-15 09:57:07 +02:00