From a6e708ab4006d6623c37de1692de5362fcdb5dd6 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 30 Aug 2021 16:44:47 -0400
Subject: [PATCH] Catch and log errors when adding CA profiles
Rather than stopping the installer entirely, catch and report
errors adding new certificate profiles, and remove the
broken profile entry from LDAP so it may be re-added later.
It was discovered that installing a newer IPA that has the
ACME profile which requires sanToCNDefault will fail when
installing a new server against a very old one that lacks
this class.
Running ipa-server-upgrade post-install will add the profile
and generate the missing ipa-ca SAN record so that ACME
can work.
https://pagure.io/freeipa/issue/8974
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipaserver/install/cainstance.py | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 9e842b33e..8c8bf1b3a 100644
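--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1973,8 +1973,17 @@ def import_included_profiles():
 
 # Create the profile, replacing any existing profile of same name
 profile_data = __get_profile_config(profile_id)
- _create_dogtag_profile(profile_id, profile_data, overwrite=True)
- logger.debug("Imported profile '%s'", profile_id)
+ try:
+ _create_dogtag_profile(profile_id, profile_data,
+ overwrite=True)
+ except errors.HTTPRequestError as e:
+ logger.warning("Failed to import profile '%s': %s. Running "
+ "ipa-server-upgrade when installation is "
+ "completed may resolve this issue.",
+ profile_id, e)
+ conn.delete_entry(entry)
+ else:
+ logger.debug("Imported profile '%s'", profile_id)
 else:
 logger.debug(
 "Profile '%s' is already in LDAP; skipping", profile_id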
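Review bot: The `conn.delete_entry(entry)` call inside the new `except errors.HTTPRequestError` handler is unguarded, so if that LDAP delete fails the exception propagates out of the handler and stops the installer, which is the outcome this commit sets out to avoid, and the broken profile entry stays in LDAP. The delete should be wrapped in its own handler that logs the failure and names the profile, so an operator can see that the CA came up without this certificate profile and that a stale entry remains. `conn` and `entry` are bound outside the hunk, and import_included_profiles starts and ends outside it, so the exception class in the sketch below is an assumption to confirm against what `conn.delete_entry` actually raises. Indentation in the sketch is approximate because the page has lost the original indentation.

```python
            except errors.HTTPRequestError as e:
                # … unchanged: logger.warning call reporting the failed import …
                try:
                    conn.delete_entry(entry)
                except errors.PublicError as del_err:
                    logger.warning(
                        "Could not remove LDAP entry for profile '%s': %s",
                        profile_id, del_err)
```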
--
2.31.1