From aca3dbcb4804367bb4a7e9d1483138ffeca0aa89 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 29 Jun 2021 10:02:42 -0400
Subject: [PATCH] import ipa-4.9.2-4.module+el8.4.0+11156+94d209c1
---
...configuration-files-if-_rhbz#1959984.patch | 54 +++++++++++++++++++
SPECS/ipa.spec | 9 +++-
2 files changed, 61 insertions(+), 2 deletions(-)
create mode 100644 SOURCES/0011-Only-attempt-to-upgrade-ACME-configuration-files-if-_rhbz#1959984.patch
diff --git a/SOURCES/0011-Only-attempt-to-upgrade-ACME-configuration-files-if-_rhbz#1959984.patch b/SOURCES/0011-Only-attempt-to-upgrade-ACME-configuration-files-if-_rhbz#1959984.patch
new file mode 100644
index 0000000..443b192
--- /dev/null
+++ b/SOURCES/0011-Only-attempt-to-upgrade-ACME-configuration-files-if-_rhbz#1959984.patch
@@ -0,0 +1,54 @@
+From 1aa3f7a7fd24c651aafde150351328148fd517be Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Thu, 6 May 2021 14:10:44 -0400
+Subject: [PATCH] Only attempt to upgrade ACME configuration files if deployed
+
+This can happen on upgrades from older deployments that lack
+an ACME installation and don't meet the minimum requirements
+to deploy one automatically.
+
+Also don't consider missing ACME schema a total failure, just
+log and skip it.
+
+https://pagure.io/freeipa/issue/8832
+
+Signed-off-by: Rob Crittenden
+Reviewed-By: Florence Blanc-Renaud
+---
+ ipaserver/install/server/upgrade.py | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
+index e60524084..75bf26b8e 100644
+--- a/ipaserver/install/server/upgrade.py
++++ b/ipaserver/install/server/upgrade.py
+@@ -1122,7 +1122,8 @@ def ca_upgrade_schema(ca):
+ acme_schema_ldif = path
+ break
+ else:
+- raise RuntimeError('ACME schema file not found')
++ logger.info('ACME schema is not available')
++ return False
+
+ schema_files=[
+ '/usr/share/pki/server/conf/schema-certProfile.ldif',
+@@ -1530,6 +1531,16 @@ def ca_update_acme_configuration(ca, fqdn):
+ """
+ Re-apply the templates in case anyting has been updated.
+ """
++ logger.info('[Updating ACME configuration]')
++ if not os.path.isdir(os.path.join(paths.PKI_TOMCAT, 'acme')):
++ logger.info('ACME is not deployed, skipping')
++ return
++
++ if not os.path.exists(paths.PKI_ACME_ISSUER_CONF):
++ logger.info('ACME configuration file %s is missing',
++ paths.PKI_ACME_ISSUER_CONF)
++ return
++
+ password = directivesetter.get_directive(
+ paths.PKI_ACME_ISSUER_CONF,
+ 'password',
+--
+2.31.1
+
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index 99de2e5..ddba39f 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
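Review bot: In the embedded upgrade.py change, the new `return False` in the `for`/`else` of `ca_upgrade_schema` leaves the function before the `schema_files` list that follows, so a host without the ACME schema file would apparently also skip `/usr/share/pki/server/conf/schema-certProfile.ldif` and whatever else that list holds, not only the ACME entry. The commit message describes the intent as "just log and skip it", which reads as skipping the ACME schema alone; setting `acme_schema_ldif = None` in the `else` branch and leaving it out of `schema_files` when it is `None` would keep the remaining CA schema upgrades running. The 'ACME schema is not available' and 'ACME configuration file %s is missing' messages are logged at info level, and `logger.warning(...)` would make a partially upgraded CA easier to spot in the upgrade log. The rest of `ca_upgrade_schema` lies outside the hunk, so how `schema_files` is consumed should be confirmed there.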
@@ -128,7 +128,7 @@ %if 0%{?rhel} == 8 # PKIConnection has been modified to always validate certs. # https://pagure.io/freeipa/issue/8379 -%global pki_version 10.9.0-0.4 +%global pki_version 10.10.5-2 %else # New KRA profile, ACME support # https://pagure.io/freeipa/issue/8545 @@ -176,7 +176,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 3%{?rc_version:.%rc_version}%{?dist} +Release: 4%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ @@ -206,6 +206,7 @@ Patch0007: 0007-ipatests_ipa-cert-fix_renews_pagure#7885_rhbz#1932289.patch Patch0008: 0008-ipatests-use-whole-date-when-calling-journalctl-sinc_rhbz#1932289.patch Patch0009: 0009-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1932784.patch Patch0010: 0010-ipa-client-install-output-a-warning-if-sudo-is-not-p_rhbz#1939371.patch +Patch0011: 0011-Only-attempt-to-upgrade-ACME-configuration-files-if-_rhbz#1959984.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch %endif %endif @@ -1680,6 +1681,10 @@ fi %changelog +* Wed May 26 2021 Thomas Woerner - 4.9.2-4 +- Only attempt to upgrade ACME configuration files if deployed + Resolves: RHBZ#1959984 + * Fri Mar 19 2021 Thomas Woerner - 4.9.2-3 - ipa-client-install displays false message 'sudo binary does not seem to be present on this system'