import ipa-4.9.2-4.module+el8.4.0+11156+94d209c1

SOURCES/0011-Only-attempt-to-upgrade-ACME-configuration-files-if-_rhbz#1959984.patch

@@ -0,0 +1,54 @@
+From 1aa3f7a7fd24c651aafde150351328148fd517be Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Thu, 6 May 2021 14:10:44 -0400
+Subject: [PATCH] Only attempt to upgrade ACME configuration files if deployed
+
+This can happen on upgrades from older deployments that lack
+an ACME installation and don't meet the minimum requirements
+to deploy one automatically.
+
+Also don't consider missing ACME schema a total failure, just
+log and skip it.
+
+https://pagure.io/freeipa/issue/8832
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ ipaserver/install/server/upgrade.py | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
+index e60524084..75bf26b8e 100644
+--- a/ipaserver/install/server/upgrade.py
++++ b/ipaserver/install/server/upgrade.py
+@@ -1122,7 +1122,8 @@ def ca_upgrade_schema(ca):
+             acme_schema_ldif = path
+             break
+     else:
+-        raise RuntimeError('ACME schema file not found')
++        logger.info('ACME schema is not available')
++        return False
+ 
+     schema_files=[
+         '/usr/share/pki/server/conf/schema-certProfile.ldif',
+@@ -1530,6 +1531,16 @@ def ca_update_acme_configuration(ca, fqdn):
+     """
+     Re-apply the templates in case anyting has been updated.
+     """
++    logger.info('[Updating ACME configuration]')
++    if not os.path.isdir(os.path.join(paths.PKI_TOMCAT, 'acme')):
++        logger.info('ACME is not deployed, skipping')
++        return
++
++    if not os.path.exists(paths.PKI_ACME_ISSUER_CONF):
++        logger.info('ACME configuration file %s is missing',
++                    paths.PKI_ACME_ISSUER_CONF)
++        return
++
+     password = directivesetter.get_directive(
+         paths.PKI_ACME_ISSUER_CONF,
+         'password',
+-- 
+2.31.1
+

SPECS/ipa.spec

@@ -128,7 +128,7 @@
 %if 0%{?rhel} == 8
 # PKIConnection has been modified to always validate certs.
 # https://pagure.io/freeipa/issue/8379
-%global pki_version 10.9.0-0.4
+%global pki_version 10.10.5-2
 %else
 # New KRA profile, ACME support
 # https://pagure.io/freeipa/issue/8545
@@ -176,7 +176,7 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        3%{?rc_version:.%rc_version}%{?dist}
+Release:        4%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPLv3+
@@ -206,6 +206,7 @@ Patch0007:      0007-ipatests_ipa-cert-fix_renews_pagure#7885_rhbz#1932289.patch
 Patch0008:      0008-ipatests-use-whole-date-when-calling-journalctl-sinc_rhbz#1932289.patch
 Patch0009:      0009-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1932784.patch
 Patch0010:      0010-ipa-client-install-output-a-warning-if-sudo-is-not-p_rhbz#1939371.patch
+Patch0011:      0011-Only-attempt-to-upgrade-ACME-configuration-files-if-_rhbz#1959984.patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@@ -1680,6 +1681,10 @@ fi
 
 
 %changelog
+* Wed May 26 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.2-4
+- Only attempt to upgrade ACME configuration files if deployed
+  Resolves: RHBZ#1959984
+
 * Fri Mar 19 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.2-3
 - ipa-client-install displays false message
   'sudo binary does not seem to be present on this system'