URL: https://github.com/freeipa/freeipa/pull/4902
Author: frasertweedale
Title: #4902: [Backport][ipa-4-6] certupdate: only add LWCA tracking requests on CA servers
Action: opened
PR body:
"""
This PR was opened automatically because PR #4896 was pushed to master and backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4902/head:pr4902
git checkout pr4902

From a6e3aceeabbc0000ca403581edadc79fc254fb4c Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Wed, 8 Jul 2020 12:43:02 +1000 Subject: [PATCH] certupdate: only add LWCA tracking requests on CA servers ipa-certupdate throws an exception when executed on a non-CA server in a CA-ful deployment with lightweight sub-CAs (LWCAs). Check that we are on a CA server before attempting to create Certmonger tracking requests for LWCAs. HOW TO TEST 1. Install first server (with CA) 2. Install replica without CA 3. Create sub-CA (`ipa ca-add`) 4. Run `ipa-certupdate` on replica. Observe that no stack trace is produced. Fixes: https://pagure.io/freeipa/issue/8399 --- ipaclient/install/ipa_certupdate.py | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/ipaclient/install/ipa_certupdate.py b/ipaclient/install/ipa_certupdate.py index 1311dc62e8..0e8129c465 100644 --- a/ipaclient/install/ipa_certupdate.py +++ b/ipaclient/install/ipa_certupdate.py @@ -110,14 +110,19 @@ def run_with_args(api): server_fstore = sysrestore.FileStore(paths.SYSRESTORE) if server_fstore.has_files(): update_server(certs) - try: - # pylint: disable=import-error,ipa-forbidden-import - from ipaserver.install import cainstance - # pylint: enable=import-error,ipa-forbidden-import - cainstance.add_lightweight_ca_tracking_requests(lwcas) - except Exception: - logger.exception( - "Failed to add lightweight CA tracking requests") + + # pylint: disable=import-error,ipa-forbidden-import + from ipaserver.install import cainstance + # pylint: enable=import-error,ipa-forbidden-import + + # Add LWCA tracking requests. Only execute if *this server* + # has CA installed (ca_enabled indicates CA-ful topology). + if cainstance.CAInstance().is_configured(): + try: + cainstance.add_lightweight_ca_tracking_requests(lwcas) + except Exception: + logger.exception( + "Failed to add lightweight CA tracking requests") update_client(certs)
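Review bot: The import of cainstance and the cainstance.CAInstance().is_configured() call in the hunk at @@ -110,14 +110,19 @@ now sit outside the try/except that previously wrapped the import, so an exception raised by either one is no longer logged and swallowed; it would propagate out of run_with_args and update_client(certs) would not run. If that is intended, a brief comment saying so would help; otherwise, move the is_configured() check inside the try so that a failure there is still logged via logger.exception and the client update proceeds. Separately, the new comment refers to ca_enabled, which does not appear in the visible lines; consider pointing at where that value is checked, or rewording to say only that the check is local to this server.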