[Freeipa-devel] [PATCH] 694 fix external, normal CA install

Simo Sorce ssorce at redhat.com
Fri Jan 28 18:32:39 UTC 2011


On Fri, 28 Jan 2011 10:09:18 -0500
Rob Crittenden <rcritten at redhat.com> wrote:

> Fix the "is the server configured" detection code to allow an
> external CA installation to proceed.
> 
> We cache the install values between the first and second stage of a
> CA installation. The install would fail in stage two if for some
> reason this cache file didn't exist, this should also be fixed.
> 
> Also add a small loop in the restart code to wait for the Java webapp
> to be available before proceeding. I also added another restart to
> ensure that nonces are disabled in the running server. We had a
> report where CS.cfg had nonces disabled but requests were failing
> with nonce failures, this additional restart resolved it.
> 
> I tested the following scenarios:
> 
> 1. Basic IPA install: ipa-server-install
> 2. External CA install: ipa-server-install --external-ca; 
> ipa-server-install --external_cert_file=/path/to/file 
> --external_ca_file=/path/to/file
> 3. External CA install with cache removal: ipa-server-install
> --external-ca; rm /root/.ipa_cache; ipa-server-install
> --external_cert_file=/path/to/file --external_ca_file=/path/to/file
> 4. Using just stage two of an external CA install which should fail: 
> ipa-server-install --external_cert_file=/path/to/file 
> --external_ca_file=/path/to/file
> 
> ticket 835

Mostly good but I have found a few issues with the approach.

1. ntpd got reinstalled; this probably wiped the original sysrestore
backups for it. Installation of ntpd should be skipped in the second
invocation.

2. .ipa_cache makes me *really* nervous and the fact you wipe it out
even on syntax errors when running the second step is fragile.

I suggest you encrypt the file with the DM password like we do for
replica files, and ask just for the DM password if the "external"
options are passed and the file is around.

If there is any error leave the file around (it's encrypted anyway).
Delete it only if the second step is successful.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
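Simo's suggestion above, as an added Python illustration that is not FreeIPA code: the stage-one options are written to the cache only in encrypted and authenticated form keyed from the DM password, stage two refuses to proceed on a wrong password or a tampered or missing file, and the file is removed only after the second stage succeeds. The cache path, the `finish_install` callback and the HMAC-SHA256 counter-mode cipher (a stdlib stand-in for the encryption used for replica files) are assumptions.

```python
import hashlib, hmac, json, os, secrets, tempfile

# Constructed stand-in for the real cache location (/root/.ipa_cache).
CACHE_FILE = os.path.join(tempfile.gettempdir(), ".ipa_cache.demo")

def _keys(dm_password, salt):
    # Derive separate encryption and MAC keys from the DM password.
    km = hashlib.pbkdf2_hmac("sha256", dm_password.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a PRF stream (assumed stdlib stand-in for a cipher).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), "sha256").digest()
        ctr += 1
    return out[:n]

def save_cache(values, dm_password, path=CACHE_FILE):
    # Stage one: store the install options as encrypt-then-MAC, owner-readable only.
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _keys(dm_password, salt)
    plain = json.dumps(values).encode()
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(enc_key, nonce, len(plain))))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    with open(path, "wb") as f:
        f.write(salt + nonce + ct + tag)
    os.chmod(path, 0o600)

def load_cache(dm_password, path=CACHE_FILE):
    # A missing file raises FileNotFoundError; a bad password or edit fails the MAC.
    with open(path, "rb") as f:
        blob = f.read()
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _keys(dm_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cache authentication failed: wrong DM password or tampered file")
    plain = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(plain)

def cache_present(path=CACHE_FILE):
    return os.path.exists(path)

def run_stage_two(dm_password, finish_install, path=CACHE_FILE):
    # Stage two: any failure (password, options, install) propagates and leaves the file.
    values = load_cache(dm_password, path)
    finish_install(values)          # assumed callback that does the actual CA setup
    os.unlink(path)                 # delete only after a successful second stage
    return values
```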