[Freeipa-devel] [PATCH 1/1] After unininstall see if certmonger is still tracking any of our certs.
rcritten at redhat.com
rcritten at redhat.com
Tue Oct 23 20:39:19 UTC 2012
From: Rob Crittenden <rcritten at redhat.com>
Rather than providing a list of nicknames I'm going to look at the NSS
databases directly. Anything in there is suspect and this will help
future-proof us.
certmonger may be tracking other certificates but we only care about
a subset of them, so don't complain if there are other tracked certificates.
This reads the certmonger files directly so the service doesn't need
to be started.
https://fedorahosted.org/freeipa/ticket/2702
---
install/tools/ipa-server-install | 10 +++++++++-
ipapython/certmonger.py | 33 +++++++++++++++++++++++++++++++++
2 files changed, 42 insertions(+), 1 deletion(-)
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index cc25fb85500b6a97e71c822a882cf6f2aca4f0a0..3b03357185b6f8ff3a13db163a716ce79e7e5bfe 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -52,6 +52,7 @@ from ipaserver.install import sysupgrade
from ipaserver.install import service, installutils
from ipapython import version
+from ipapython import certmonger
from ipaserver.install.installutils import *
from ipaserver.plugins.ldap2 import ldap2
@@ -527,7 +528,14 @@ def uninstall():
rv = 1
if has_state:
- root_logger.warning('Some installation state has not been restored.\nThis will cause re-installation to fail.\nIt should be safe to remove /var/lib/ipa/sysrestore.state but it may\nmean your system hasn\'t be restored to its pre-installation state.')
+ root_logger.error('Some installation state has not been restored.\nThis may cause re-installation to fail.\nIt should be safe to remove /var/lib/ipa/sysrestore.state but it may\nmean your system hasn\'t be restored to its pre-installation state.')
+
+ # Note that this name will be wrong after the first uninstall.
+ dirname = dsinstance.config_dirname(dsinstance.realm_to_serverid(api.env.realm))
+ dirs = [dirname, dogtag.configured_constants().ALIAS_DIR, certs.NSS_DIR]
+ ids = certmonger.check_state(dirs)
+ if ids:
+ root_logger.error('Some certificates may still be tracked by certmonger.\nThis will cause re-installation to fail.\nStart the certmonger service and list the certificates being tracked\n # getcert list\nThese may be untracked by executing\n # getcert stop-tracking -i <request_id>\nfor each id in: %s' % ', '.join(ids))
return rv
diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index 9cc4466c61108a863eb76b1ff67bef559a9228d0..f823a6deccbae8dcabc23867bbe90b56fbbb390a 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -114,6 +114,24 @@ def get_request_id(criteria):
return reqid
+def get_requests_for_dir(dir):
+ """
+ Return a list containing the request ids for a given NSS database
+ directory.
+ """
+ reqid=[]
+ fileList=os.listdir(REQUEST_DIR)
+ for file in fileList:
+ rv = find_request_value('%s/%s' % (REQUEST_DIR, file),
+ 'cert_storage_location')
+ if rv:
+ rv = os.path.abspath(rv)
+ if rv.rstrip() == dir:
+ reqid.append(find_request_value('%s/%s' % (REQUEST_DIR, file), 'id').rstrip())
+
+ return reqid
+
+
def add_request_value(request_id, directive, value):
"""
Add a new directive to a certmonger request file.
@@ -393,6 +411,21 @@ def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, command):
(stdout, stderr, returncode) = ipautil.run(args, nolog=[pin])
+def check_state(dirs):
+ """
+ Given a set of directories and nicknames verify that we are no longer
+ tracking certificates.
+
+ dirs is a list of directories to test for. We will return a tuple
+ of nicknames for any tracked certificates found.
+
+ This can only check for NSS-based certificates.
+ """
+ reqids = []
+ for dir in dirs:
+ reqids.extend(get_requests_for_dir(dir))
+
+ return reqids
if __name__ == '__main__':
request_id = request_cert("/etc/httpd/alias", "Test", "cn=tiger.example.com,O=IPA", "HTTP/tiger.example.com at EXAMPLE.COM")
--
1.7.11.4
More information about the Freeipa-devel
mailing list