[Freeipa-devel] [PATCH 0168] Better workaround to get status of CA during upgrade

Martin Basti mbasti at redhat.com
Thu Dec 11 09:01:35 UTC 2014


On 10/12/14 19:21, Jan Cholasta wrote:
> On 10.12.2014 at 18:01, Jan Cholasta wrote:
>> On 1.12.2014 at 16:48, Martin Basti wrote:
>>> On 01/12/14 08:46, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> On 27.11.2014 at 14:24, Martin Basti wrote:
>>>>> Ticket: https://fedorahosted.org/freeipa/ticket/4676
>>>>> Replaces current workaround. Should go to 4.1.3.
>>>>> Patch attached.
>>>>
>>>> When constructing URLs with host:port, please use
>>>> ipautil.format_netloc().
>>>>
>>>> wget should be added as a dependency of freeipa-python in the spec 
>>>> file.
>>>>
>>>> Honza
>>>>
>>> Updated patch attached.
>>>
>>
>> Thanks, ACK.
>>
>> Pushed to:
>> master: 337faf506462a01c6dbcd00f2039ed5627691864
>> ipa-4-1: 5052af773f652bc19e91fe49e15351e5c5c7d976
>>
>
> It turns out I messed up the review (sorry). This fixes the upgrade, 
> but it also breaks ipa-server-install:
>
> 2014-12-10T06:06:44Z DEBUG   [8/27]: starting certificate server instance
> 2014-12-10T06:06:44Z DEBUG Starting external process
> 2014-12-10T06:06:44Z DEBUG args='/bin/systemctl' 'start' 
> 'pki-tomcatd.target'
> 2014-12-10T06:06:45Z DEBUG Process finished, return code=0
> 2014-12-10T06:06:45Z DEBUG stdout=
> 2014-12-10T06:06:45Z DEBUG stderr=
> 2014-12-10T06:06:45Z DEBUG Starting external process
> 2014-12-10T06:06:45Z DEBUG args='/bin/systemctl' 'is-active' 
> 'pki-tomcatd.target'
> 2014-12-10T06:06:45Z DEBUG Process finished, return code=0
> 2014-12-10T06:06:45Z DEBUG stdout=active
>
> 2014-12-10T06:06:45Z DEBUG stderr=
> 2014-12-10T06:06:45Z DEBUG wait_for_open_ports: localhost [8080, 8443] 
> timeout 300
> 2014-12-10T06:06:49Z DEBUG The httpd proxy is not installed, wait on 
> local port
> 2014-12-10T06:06:49Z DEBUG Waiting until the CA is running
> 2014-12-10T06:06:49Z DEBUG Starting external process
> 2014-12-10T06:06:49Z DEBUG args='/usr/bin/wget' '-S' '-O' '-' 
> '--timeout=30' 
> 'https://vm-088.idm.lab.bos.redhat.com:8443/ca/admin/ca/getStatus'
> 2014-12-10T06:07:09Z DEBUG Process finished, return code=5
> 2014-12-10T06:07:09Z DEBUG stdout=
> 2014-12-10T06:07:09Z DEBUG stderr=--2014-12-10 01:06:49-- 
> https://vm-088.idm.lab.bos.redhat.com:8443/ca/admin/ca/getStatus
> Resolving vm-088.idm.lab.bos.redhat.com 
> (vm-088.idm.lab.bos.redhat.com)... 10.16.78.88
> Connecting to vm-088.idm.lab.bos.redhat.com 
> (vm-088.idm.lab.bos.redhat.com)|10.16.78.88|:8443... connected.
> ERROR: cannot verify vm-088.idm.lab.bos.redhat.com's certificate, 
> issued by ‘/O=IDM.LAB.BOS.REDHAT.COM/CN=Certificate Authority’:
>   Self-signed certificate encountered.
> To connect to vm-088.idm.lab.bos.redhat.com insecurely, use 
> `--no-check-certificate'.
>
> 2014-12-10T06:07:09Z DEBUG The CA status is: check interrupted
>
>
> I have reopened the ticket.
>
Patch with '--no-check-certificate' option attached. Before the workaround 
there was no certificate check, so it should not be a problem if we ignore 
the certificate.
Martin^2

-- 
Martin Basti

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0178-Fix-don-t-check-certificate-during-getting-CA-status.patch
Type: text/x-patch
Size: 973 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141211/5bdac086/attachment.bin>

