[Freeipa-devel] [PATCH 0168] Better workaround to get status of CA during upgrade

Jan Cholasta jcholast at redhat.com
Thu Dec 11 10:23:03 UTC 2014


On 11.12.2014 at 10:01, Martin Basti wrote:
> On 10/12/14 19:21, Jan Cholasta wrote:
>> On 10.12.2014 at 18:01, Jan Cholasta wrote:
>>> On 1.12.2014 at 16:48, Martin Basti wrote:
>>>> On 01/12/14 08:46, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> On 27.11.2014 at 14:24, Martin Basti wrote:
>>>>>> Ticket: https://fedorahosted.org/freeipa/ticket/4676
>>>>>> Replaces current workaround. Should go to 4.1.3.
>>>>>> Patch attached.
>>>>>
>>>>> When constructing URLs with host:port, please use
>>>>> ipautil.format_netloc().
>>>>>
>>>>> wget should be added as a dependency of freeipa-python in the spec
>>>>> file.
>>>>>
>>>>> Honza
>>>>>
>>>> Updated patch attached.
>>>>
>>>
>>> Thanks, ACK.
>>>
>>> Pushed to:
>>> master: 337faf506462a01c6dbcd00f2039ed5627691864
>>> ipa-4-1: 5052af773f652bc19e91fe49e15351e5c5c7d976
>>>
>>
>> It turns out I messed up the review (sorry). This fixes the upgrade,
>> but it also breaks ipa-server-install:
>>
>> 2014-12-10T06:06:44Z DEBUG   [8/27]: starting certificate server instance
>> 2014-12-10T06:06:44Z DEBUG Starting external process
>> 2014-12-10T06:06:44Z DEBUG args='/bin/systemctl' 'start'
>> 'pki-tomcatd.target'
>> 2014-12-10T06:06:45Z DEBUG Process finished, return code=0
>> 2014-12-10T06:06:45Z DEBUG stdout=
>> 2014-12-10T06:06:45Z DEBUG stderr=
>> 2014-12-10T06:06:45Z DEBUG Starting external process
>> 2014-12-10T06:06:45Z DEBUG args='/bin/systemctl' 'is-active'
>> 'pki-tomcatd.target'
>> 2014-12-10T06:06:45Z DEBUG Process finished, return code=0
>> 2014-12-10T06:06:45Z DEBUG stdout=active
>>
>> 2014-12-10T06:06:45Z DEBUG stderr=
>> 2014-12-10T06:06:45Z DEBUG wait_for_open_ports: localhost [8080, 8443]
>> timeout 300
>> 2014-12-10T06:06:49Z DEBUG The httpd proxy is not installed, wait on
>> local port
>> 2014-12-10T06:06:49Z DEBUG Waiting until the CA is running
>> 2014-12-10T06:06:49Z DEBUG Starting external process
>> 2014-12-10T06:06:49Z DEBUG args='/usr/bin/wget' '-S' '-O' '-'
>> '--timeout=30'
>> 'https://vm-088.idm.lab.bos.redhat.com:8443/ca/admin/ca/getStatus'
>> 2014-12-10T06:07:09Z DEBUG Process finished, return code=5
>> 2014-12-10T06:07:09Z DEBUG stdout=
>> 2014-12-10T06:07:09Z DEBUG stderr=--2014-12-10 01:06:49--
>> https://vm-088.idm.lab.bos.redhat.com:8443/ca/admin/ca/getStatus
>> Resolving vm-088.idm.lab.bos.redhat.com
>> (vm-088.idm.lab.bos.redhat.com)... 10.16.78.88
>> Connecting to vm-088.idm.lab.bos.redhat.com
>> (vm-088.idm.lab.bos.redhat.com)|10.16.78.88|:8443... connected.
>> ERROR: cannot verify vm-088.idm.lab.bos.redhat.com's certificate,
>> issued by ‘/O=IDM.LAB.BOS.REDHAT.COM/CN=Certificate Authority’:
>>   Self-signed certificate encountered.
>> To connect to vm-088.idm.lab.bos.redhat.com insecurely, use
>> `--no-check-certificate'.
>>
>> 2014-12-10T06:07:09Z DEBUG The CA status is: check interrupted
>>
>>
>> I have reopened the ticket.
>>
> Patch with '--no-check-certificate' option attached. Before the workaround
> there was no certificate check, so it should not be a problem if we ignore
> the certificate.
> Martin^2
>

Thanks, ACK.

Pushed to:
master: 95becc1d542c78721088398eddbfd0d0ffe9b27f
ipa-4-1: 8440c2ee97e1c7e29e20629a2579af28a6d654be

-- 
Jan Cholasta
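
An added example, not part of the thread or of FreeIPA's code: a small parser for install-log records in the format quoted above that pairs each wget invocation with its return code, separating a TLS verification failure (wget exit status 5, as in the quoted log) from other failures and flagging runs made with certificate checking disabled. The sample log, the host `ca.example.test` and the function name `wget_findings` are constructed for illustration.

```python
import re

# wget exit statuses, from the EXIT STATUS section of the wget manual.
WGET_EXIT = {0: "ok", 4: "network failure", 5: "SSL verification failure",
             8: "server issued an error response"}

# Constructed sample in the install-log format quoted above (one record per line).
SAMPLE_LOG = """\
2014-12-10T06:06:44Z DEBUG args='/bin/systemctl' 'start' 'pki-tomcatd.target'
2014-12-10T06:06:45Z DEBUG Process finished, return code=0
2014-12-10T06:06:49Z DEBUG args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' 'https://ca.example.test:8443/ca/admin/ca/getStatus'
2014-12-10T06:07:09Z DEBUG Process finished, return code=5
2014-12-10T06:07:09Z DEBUG stderr=--2014-12-10 01:06:49--
  Self-signed certificate encountered.
2014-12-10T06:09:00Z DEBUG args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ca.example.test:8443/ca/admin/ca/getStatus'
2014-12-10T06:09:01Z DEBUG Process finished, return code=0
"""

RECORD = re.compile(r"^(\S+) DEBUG (.*)$")
RC = re.compile(r"^Process finished, return code=(\d+)$")


def wget_findings(log_text):
    """Pair each wget 'args=' record with its return code and classify it."""
    findings, pending = [], None
    for raw in log_text.splitlines():
        m = RECORD.match(raw)
        if not m:
            continue  # untimestamped continuation lines (stderr bodies)
        stamp, msg = m.groups()
        if msg.startswith("args="):
            # Remember the most recently started external process.
            pending = (stamp, re.findall(r"'([^']*)'", msg))
            continue
        rc = RC.match(msg)
        if not (rc and pending):
            continue
        (started, argv), pending = pending, None
        if argv and argv[0].endswith("/wget"):
            code = int(rc.group(1))
            findings.append({
                "time": started, "rc": code,
                "url": next((a for a in argv if a.startswith("http")), None),
                "meaning": WGET_EXIT.get(code, "other"),
                "verify_disabled": "--no-check-certificate" in argv,
            })
    return findings


if __name__ == "__main__":
    for finding in wget_findings(SAMPLE_LOG):
        print(finding)
```
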



