Check the result of cert request in replica installer #285

Closed
wants to merge 1 commit into from

@flo-renaud flo-renaud commented Nov 29, 2016

When running ipa-replica-install in domain-level 1, the installer
requests the LDAP and HTTP certificates using certmonger but does
not check the return code. The installer goes on and fails when
restarting dirsrv.

Fix: when certmonger was not able to request the certificate, raise an
exception and exit from the installer:

[28/45]: retrieving DS Certificate
[error] RuntimeError: Certificate issuance failed
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Certificate issuance failed
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

https://fedorahosted.org/freeipa/ticket/6514

@tkrizek tkrizek self-assigned this Nov 30, 2016
@MartinBasti

Can we add the cert state to the error message? raise RuntimeError("Certificate issuance failed") in request_and_wait_for_cert is not very detailed.

Something like:

"Certificate issuance failed (CA_UNREACHABLE)"

@tkrizek

tkrizek commented Nov 30, 2016

Functional ACK. If it's possible, it would be nice to have a bit more info in the error msg as @mbasti-rh pointed out.

When running ipa-replica-install in domain-level 1, the installer
requests the LDAP and HTTP certificates using certmonger but does
not check the return code. The installer goes on and fails when
restarting dirsrv.

Fix: when certmonger was not able to request the certificate, raise an
exception and exit from the installer:

  [28/45]: retrieving DS Certificate
  [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    Certificate issuance failed (CA_UNREACHABLE)
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

https://fedorahosted.org/freeipa/ticket/6514
@flo-renaud

Thanks for the suggestion. I added certmonger's request status in the exception message.

@MartinBasti

LGTM

@tkrizek tkrizek added the ack Pull Request approved, can be merged label Nov 30, 2016
@MartinBasti MartinBasti added the pushed Pull Request has already been pushed label Nov 30, 2016
@flo-renaud flo-renaud deleted the issue6514 branch March 14, 2017 07:49
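
The fail-fast check discussed in this thread, as an added example that is not the FreeIPA patch or its code: poll a certificate request until it settles and raise with the request state in the message. `get_state`, `scripted`, the timeout message and the sets of pending/success states are assumptions made for illustration.

```python
import time

# Assumption: certmonger reports MONITORING once a certificate has been
# issued and is being tracked; any other settled state is treated as failure.
SUCCESS_STATE = "MONITORING"
# Assumption: illustrative subset of states in which the request is in flight.
PENDING_STATES = {"NEWLY_ADDED", "GENERATING_KEY_PAIR",
                  "GENERATING_CSR", "SUBMITTING"}


def wait_for_cert(get_state, timeout=300, interval=5,
                  sleep=time.sleep, clock=time.monotonic):
    """Poll get_state() until the request settles; raise unless it succeeded.

    get_state is a hypothetical callable returning the request's current
    state string (a stand-in for a certmonger client, not FreeIPA's API).
    """
    deadline = clock() + timeout
    state = get_state()
    while state in PENDING_STATES:
        if clock() >= deadline:
            raise RuntimeError("Certificate issuance timed out (%s)" % state)
        sleep(interval)
        state = get_state()
    if state != SUCCESS_STATE:
        # Fail here, with the state in the message, instead of letting a
        # later step (such as a service restart) fail for an unclear reason.
        raise RuntimeError("Certificate issuance failed (%s)" % state)
    return state


def scripted(states):
    """Constructed test double: returns each state in turn, then repeats the last."""
    it = iter(states)
    last = [None]

    def get_state():
        last[0] = next(it, last[0])
        return last[0]
    return get_state


if __name__ == "__main__":
    no_sleep = lambda _seconds: None
    print(wait_for_cert(scripted(["SUBMITTING", "MONITORING"]), sleep=no_sleep))
    try:
        wait_for_cert(scripted(["SUBMITTING", "CA_UNREACHABLE"]), sleep=no_sleep)
    except RuntimeError as exc:
        print(exc)
```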