From 71cc3d08a80f0bcaafc9537ca7a1953ca1d3191d Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Nov 01 2012 14:52:30 +0000
Subject: After unininstall see if certmonger is still tracking any of our certs.
Rather than providing a list of nicknames I'm going to look at the NSS databases directly. Anything in there is suspect and this will help future-proof us. certmonger may be tracking other certificates but we only care about a subset of them, so don't complain if there are other tracked certificates. This reads the certmonger files directly so the service doesn't need to be started. https://fedorahosted.org/freeipa/ticket/2702
---
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 6d1e699..70e5153 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -52,6 +52,7 @@ from ipaserver.install import sysupgrade
 from ipaserver.install import service, installutils
 from ipapython import version
+from ipapython import certmonger
 from ipaserver.install.installutils import *
 from ipaserver.plugins.ldap2 import ldap2
@@ -527,7 +528,14 @@ def uninstall():
 rv = 1
 if has_state:
- root_logger.warning('Some installation state has not been restored.\nThis will cause re-installation to fail.\nIt should be safe to remove /var/lib/ipa/sysrestore.state but it may\nmean your system hasn\'t be restored to its pre-installation state.')
+ root_logger.error('Some installation state has not been restored.\nThis may cause re-installation to fail.\nIt should be safe to remove /var/lib/ipa/sysrestore.state but it may\nmean your system hasn\'t be restored to its pre-installation state.')
+
+ # Note that this name will be wrong after the first uninstall.
+ dirname = dsinstance.config_dirname(dsinstance.realm_to_serverid(api.env.realm))
+ dirs = [dirname, dogtag.configured_constants().ALIAS_DIR, certs.NSS_DIR]
+ ids = certmonger.check_state(dirs)
+ if ids:
+ root_logger.error('Some certificates may still be tracked by certmonger.\nThis will cause re-installation to fail.\nStart the certmonger service and list the certificates being tracked\n # getcert list\nThese may be untracked by executing\n # getcert stop-tracking -i \nfor each id in: %s' % ', '.join(ids))
 return rv
diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index 9cc4466..22678da 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -114,6 +114,27 @@ def get_request_id(criteria):
 return reqid
+def get_requests_for_dir(dir):
+ """
+ Return a list containing the request ids for a given NSS database
+ directory.
+ """
+ reqid=[]
+ fileList=os.listdir(REQUEST_DIR)
+ for file in fileList:
+ rv = find_request_value(os.path.join(REQUEST_DIR, file),
+ 'cert_storage_location')
+ if rv is None:
+ continue
+ rv = os.path.abspath(rv).rstrip()
+ if rv != dir:
+ continue
+ id = find_request_value(os.path.join(REQUEST_DIR, file), 'id')
+ if id is not None:
+ reqid.append(id.rstrip())
+
+ return reqid
+
 def add_request_value(request_id, directive, value):
 """
 Add a new directive to a certmonger request file.
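Review bot: The new certmonger check reports leftover request ids but never changes `rv`, so an uninstall that leaves certificates tracked still exits successfully even though the message it prints says re-installation will fail. Adding `rv = 1` inside `if ids:` would make the outcome consistent with the has_state branch directly above it; uninstall() starts outside this hunk, so how rv is initialised and returned cannot be checked here. The entries of `dirs` are compared by exact string match in get_requests_for_dir (the certmonger.py hunk below), so if `dsinstance.config_dirname()` returns its path with a trailing slash, which I cannot confirm from this hunk, directory-server certificates would never be reported; normalising the list with `dirs = [os.path.abspath(d) for d in dirs]` before the call, or inside get_requests_for_dir, removes that dependency. The same path-matching point applies to the get_requests_for_dir hunk in certmonger.py.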
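Review bot: `os.listdir(REQUEST_DIR)` raises OSError when certmonger's request directory does not exist (certmonger never installed, or its state directory already removed), and because this is called near the end of uninstall() that traceback would replace the summary the caller is trying to print. A guard such as `if not os.path.isdir(REQUEST_DIR): return reqid` keeps the check best-effort, which is what the commit message describes (reading the files without the service running). The comparison `if rv != dir:` normalises only the value read from the request file; `if rv != os.path.abspath(dir):` also normalises the caller's directory so a trailing slash or relative path does not silently hide a tracked certificate. Style: `dir`, `file` and `id` shadow builtins, and each request file is parsed twice by find_request_value where one pass collecting both directives would do.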
@@ -393,6 +414,21 @@ def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, command):
 (stdout, stderr, returncode) = ipautil.run(args, nolog=[pin])
+def check_state(dirs):
+ """
+ Given a set of directories and nicknames verify that we are no longer
+ tracking certificates.
+
+ dirs is a list of directories to test for. We will return a tuple
+ of nicknames for any tracked certificates found.
+
+ This can only check for NSS-based certificates.
+ """
+ reqids = []
+ for dir in dirs:
+ reqids.extend(get_requests_for_dir(dir))
+
+ return reqids
 if __name__ == '__main__':
 request_id = request_cert("/etc/httpd/alias", "Test", "cn=tiger.example.com,O=IPA", "HTTP/tiger.example.com@EXAMPLE.COM")
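Review bot: The docstring does not match the code: it mentions nicknames as input and promises a tuple of nicknames, but the function takes only directories and returns a list of certmonger request ids (the values get_requests_for_dir collects, which the caller feeds to `getcert stop-tracking -i`). Suggested wording: `Return a list of certmonger request ids whose cert_storage_location is one of the NSS database directories in dirs; only NSS-backed requests can be detected.` Because get_requests_for_dir matches paths by exact string comparison, the docstring should also state that entries of dirs are expected to be absolute, normalised paths, or the function should normalise them itself with `reqids.extend(get_requests_for_dir(os.path.abspath(dir)))`.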