9991ea
From 34c054ea9203ffa804bafb20afa236af867ce572 Mon Sep 17 00:00:00 2001
9991ea
From: Jan Cholasta <jcholast@redhat.com>
9991ea
Date: Tue, 15 Oct 2013 17:47:12 +0000
9991ea
Subject: [PATCH] PKI service restart after CA renewal failed
9991ea
9991ea
Fix both the service restart procedure and registration of old
9991ea
pki-cad well known service name.
9991ea
9991ea
This patch was adapted from original patch of Jan Cholasta 178 to
9991ea
fix ticket 4092.
9991ea
9991ea
https://fedorahosted.org/freeipa/ticket/4092
9991ea
---
9991ea
 install/restart_scripts/renew_ca_cert  | 16 +++++++++-------
9991ea
 install/restart_scripts/restart_pkicad | 30 ++++++++++++++++++------------
9991ea
 install/restart_scripts/stop_pkicad    | 16 ++++++++--------
9991ea
 ipapython/dogtag.py                    |  4 ++++
9991ea
 ipapython/platform/base/__init__.py    |  2 +-
9991ea
 ipaserver/install/cainstance.py        |  4 ++--
9991ea
 6 files changed, 42 insertions(+), 30 deletions(-)
9991ea
9991ea
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
9991ea
index ab394b970eaee28bc386d4d1ba737643414e2680..b10e4b842f3b9a54962402cddce8710eae4538b8 100644
9991ea
--- a/install/restart_scripts/renew_ca_cert
9991ea
+++ b/install/restart_scripts/renew_ca_cert
9991ea
@@ -49,6 +49,7 @@ api.finalize()
9991ea
 
9991ea
 configured_constants = dogtag.configured_constants(api)
9991ea
 alias_dir = configured_constants.ALIAS_DIR
9991ea
+dogtag_service = ipaservices.knownservices[configured_constants.SERVICE_NAME]
9991ea
 dogtag_instance = configured_constants.PKI_INSTANCE_NAME
9991ea
 
9991ea
 # Fetch the new certificate
9991ea
@@ -106,12 +107,13 @@ if nickname == 'auditSigningCert cert-pki-ca':
9991ea
 # off the servlet to verify that the CA is actually up and responding so
9991ea
 # when this returns it should be good-to-go. The CA was stopped in the
9991ea
 # pre-save state.
9991ea
-syslog.syslog(syslog.LOG_NOTICE, 'Starting %sd' % dogtag_instance)
9991ea
+syslog.syslog(syslog.LOG_NOTICE, 'Starting %s' % dogtag_service.service_name)
9991ea
 try:
9991ea
-    if configured_constants.DOGTAG_VERSION == 9:
9991ea
-        ipaservices.knownservices.pki_cad.start(dogtag_instance)
9991ea
-    else:
9991ea
-        ipaservices.knownservices.pki_tomcatd.start(dogtag_instance)
9991ea
+    dogtag_service.start(dogtag_instance)
9991ea
 except Exception, e:
9991ea
-    syslog.syslog(syslog.LOG_ERR, "Cannot start %sd: %s" %
9991ea
-                  (dogtag_instance, str(e)))
9991ea
+    syslog.syslog(
9991ea
+        syslog.LOG_ERR,
9991ea
+        "Cannot start %s: %s" % (dogtag_service.service_name, e))
9991ea
+else:
9991ea
+    syslog.syslog(
9991ea
+        syslog.LOG_NOTICE, "Started %s" % dogtag_service.service_name)
9991ea
diff --git a/install/restart_scripts/restart_pkicad b/install/restart_scripts/restart_pkicad
9991ea
index a58c3f31e1bd288587842ba5fc4335c967b9405e..f840aeb1a228aee88b1c498700f733f1b90686f0 100644
9991ea
--- a/install/restart_scripts/restart_pkicad
9991ea
+++ b/install/restart_scripts/restart_pkicad
9991ea
@@ -33,18 +33,25 @@ api.finalize()
9991ea
 
9991ea
 configured_constants = dogtag.configured_constants(api)
9991ea
 alias_dir = configured_constants.ALIAS_DIR
9991ea
+dogtag_service = ipaservices.knownservices[configured_constants.SERVICE_NAME]
9991ea
 dogtag_instance = configured_constants.PKI_INSTANCE_NAME
9991ea
 
9991ea
 # dogtag opens its NSS database in read/write mode so we need it
9991ea
 # shut down so certmonger can open it read/write mode. This avoids
9991ea
 # database corruption. It should already be stopped by the pre-command
9991ea
 # but lets be sure.
9991ea
-if ipaservices.knownservices.pki_cad.is_running(dogtag_instance):
9991ea
+if dogtag_service.is_running(dogtag_instance):
9991ea
+    syslog.syslog(
9991ea
+        syslog.LOG_NOTICE, "Stopping %s" % dogtag_service.service_name)
9991ea
     try:
9991ea
-        ipaservices.knownservices.pki_cad.stop(dogtag_instance)
9991ea
+        dogtag_service.stop(dogtag_instance)
9991ea
     except Exception, e:
9991ea
-        syslog.syslog(syslog.LOG_ERR, "Cannot stop %sd: %s" %
9991ea
-                      (dogtag_instance, str(e)))
9991ea
+        syslog.syslog(
9991ea
+            syslog.LOG_ERR,
9991ea
+            "Cannot stop %s: %s" % (dogtag_service.service_name, e))
9991ea
+    else:
9991ea
+        syslog.syslog(
9991ea
+            syslog.LOG_NOTICE, "Stopped %s" % dogtag_service.service_name)
9991ea
 
9991ea
 # Fix permissions on the audit cert if we're updating it
9991ea
 if nickname == 'auditSigningCert cert-pki-ca':
9991ea
@@ -55,14 +62,13 @@ if nickname == 'auditSigningCert cert-pki-ca':
9991ea
            ]
9991ea
     db.run_certutil(args)
9991ea
 
9991ea
+syslog.syslog(syslog.LOG_NOTICE, 'Starting %s' % dogtag_service.service_name)
9991ea
 try:
9991ea
-    if configured_constants.DOGTAG_VERSION == 9:
9991ea
-        ipaservices.knownservices.pki_cad.start(dogtag_instance)
9991ea
-    else:
9991ea
-        ipaservices.knownservices.pki_tomcatd.start(dogtag_instance)
9991ea
+    dogtag_service.start(dogtag_instance)
9991ea
 except Exception, e:
9991ea
-    syslog.syslog(syslog.LOG_ERR, "Cannot start %sd: %s" %
9991ea
-                  (dogtag_instance, str(e)))
9991ea
+    syslog.syslog(
9991ea
+        syslog.LOG_ERR,
9991ea
+        "Cannot start %s: %s" % (dogtag_service.service_name, e))
9991ea
 else:
9991ea
-    syslog.syslog(syslog.LOG_NOTICE, "certmonger started %sd, nickname '%s'" %
9991ea
-                  (dogtag_instance, nickname))
9991ea
+    syslog.syslog(
9991ea
+        syslog.LOG_NOTICE, "Started %s" % dogtag_service.service_name)
9991ea
diff --git a/install/restart_scripts/stop_pkicad b/install/restart_scripts/stop_pkicad
9991ea
index c8589b286eefbe1c3d79e2a6dab7adfd3ff56b2a..bbaf8895e3a86899ee5bd794eb595fd43316028b 100644
9991ea
--- a/install/restart_scripts/stop_pkicad
9991ea
+++ b/install/restart_scripts/stop_pkicad
9991ea
@@ -29,15 +29,15 @@ api.bootstrap(context='restart')
9991ea
 api.finalize()
9991ea
 
9991ea
 configured_constants = dogtag.configured_constants(api)
9991ea
+dogtag_service = ipaservices.knownservices[configured_constants.SERVICE_NAME]
9991ea
 dogtag_instance = configured_constants.PKI_INSTANCE_NAME
9991ea
 
9991ea
-syslog.syslog(syslog.LOG_NOTICE, "certmonger stopping %sd" % dogtag_instance)
9991ea
-
9991ea
+syslog.syslog(syslog.LOG_NOTICE, "Stopping %s" % dogtag_service.service_name)
9991ea
 try:
9991ea
-    if configured_constants.DOGTAG_VERSION == 9:
9991ea
-        ipaservices.knownservices.pki_cad.stop(dogtag_instance)
9991ea
-    else:
9991ea
-        ipaservices.knownservices.pki_tomcatd.stop(dogtag_instance)
9991ea
+    dogtag_service.stop(dogtag_instance)
9991ea
 except Exception, e:
9991ea
-    syslog.syslog(syslog.LOG_ERR, "Cannot stop %sd: %s" %
9991ea
-                  (dogtag_instance, str(e)))
9991ea
+    syslog.syslog(
9991ea
+        syslog.LOG_ERR, "Cannot stop %s: %s" % (dogtag_service.service_name, e))
9991ea
+else:
9991ea
+    syslog.syslog(
9991ea
+        syslog.LOG_NOTICE, "Stopped %s" % dogtag_service.service_name)
9991ea
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
9991ea
index ea769b0275c4642d5da457996165e5a348cb7299..f829b9340d1ce55b2adae4817018de11b894c92d 100644
9991ea
--- a/ipapython/dogtag.py
9991ea
+++ b/ipapython/dogtag.py
9991ea
@@ -62,6 +62,8 @@ class Dogtag10Constants(object):
9991ea
     SERVICE_PROFILE_DIR = '%s/ca/profiles/ca' % PKI_ROOT
9991ea
     ALIAS_DIR = '/etc/pki/pki-tomcat/alias'
9991ea
 
9991ea
+    SERVICE_NAME = 'pki_tomcatd'
9991ea
+
9991ea
     RACERT_LINE_SEP = '\n'
9991ea
 
9991ea
     IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR
9991ea
@@ -92,6 +94,8 @@ class Dogtag9Constants(object):
9991ea
     SERVICE_PROFILE_DIR = '%s/profiles/ca' % PKI_ROOT
9991ea
     ALIAS_DIR = '%s/alias' % PKI_ROOT
9991ea
 
9991ea
+    SERVICE_NAME = 'pki-cad'
9991ea
+
9991ea
     RACERT_LINE_SEP = '\r\n'
9991ea
 
9991ea
     ADMIN_SECURE_PORT = 9445
9991ea
diff --git a/ipapython/platform/base/__init__.py b/ipapython/platform/base/__init__.py
9991ea
index e2aa33faf9ccf182c778dfdbd8fd68d3686deae0..d76bc73a7d159c2dd43e281fa9916f245d88aaf3 100644
9991ea
--- a/ipapython/platform/base/__init__.py
9991ea
+++ b/ipapython/platform/base/__init__.py
9991ea
@@ -27,7 +27,7 @@
9991ea
 wellknownservices = ['certmonger', 'dirsrv', 'httpd', 'ipa', 'krb5kdc',
9991ea
                      'messagebus', 'nslcd', 'nscd', 'ntpd', 'portmap',
9991ea
                      'rpcbind', 'kadmin', 'sshd', 'autofs', 'rpcgssd',
9991ea
-                     'rpcidmapd', 'pki_tomcatd', 'pki-cad', 'chronyd']
9991ea
+                     'rpcidmapd', 'pki_tomcatd', 'pki_cad', 'chronyd']
9991ea
 
9991ea
 # System may support more time&date services. FreeIPA supports ntpd only, other
9991ea
 # services will be disabled during IPA installation
9991ea
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
9991ea
index ac5c81de8c57194160cbfd2fa79c776bf2f39625..52c91b68c2d073a9b1c6aedc1811aa26db046e6b 100644
9991ea
--- a/ipaserver/install/cainstance.py
9991ea
+++ b/ipaserver/install/cainstance.py
9991ea
@@ -1283,7 +1283,7 @@ def enable_client_auth_to_db(self):
9991ea
         """
9991ea
         caconfig = dogtag.install_constants.CS_CFG_PATH
9991ea
 
9991ea
-        with stopped_service('pki_tomcatd',
9991ea
+        with stopped_service(self.dogtag_constants.SERVICE_NAME,
9991ea
                         instance_name=self.dogtag_constants.PKI_INSTANCE_NAME):
9991ea
 
9991ea
             # Enable file publishing, disable LDAP
9991ea
@@ -1723,7 +1723,7 @@ def update_cert_config(nickname, cert, dogtag_constants=None):
9991ea
                   'subsystemCert cert-pki-ca': 'ca.subsystem.cert',
9991ea
                   'Server-Cert cert-pki-ca': 'ca.sslserver.cert'}
9991ea
 
9991ea
-    with stopped_service('pki_tomcatd',
9991ea
+    with stopped_service(dogtag_constants.SERVICE_NAME,
9991ea
                          instance_name=dogtag_constants.PKI_INSTANCE_NAME):
9991ea
 
9991ea
         installutils.set_directive(dogtag.configured_constants().CS_CFG_PATH,
9991ea
-- 
9991ea
1.8.4.2
9991ea