From 34c054ea9203ffa804bafb20afa236af867ce572 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 15 Oct 2013 17:47:12 +0000
Subject: [PATCH] PKI service restart after CA renewal failed
Fix both the service restart procedure and registration of old
pki-cad well known service name.
This patch was adapted from Jan Cholasta's original patch 178 to
fix ticket 4092.
https://fedorahosted.org/freeipa/ticket/4092
---
install/restart_scripts/renew_ca_cert | 16 +++++++++-------
install/restart_scripts/restart_pkicad | 30 ++++++++++++++++++------------
install/restart_scripts/stop_pkicad | 16 ++++++++--------
ipapython/dogtag.py | 4 ++++
ipapython/platform/base/__init__.py | 2 +-
ipaserver/install/cainstance.py | 4 ++--
6 files changed, 42 insertions(+), 30 deletions(-)
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index ab394b970eaee28bc386d4d1ba737643414e2680..b10e4b842f3b9a54962402cddce8710eae4538b8 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -49,6 +49,7 @@ api.finalize()
configured_constants = dogtag.configured_constants(api)
alias_dir = configured_constants.ALIAS_DIR
+dogtag_service = ipaservices.knownservices[configured_constants.SERVICE_NAME]
dogtag_instance = configured_constants.PKI_INSTANCE_NAME
# Fetch the new certificate
@@ -106,12 +107,13 @@ if nickname == 'auditSigningCert cert-pki-ca':
# off the servlet to verify that the CA is actually up and responding so
# when this returns it should be good-to-go. The CA was stopped in the
# pre-save state.
-syslog.syslog(syslog.LOG_NOTICE, 'Starting %sd' % dogtag_instance)
+syslog.syslog(syslog.LOG_NOTICE, 'Starting %s' % dogtag_service.service_name)
try:
- if configured_constants.DOGTAG_VERSION == 9:
- ipaservices.knownservices.pki_cad.start(dogtag_instance)
- else:
- ipaservices.knownservices.pki_tomcatd.start(dogtag_instance)
+ dogtag_service.start(dogtag_instance)
except Exception, e:
- syslog.syslog(syslog.LOG_ERR, "Cannot start %sd: %s" %
- (dogtag_instance, str(e)))
+ syslog.syslog(
+ syslog.LOG_ERR,
+ "Cannot start %s: %s" % (dogtag_service.service_name, e))
+else:
+ syslog.syslog(
+ syslog.LOG_NOTICE, "Started %s" % dogtag_service.service_name)
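Review bot: The `except Exception, e:` branch at the end of this hunk only writes the failure to syslog and then lets the script fall off the end, so the helper exits 0 and certmonger records the post-save step as successful even though the CA was left stopped. Ending the branch with `sys.exit(1)` (adding `import sys` in the script header, which is outside this hunk, if it is not already there) lets certmonger surface the failure instead of hiding it behind a NOTICE-level log. The `else:` branch is correctly placed, as it only runs when `dogtag_service.start()` returned normally.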
diff --git a/install/restart_scripts/restart_pkicad b/install/restart_scripts/restart_pkicad
index a58c3f31e1bd288587842ba5fc4335c967b9405e..f840aeb1a228aee88b1c498700f733f1b90686f0 100644
--- a/install/restart_scripts/restart_pkicad
+++ b/install/restart_scripts/restart_pkicad
@@ -33,18 +33,25 @@ api.finalize()
configured_constants = dogtag.configured_constants(api)
alias_dir = configured_constants.ALIAS_DIR
+dogtag_service = ipaservices.knownservices[configured_constants.SERVICE_NAME]
dogtag_instance = configured_constants.PKI_INSTANCE_NAME
# dogtag opens its NSS database in read/write mode so we need it
# shut down so certmonger can open it read/write mode. This avoids
# database corruption. It should already be stopped by the pre-command
# but lets be sure.
-if ipaservices.knownservices.pki_cad.is_running(dogtag_instance):
+if dogtag_service.is_running(dogtag_instance):
+ syslog.syslog(
+ syslog.LOG_NOTICE, "Stopping %s" % dogtag_service.service_name)
try:
- ipaservices.knownservices.pki_cad.stop(dogtag_instance)
+ dogtag_service.stop(dogtag_instance)
except Exception, e:
- syslog.syslog(syslog.LOG_ERR, "Cannot stop %sd: %s" %
- (dogtag_instance, str(e)))
+ syslog.syslog(
+ syslog.LOG_ERR,
+ "Cannot stop %s: %s" % (dogtag_service.service_name, e))
+ else:
+ syslog.syslog(
+ syslog.LOG_NOTICE, "Stopped %s" % dogtag_service.service_name)
# Fix permissions on the audit cert if we're updating it
if nickname == 'auditSigningCert cert-pki-ca':
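Review bot: When `dogtag_service.stop(dogtag_instance)` raises, the new `except` block only syslogs the error and execution continues into the audit-cert `certutil` call in the `if nickname == ...` block below, whose body runs past this hunk, so the NSS database is modified while the comment a few lines up says dogtag may still hold it open read/write. Because that comment names database corruption as the reason for the stop, the failure should abort rather than be logged: add `sys.exit(1)` after the error syslog, assuming `sys` is imported in the script header outside this hunk. As written the guard is a no-op on the path it exists to protect.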
@@ -55,14 +62,13 @@ if nickname == 'auditSigningCert cert-pki-ca':
]
db.run_certutil(args)
+syslog.syslog(syslog.LOG_NOTICE, 'Starting %s' % dogtag_service.service_name)
try:
- if configured_constants.DOGTAG_VERSION == 9:
- ipaservices.knownservices.pki_cad.start(dogtag_instance)
- else:
- ipaservices.knownservices.pki_tomcatd.start(dogtag_instance)
+ dogtag_service.start(dogtag_instance)
except Exception, e:
- syslog.syslog(syslog.LOG_ERR, "Cannot start %sd: %s" %
- (dogtag_instance, str(e)))
+ syslog.syslog(
+ syslog.LOG_ERR,
+ "Cannot start %s: %s" % (dogtag_service.service_name, e))
else:
- syslog.syslog(syslog.LOG_NOTICE, "certmonger started %sd, nickname '%s'" %
- (dogtag_instance, nickname))
+ syslog.syslog(
+ syslog.LOG_NOTICE, "Started %s" % dogtag_service.service_name)
diff --git a/install/restart_scripts/stop_pkicad b/install/restart_scripts/stop_pkicad
index c8589b286eefbe1c3d79e2a6dab7adfd3ff56b2a..bbaf8895e3a86899ee5bd794eb595fd43316028b 100644
--- a/install/restart_scripts/stop_pkicad
+++ b/install/restart_scripts/stop_pkicad
@@ -29,15 +29,15 @@ api.bootstrap(context='restart')
api.finalize()
configured_constants = dogtag.configured_constants(api)
+dogtag_service = ipaservices.knownservices[configured_constants.SERVICE_NAME]
dogtag_instance = configured_constants.PKI_INSTANCE_NAME
-syslog.syslog(syslog.LOG_NOTICE, "certmonger stopping %sd" % dogtag_instance)
-
+syslog.syslog(syslog.LOG_NOTICE, "Stopping %s" % dogtag_service.service_name)
try:
- if configured_constants.DOGTAG_VERSION == 9:
- ipaservices.knownservices.pki_cad.stop(dogtag_instance)
- else:
- ipaservices.knownservices.pki_tomcatd.stop(dogtag_instance)
+ dogtag_service.stop(dogtag_instance)
except Exception, e:
- syslog.syslog(syslog.LOG_ERR, "Cannot stop %sd: %s" %
- (dogtag_instance, str(e)))
+ syslog.syslog(
+ syslog.LOG_ERR, "Cannot stop %s: %s" % (dogtag_service.service_name, e))
+else:
+ syslog.syslog(
+ syslog.LOG_NOTICE, "Stopped %s" % dogtag_service.service_name)
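Review bot: A stop failure in this pre-save helper is logged and swallowed, so the script still exits 0 and certmonger goes on to renew the certificate in the NSS database while the CA may still have it open. The `except` branch should end with `sys.exit(1)` (the script's imports are outside this hunk; add `import sys` if it is missing) so certmonger aborts the renewal instead of proceeding on a stale "stopped" assumption. The `else:` success log is only reached when `dogtag_service.stop()` returned normally, so it reads correctly.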
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index ea769b0275c4642d5da457996165e5a348cb7299..f829b9340d1ce55b2adae4817018de11b894c92d 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -62,6 +62,8 @@ class Dogtag10Constants(object):
SERVICE_PROFILE_DIR = '%s/ca/profiles/ca' % PKI_ROOT
ALIAS_DIR = '/etc/pki/pki-tomcat/alias'
+ SERVICE_NAME = 'pki_tomcatd'
+
RACERT_LINE_SEP = '\n'
IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR
SERVICE_PROFILE_DIR = '%s/profiles/ca' % PKI_ROOT
ALIAS_DIR = '%s/alias' % PKI_ROOT
+ SERVICE_NAME = 'pki-cad'
+
RACERT_LINE_SEP = '\r\n'
ADMIN_SECURE_PORT = 9445
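Review bot: `SERVICE_NAME = 'pki-cad'` is spelled with a hyphen, while the same commit renames the well-known service in ipapython/platform/base/__init__.py from 'pki-cad' to 'pki_cad', and the restart scripts resolve this constant by key via `ipaservices.knownservices[configured_constants.SERVICE_NAME]`. Unless the platform layer normalises hyphen and underscore (not visible here), that lookup raises KeyError at the top of every restart script on a Dogtag 9 install, before the CA is stopped, which is the failure mode this patch sets out to fix. One spelling should be used in both places; given the rename and the Dogtag 10 value `'pki_tomcatd'`, `SERVICE_NAME = 'pki_cad'` looks like the intended one. A test that resolves both constants through `knownservices` would catch this class of drift.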
diff --git a/ipapython/platform/base/__init__.py b/ipapython/platform/base/__init__.py
index e2aa33faf9ccf182c778dfdbd8fd68d3686deae0..d76bc73a7d159c2dd43e281fa9916f245d88aaf3 100644
--- a/ipapython/platform/base/__init__.py
+++ b/ipapython/platform/base/__init__.py
@@ -27,7 +27,7 @@
wellknownservices = ['certmonger', 'dirsrv', 'httpd', 'ipa', 'krb5kdc',
'messagebus', 'nslcd', 'nscd', 'ntpd', 'portmap',
'rpcbind', 'kadmin', 'sshd', 'autofs', 'rpcgssd',
- 'rpcidmapd', 'pki_tomcatd', 'pki-cad', 'chronyd']
+ 'rpcidmapd', 'pki_tomcatd', 'pki_cad', 'chronyd']
# System may support more time&date services. FreeIPA supports ntpd only, other
# services will be disabled during IPA installation
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index ac5c81de8c57194160cbfd2fa79c776bf2f39625..52c91b68c2d073a9b1c6aedc1811aa26db046e6b 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1283,7 +1283,7 @@ def enable_client_auth_to_db(self):
"""
caconfig = dogtag.install_constants.CS_CFG_PATH
- with stopped_service('pki_tomcatd',
+ with stopped_service(self.dogtag_constants.SERVICE_NAME,
instance_name=self.dogtag_constants.PKI_INSTANCE_NAME):
# Enable file publishing, disable LDAP
'subsystemCert cert-pki-ca': 'ca.subsystem.cert',
'Server-Cert cert-pki-ca': 'ca.sslserver.cert'}
- with stopped_service('pki_tomcatd',
+ with stopped_service(dogtag_constants.SERVICE_NAME,
instance_name=dogtag_constants.PKI_INSTANCE_NAME):
installutils.set_directive(dogtag.configured_constants().CS_CFG_PATH,
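Review bot: The stop/start now keys on the `dogtag_constants` argument, but the `set_directive` call on the last line of the hunk still reads `dogtag.configured_constants().CS_CFG_PATH`, so if a caller passes constants for a Dogtag version other than the configured one, the service that is stopped and the CS.cfg that is edited belong to different instances. Using `dogtag_constants.CS_CFG_PATH` there keeps both in step with the new `stopped_service` line. The signature defaults `dogtag_constants` to None and the hunk dereferences it unconditionally, so whatever resolves None must sit above this hunk; `update_cert_config`'s body continues outside it.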
--
1.8.4.2