From 19494c2409d40fc25387ddafe94c59ef09f68a86 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 6 Jan 2015 13:08:54 +0000
Subject: [PATCH] Restart dogtag when its server certificate is renewed
https://fedorahosted.org/freeipa/ticket/4803
Reviewed-By: David Kupka <dkupka@redhat.com>
---
install/tools/ipa-upgradeconfig | 6 +++---
ipaserver/install/cainstance.py | 7 ++++---
2 files changed, 7 insertions(+), 6 deletions(-)
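--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -778,7 +778,7 @@ def certificate_renewal_update(ca):
 dogtag_constants = dogtag.configured_constants()
 
 # bump version when requests is changed
- version = 2
+ version = 3
 requests = (
 (
 dogtag_constants.ALIAS_DIR,
@@ -824,8 +824,8 @@ def certificate_renewal_update(ca):
 dogtag_constants.ALIAS_DIR,
 'Server-Cert cert-pki-ca',
 'dogtag-ipa-renew-agent',
- None,
- None,
+ 'stop_pkicad',
+ 'renew_ca_cert',
 None,
 ),
 )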
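Review bot: The post-save entry added in the second hunk is the bare string `'renew_ca_cert'`, while this same commit registers `'renew_ca_cert "%s"' % nickname` in cainstance.py, so the two descriptions of the Server-Cert tracking request differ unless the code consuming `requests` adds the nickname argument itself. That consumer lies outside both hunks of certificate_renewal_update, so it cannot be confirmed from here. If the tuple is compared literally against the command certmonger has stored, a freshly installed server would presumably never match and its tracking would be redone on every upgrade. A one-line comment beside the entry saying where the nickname argument is appended would settle this for the next reader.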
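--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1534,16 +1534,17 @@ class CAInstance(service.Service):
 done by the renewal script, renew_ca_cert once all the subsystem
 certificates are renewed.
 """
+ nickname = 'Server-Cert cert-pki-ca'
 pin = self.__get_ca_pin()
 try:
 certmonger.dogtag_start_tracking(
 ca='dogtag-ipa-renew-agent',
- nickname='Server-Cert cert-pki-ca',
+ nickname=nickname,
 pin=pin,
 pinfile=None,
 secdir=self.dogtag_constants.ALIAS_DIR,
- pre_command=None,
- post_command=None)
+ pre_command='stop_pkicad',
+ post_command='renew_ca_cert "%s"' % nickname)
 except RuntimeError, e:
 root_logger.error(
 "certmonger failed to start tracking certificate: %s" % e)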
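Review bot: The docstring tail kept as context still says the restart is "done by the renewal script, renew_ca_cert once all the subsystem certificates are renewed", which no longer appears to describe this method now that it passes `pre_command='stop_pkicad'` and a `renew_ca_cert` post-command for the server certificate. The docstring's opening lines and the method signature are outside the hunk, so the full wording cannot be checked here. It should be updated to something like `Tell certmonger to stop the CA before the renewed server certificate is saved and to run renew_ca_cert for this nickname afterwards.` Separately, the post-command is assembled with `%` and hand-written double quotes; that is safe while `nickname` is the local constant, and a short comment saying the quoting relies on the nickname containing no `"` would keep it that way.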
--
2.1.0