From 09ead70bf9a081d8e2961a83d5dfe64d8f4c0399 Mon Sep 17 00:00:00 2001

From: Jan Cholasta <jcholast@redhat.com>

Date: Mon, 9 Nov 2015 10:53:02 +0100

Subject: [PATCH] cert renewal: make renewal of ipaCert atomic

This prevents errors when renewing other certificates during the renewal of

ipaCert.

https://fedorahosted.org/freeipa/ticket/5436

Reviewed-By: David Kupka <dkupka@redhat.com>

---

 install/restart_scripts/Makefile.am       |  1 +

 install/restart_scripts/renew_ra_cert     |  5 ++++-

 install/restart_scripts/renew_ra_cert_pre | 18 ++++++++++++++++++

 ipaserver/install/cainstance.py           |  2 +-

 ipaserver/install/server/upgrade.py       |  4 ++--

 5 files changed, 26 insertions(+), 4 deletions(-)

 create mode 100755 install/restart_scripts/renew_ra_cert_pre

diff --git a/install/restart_scripts/Makefile.am b/install/restart_scripts/Makefile.am

index 58057aa3198c892fc8ebb0df403495566ed77d1d..c4bf8195ea85ee0a9dba53fc2581e90c18a9127d 100644

--- a/install/restart_scripts/Makefile.am

+++ b/install/restart_scripts/Makefile.am

@@ -7,6 +7,7 @@ app_DATA =                              \

 	renew_ca_cert			\

 	renew_ra_cert			\

 	stop_pkicad			\

+	renew_ra_cert_pre		\

 	$(NULL)

 EXTRA_DIST =                            \

diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert

index 3a36f739ae53391e502356f7b6b4fd96a536c3a6..988ada946aed47d1f2b76c1add48ea8c8d64a161 100644

--- a/install/restart_scripts/renew_ra_cert

+++ b/install/restart_scripts/renew_ra_cert

@@ -77,8 +77,11 @@ def _main():

 def main():

-    with certs.renewal_lock:

+    try:

         _main()

+    finally:

+        # lock acquired in renew_ra_cert_pre

+        certs.renewal_lock.release('renew_ra_cert')

 try:

diff --git a/install/restart_scripts/renew_ra_cert_pre b/install/restart_scripts/renew_ra_cert_pre

new file mode 100755

index 0000000000000000000000000000000000000000..d0f743c099162e4c5afd7d96287e58492246db35

--- /dev/null

+++ b/install/restart_scripts/renew_ra_cert_pre

@@ -0,0 +1,18 @@

+#!/usr/bin/python2 -E

+#

+# Copyright (C) 2015  FreeIPA Contributors see COPYING for license

+#

+

+import syslog

+import traceback

+

+from ipaserver.install import certs

+

+

+def main():

+    certs.renewal_lock.acquire('renew_ra_cert')

+

+try:

+    main()

+except Exception:

+    syslog.syslog(syslog.LOG_ERR, traceback.format_exc())

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py

index dfe023c08c9b8d1b28f1659b7c5a6395f3afe879..d230c9bdcab68f02cce32a2aeb89ca3e2143eefe 100644

--- a/ipaserver/install/cainstance.py

+++ b/ipaserver/install/cainstance.py

@@ -1305,7 +1305,7 @@ class CAInstance(DogtagInstance):

                 pin=None,

                 pinfile=paths.ALIAS_PWDFILE_TXT,

                 secdir=paths.HTTPD_ALIAS_DIR,

-                pre_command=None,

+                pre_command='renew_ra_cert_pre',

                 post_command='renew_ra_cert')

         except RuntimeError, e:

             self.log.error(

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py

index e0a45a097171613397db42e1c035f0d818a3ecf5..c8f744c392c7b859459bda63c1f397226553d4ba 100644

--- a/ipaserver/install/server/upgrade.py

+++ b/ipaserver/install/server/upgrade.py

@@ -799,7 +799,7 @@ def certificate_renewal_update(ca):

     dogtag_constants = dogtag.configured_constants()

     # bump version when requests is changed

-    version = 3

+    version = 4

     requests = (

         (

             dogtag_constants.ALIAS_DIR,

@@ -837,7 +837,7 @@ def certificate_renewal_update(ca):

             paths.HTTPD_ALIAS_DIR,

             'ipaCert',

             'dogtag-ipa-ca-renew-agent',

-            None,

+            'renew_ra_cert_pre',

             'renew_ra_cert',

             None,

         ),

-- 

2.4.3