From 19494c2409d40fc25387ddafe94c59ef09f68a86 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 6 Jan 2015 13:08:54 +0000
Subject: [PATCH] Restart dogtag when its server certificate is renewed
https://fedorahosted.org/freeipa/ticket/4803
Reviewed-By: David Kupka <dkupka@redhat.com>
---
install/tools/ipa-upgradeconfig | 6 +++---
ipaserver/install/cainstance.py | 7 ++++---
2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 005f3a72df115e63c81a7ca8825fb12cac0a5f81..b00161d58418d6205c0ba0db0260af272ec96130 100755
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -778,7 +778,7 @@ def certificate_renewal_update(ca):
dogtag_constants = dogtag.configured_constants()
# bump version when requests is changed
- version = 2
+ version = 3
requests = (
(
dogtag_constants.ALIAS_DIR,
@@ -824,8 +824,8 @@ def certificate_renewal_update(ca):
dogtag_constants.ALIAS_DIR,
'Server-Cert cert-pki-ca',
'dogtag-ipa-renew-agent',
- None,
- None,
+ 'stop_pkicad',
+ 'renew_ca_cert',
None,
),
)
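Review bot: The post-save command registered here for 'Server-Cert cert-pki-ca' is the bare `'renew_ca_cert'`, while the same tracking request added in cainstance.py in this commit passes the nickname as an argument (`renew_ca_cert "Server-Cert cert-pki-ca"`). Unless the loop that consumes `requests` appends the nickname itself (that code, and the start of `certificate_renewal_update`, are outside this hunk), an upgraded server would invoke renew_ca_cert without the nickname and so behave differently from a fresh install when the CA server certificate is renewed. I would make the two paths identical: `'renew_ca_cert "Server-Cert cert-pki-ca"',`. The bump to `version = 3` in the first hunk is what forces this request to be re-applied on upgrade, so the fix would reach existing installs.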
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index ac494917744ce0fa2d8e38ce5ce9dab6b24bdebf..aac7f4c7ccbad5a68bfd9756c7f7638416e3f6a0 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1534,16 +1534,17 @@ class CAInstance(service.Service):
done by the renewal script, renew_ca_cert once all the subsystem
certificates are renewed.
"""
+ nickname = 'Server-Cert cert-pki-ca'
pin = self.__get_ca_pin()
try:
certmonger.dogtag_start_tracking(
ca='dogtag-ipa-renew-agent',
- nickname='Server-Cert cert-pki-ca',
+ nickname=nickname,
pin=pin,
pinfile=None,
secdir=self.dogtag_constants.ALIAS_DIR,
- pre_command=None,
- post_command=None)
+ pre_command='stop_pkicad',
+ post_command='renew_ca_cert "%s"' % nickname)
except RuntimeError, e:
root_logger.error(
"certmonger failed to start tracking certificate: %s" % e)
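Review bot: The method's docstring (it begins above this hunk) still reads as though restarting the CA is left entirely to the renewal script, but the new `pre_command='stop_pkicad'` and `post_command='renew_ca_cert "%s"' % nickname` now make certmonger stop the CA before the renewed certificate is saved and hand the restart to renew_ca_cert; I would update it to say "Ask certmonger to stop the CA (stop_pkicad) before saving the renewed certificate and to run renew_ca_cert afterwards, which restarts it." The post-save command is built by formatting the nickname into a hand-quoted shell string; that is safe while `nickname` is the fixed literal on the first added line, but if it ever becomes a parameter it should go through `pipes.quote(nickname)` (this file is Python 2, see `except RuntimeError, e`) rather than literal double quotes. Note also that a `RuntimeError` from dogtag_start_tracking is only logged, so a failure to register these hooks leaves the CA server certificate untracked without failing the install; pre-existing, but now worth a comment since the hooks determine whether dogtag comes back after renewal.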
--
2.1.0