From 09ead70bf9a081d8e2961a83d5dfe64d8f4c0399 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Mon, 9 Nov 2015 10:53:02 +0100
Subject: [PATCH] cert renewal: make renewal of ipaCert atomic
This prevents errors when renewing other certificates during the renewal of ipaCert.
https://fedorahosted.org/freeipa/ticket/5436
Reviewed-By: David Kupka
---
 install/restart_scripts/Makefile.am | 1 +
 install/restart_scripts/renew_ra_cert | 5 ++++-
 install/restart_scripts/renew_ra_cert_pre | 18 ++++++++++++++++++
 ipaserver/install/cainstance.py | 2 +-
 ipaserver/install/server/upgrade.py | 4 ++--
 5 files changed, 26 insertions(+), 4 deletions(-)
 create mode 100755 install/restart_scripts/renew_ra_cert_pre
diff --git a/install/restart_scripts/Makefile.am b/install/restart_scripts/Makefile.am
index 58057aa3198c892fc8ebb0df403495566ed77d1d..c4bf8195ea85ee0a9dba53fc2581e90c18a9127d 100644
--- a/install/restart_scripts/Makefile.am
+++ b/install/restart_scripts/Makefile.am
@@ -7,6 +7,7 @@ app_DATA = \
 renew_ca_cert \
 renew_ra_cert \
 stop_pkicad \
+ renew_ra_cert_pre \
 $(NULL)
 EXTRA_DIST = \
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index 3a36f739ae53391e502356f7b6b4fd96a536c3a6..988ada946aed47d1f2b76c1add48ea8c8d64a161 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -77,8 +77,11 @@ def _main():
 def main():
- with certs.renewal_lock:
+ try:
 _main()
+ finally:
+ # lock acquired in renew_ra_cert_pre
+ certs.renewal_lock.release('renew_ra_cert')
 try:
diff --git a/install/restart_scripts/renew_ra_cert_pre b/install/restart_scripts/renew_ra_cert_pre
new file mode 100755
index 0000000000000000000000000000000000000000..d0f743c099162e4c5afd7d96287e58492246db35
--- /dev/null
+++ b/install/restart_scripts/renew_ra_cert_pre
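Review bot: The new `finally` in `main()` releases `certs.renewal_lock` whether or not `renew_ra_cert_pre` actually acquired it, so a manual run of this script, a tracking request that still has no pre-command, or a pre-command that failed and only logged, ends with `_main()` running unlocked and then a release of a lock this process never took. Whether `release('renew_ra_cert')` is a safe no-op in that case, or drops a lock held by another renewal script (the lock is presumably shared with them, given the commit message), depends on the lock implementation, which is not in this patch. I would make the release explicit about ownership: have the pre script leave a marker that the post script checks, or have `release` verify the named holder and log instead of releasing when it is not `'renew_ra_cert'`, and say so in the comment: `# lock acquired in renew_ra_cert_pre (certmonger pre-save command); release must tolerate a missing pre run`. The module-level `try:` at the end of the hunk continues outside it.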
@@ -0,0 +1,18 @@
+#!/usr/bin/python2 -E
+#
+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
+#
+
+import syslog
+import traceback
+
+from ipaserver.install import certs
+
+
+def main():
+ certs.renewal_lock.acquire('renew_ra_cert')
+
+try:
+ main()
+except Exception:
+ syslog.syslog(syslog.LOG_ERR, traceback.format_exc())
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index dfe023c08c9b8d1b28f1659b7c5a6395f3afe879..d230c9bdcab68f02cce32a2aeb89ca3e2143eefe 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1305,7 +1305,7 @@ class CAInstance(DogtagInstance):
 pin=None,
 pinfile=paths.ALIAS_PWDFILE_TXT,
 secdir=paths.HTTPD_ALIAS_DIR,
- pre_command=None,
+ pre_command='renew_ra_cert_pre',
 post_command='renew_ra_cert')
 except RuntimeError, e:
 self.log.error(
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index e0a45a097171613397db42e1c035f0d818a3ecf5..c8f744c392c7b859459bda63c1f397226553d4ba 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -799,7 +799,7 @@ def certificate_renewal_update(ca):
 dogtag_constants = dogtag.configured_constants()
 # bump version when requests is changed
- version = 3
+ version = 4
 requests = (
 (
 dogtag_constants.ALIAS_DIR,
@@ -837,7 +837,7 @@ def certificate_renewal_update(ca):
 paths.HTTPD_ALIAS_DIR,
 'ipaCert',
 'dogtag-ipa-ca-renew-agent',
- None,
+ 'renew_ra_cert_pre',
 'renew_ra_cert',
 None,
 ),
-- 
2.4.3
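Review bot: In `renew_ra_cert_pre`, `except Exception:` logs the traceback and then lets the script exit with status 0, so a failed `acquire` looks like success to certmonger, which presumably goes on to save the certificate and run `renew_ra_cert` with no lock held — exactly the race this commit is meant to close. After the syslog call add `sys.exit(1)` (with `import sys`), assuming certmonger treats a non-zero pre-save exit as a reason not to proceed; that behaviour should be confirmed before relying on it. Because the lock is taken in one process and released in another, a save that fails or a certmonger restart between the two leaves it held with no owner to clean it up; the lock implementation is not in this patch, so I cannot tell whether `acquire` detects a dead holder — if it does not, that is worth a stale-lock check or at least a note. A module comment explaining the pairing would help the next reader, e.g. `# certmonger pre-save command for ipaCert: takes the renewal lock, which renew_ra_cert (the post-save command) releases.`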