From 19494c2409d40fc25387ddafe94c59ef09f68a86 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Tue, 6 Jan 2015 13:08:54 +0000
Subject: [PATCH] Restart dogtag when its server certificate is renewed
https://fedorahosted.org/freeipa/ticket/4803
Reviewed-By: David Kupka
---
 install/tools/ipa-upgradeconfig | 6 +++---
 ipaserver/install/cainstance.py | 7 ++++---
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 005f3a72df115e63c81a7ca8825fb12cac0a5f81..b00161d58418d6205c0ba0db0260af272ec96130 100755
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -778,7 +778,7 @@ def certificate_renewal_update(ca):
 dogtag_constants = dogtag.configured_constants()
 # bump version when requests is changed
- version = 2
+ version = 3
 requests = (
 (
 dogtag_constants.ALIAS_DIR,
@@ -824,8 +824,8 @@ def certificate_renewal_update(ca):
 dogtag_constants.ALIAS_DIR,
 'Server-Cert cert-pki-ca',
 'dogtag-ipa-renew-agent',
- None,
- None,
+ 'stop_pkicad',
+ 'renew_ca_cert',
 None,
 ),
 )
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index ac494917744ce0fa2d8e38ce5ce9dab6b24bdebf..aac7f4c7ccbad5a68bfd9756c7f7638416e3f6a0 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1534,16 +1534,17 @@ class CAInstance(service.Service):
 done by the renewal script, renew_ca_cert once all the subsystem certificates are renewed. """
+ nickname = 'Server-Cert cert-pki-ca'
 pin = self.__get_ca_pin()
 try:
 certmonger.dogtag_start_tracking(
 ca='dogtag-ipa-renew-agent',
- nickname='Server-Cert cert-pki-ca',
+ nickname=nickname,
 pin=pin,
 pinfile=None,
 secdir=self.dogtag_constants.ALIAS_DIR,
- pre_command=None,
- post_command=None)
+ pre_command='stop_pkicad',
+ post_command='renew_ca_cert "%s"' % nickname)
 except RuntimeError, e:
 root_logger.error(
 "certmonger failed to start tracking certificate: %s" % e)
--
2.1.0
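Review bot: The post-save command recorded for `Server-Cert cert-pki-ca` in the second hunk is the bare string `'renew_ca_cert'`, while the install path in cainstance.py (third hunk) registers `'renew_ca_cert "%s"' % nickname`. The code that compares `requests` against certmonger's existing tracking entries is outside the hunk, so it is not visible whether the quoted nickname is appended before matching. If it is not, upgraded servers could end up tracked with a different command than fresh installs, or be re-tracked on every upgrade. A comment above the tuple would pin the expectation, for example `# pre/post commands must resolve to the same strings CAInstance registers for this nickname`. `certificate_renewal_update` starts and ends outside the hunk.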
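Review bot: The docstring tail kept as context at the top of the third hunk still says the restart is "done by the renewal script, renew_ca_cert once all the subsystem certificates are renewed", which appears to describe the old `pre_command=None` / `post_command=None` behaviour. With `stop_pkicad` and `renew_ca_cert` now attached to the server certificate's own tracking request, the docstring should state that renewing this certificate stops the CA before the new certificate is saved and runs `renew_ca_cert` with the nickname afterwards. The docstring begins outside the hunk, so its earlier sentences may need the same update. The method itself also starts and ends outside the hunk.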