diff options
author | Rob Crittenden <rcritten@redhat.com> | 2014-12-02 13:18:36 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2013-01-29 11:16:38 -0500 |
commit | 045b6e6ed995b4c1e5dab8dbcdf1af4896b52d19 (patch) | |
tree | ba63a832f67c4c9a8ceee62669b52dd37a853680 /install/restart_scripts/renew_ca_cert | |
parent | b382a77fc393a078ebbba8000284dd9abe75a3d5 (diff) | |
download | freeipa-045b6e6ed995b4c1e5dab8dbcdf1af4896b52d19.tar.gz freeipa-045b6e6ed995b4c1e5dab8dbcdf1af4896b52d19.tar.xz freeipa-045b6e6ed995b4c1e5dab8dbcdf1af4896b52d19.zip |
Use new certmonger locking to prevent NSS database corruption.
dogtag opens its NSS database in read/write mode so we need to be very
careful during renewal that we don't also open it up read/write. We
basically need to serialize access to the database. certmonger does the
majority of this work via internal locking from the point where it generates
a new key/submits a rewewal through the pre_save and releases the lock after
the post_save command. This lock is held per NSS database so we're save
from certmonger. dogtag needs to be shutdown in the pre_save state so
certmonger can safely add the certificate and we can manipulate trust
in the post_save command.
Fix a number of bugs in renewal. The CA wasn't actually being restarted
at all due to a naming change upstream. In python we need to reference
services using python-ish names but the service is pki-cad. We need a
translation for non-Fedora systems as well.
Update the CA ou=People entry when he CA subsystem certificate is
renewed. This certificate is used as an identity certificate to bind
to the DS instance.
https://fedorahosted.org/freeipa/ticket/3292
https://fedorahosted.org/freeipa/ticket/3322
Diffstat (limited to 'install/restart_scripts/renew_ca_cert')
-rw-r--r-- | install/restart_scripts/renew_ca_cert | 38 |
1 files changed, 20 insertions, 18 deletions
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert index 5317835fc..b7e4ebaae 100644 --- a/install/restart_scripts/renew_ca_cert +++ b/install/restart_scripts/renew_ca_cert @@ -34,8 +34,10 @@ from ipapython import services as ipaservices from ipapython import ipautil from ipapython import dogtag from ipaserver.install import certs +from ipaserver.install.cainstance import update_people_entry from ipaserver.plugins.ldap2 import ldap2 from ipaserver.install.cainstance import update_cert_config +from ipapython import certmonger # This script a post-cert-install command for certmonger. When certmonger # has renewed a CA subsystem certificate a copy is put into the replicated @@ -82,8 +84,13 @@ except Exception, e: finally: shutil.rmtree(tmpdir) -# Fix permissions on the audit cert if we're updating it +update_cert_config(nickname, cert) + +if nickname == 'subsystemCert cert-pki-ca': + update_people_entry('pkidbuser', cert) + if nickname == 'auditSigningCert cert-pki-ca': + # Fix trust on the audit cert db = certs.CertDB(api.env.realm, nssdir=alias_dir) args = ['-M', '-n', nickname, @@ -91,25 +98,20 @@ if nickname == 'auditSigningCert cert-pki-ca': ] try: db.run_certutil(args) + syslog.syslog(syslog.LOG_NOTICE, 'Updated trust on certificate %s in %s' % (nickname, db.secdir)) except ipautil.CalledProcessError: - syslog.syslog(syslog.LOG_ERR, 'Updating trust on certificate %s failed in %s' % (nickname, db.secdir)) - -update_cert_config(nickname, cert) - -syslog.syslog( - syslog.LOG_NOTICE, 'certmonger restarted %sd instance %s to renew %s' % - (dogtag_instance, dogtag_instance, nickname)) + syslog.syslog(syslog.LOG_ERR, 'Updating trust on certificate %s failed in %s' % (nickname, db.secdir)) -# We monitor 3 certs that are all likely to be renewed by certmonger more or -# less at the same time. Each cert renewal is going to need to restart -# the CA. Add a bit of randomness in this so not all three try to start it -# at the same time. A restart is needed for each because there is no guarantee -# that they will all be renewed at the same time. -pause = random.randint(10,360) -syslog.syslog(syslog.LOG_NOTICE, 'Pausing %d seconds to restart pki-ca' % pause) -time.sleep(pause) +# Now we can start the CA. Using the ipaservices start should fire +# off the servlet to verify that the CA is actually up and responding so +# when this returns it should be good-to-go. The CA was stopped in the +# pre-save state. +syslog.syslog(syslog.LOG_NOTICE, 'Starting %sd' % dogtag_instance) try: - ipaservices.knownservices.pki_cad.restart(dogtag_instance) + if configured_constants.DOGTAG_VERSION == 9: + ipaservices.knownservices.pki_cad.start(dogtag_instance) + else: + ipaservices.knownservices.pki_tomcatd.start(dogtag_instance) except Exception, e: - syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" % + syslog.syslog(syslog.LOG_ERR, "Cannot start %sd: %s" % (dogtag_instance, str(e))) |