author | Jan Cholasta <jcholast@redhat.com> | 2013-10-16 09:00:44 +0000 |
committer | Petr Viktorin <pviktori@redhat.com> | 2014-03-25 16:54:55 +0100 |
commit | 2c466b79e80b8549831357b05891f3fb8dcbdaa0 (patch) | |
tree | aeff8478cada4dbc8d36649d385eab1818b54b6a /install/restart_scripts/renew_ca_cert | |
parent | b5d082ec4d08712f8be5b56ea248133a76fd923a (diff) | |
Merge restart_pkicad functionality to renew_ca_cert and remove restart_pkicad.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'install/restart_scripts/renew_ca_cert')
-rw-r--r-- | install/restart_scripts/renew_ca_cert | 41 |
1 files changed, 31 insertions, 10 deletions
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 9b1b45d87..2663887d6 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -44,6 +44,23 @@ def main():
     dogtag_service = ipaservices.knownservices[configured_constants.SERVICE_NAME]
     dogtag_instance = configured_constants.PKI_INSTANCE_NAME
 
+    # dogtag opens its NSS database in read/write mode so we need it
+    # shut down so certmonger can open it read/write mode. This avoids
+    # database corruption. It should already be stopped by the pre-command
+    # but lets be sure.
+    if dogtag_service.is_running(dogtag_instance):
+        syslog.syslog(
+            syslog.LOG_NOTICE, "Stopping %s" % dogtag_service.service_name)
+        try:
+            dogtag_service.stop(dogtag_instance)
+        except Exception, e:
+            syslog.syslog(
+                syslog.LOG_ERR,
+                "Cannot stop %s: %s" % (dogtag_service.service_name, e))
+        else:
+            syslog.syslog(
+                syslog.LOG_NOTICE, "Stopped %s" % dogtag_service.service_name)
+
     # Fetch the new certificate
     db = certs.CertDB(api.env.realm, nssdir=alias_dir)
     cert = db.get_cert_from_db(nickname, pem=False)
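Review bot: The `except Exception, e:` branch of the new stop block only logs the failure and falls through to `db = certs.CertDB(api.env.realm, nssdir=alias_dir)`, so the NSS database is opened while dogtag may still hold it read/write — exactly the corruption the new comment says this block exists to prevent. After the `"Cannot stop %s: %s"` syslog call add `sys.exit(1)` so certmonger records the failure instead of the script proceeding; the `is_running` check at the top of the block makes a retry safe. The comment on the second line also reads "open it read/write mode" and would be clearer as "open it in read/write mode". `main()` begins before this hunk.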
@@ -51,22 +68,26 @@ def main():
         syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' % nickname)
         sys.exit(1)
 
-    # Done withing stopped_service context, CA restarted here
     cainstance.update_cert_config(nickname, cert, configured_constants)
-    cainstance.update_people_entry(cert)
+
+    ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
+    if ca.is_renewal_master():
+        cainstance.update_people_entry(cert)
 
     if nickname == 'auditSigningCert cert-pki-ca':
         # Fix trust on the audit cert
-        db = certs.CertDB(api.env.realm, nssdir=alias_dir)
-        args = ['-M',
-                '-n', nickname,
-                '-t', 'u,u,Pu',
-               ]
         try:
-            db.run_certutil(args)
-            syslog.syslog(syslog.LOG_NOTICE, 'Updated trust on certificate %s in %s' % (nickname, db.secdir))
+            db.run_certutil(['-M',
+                             '-n', nickname,
+                             '-t', 'u,u,Pu'])
+            syslog.syslog(
+                syslog.LOG_NOTICE,
+                "Updated trust on certificate %s in %s" % (nickname, db.secdir))
         except ipautil.CalledProcessError:
-            syslog.syslog(syslog.LOG_ERR, 'Updating trust on certificate %s failed in %s' % (nickname, db.secdir))
+            syslog.syslog(
+                syslog.LOG_ERR,
+                "Updating trust on certificate %s failed in %s" %
+                (nickname, db.secdir))
 
     # Now we can start the CA. Using the ipaservices start should fire
     # off the servlet to verify that the CA is actually up and responding so |
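Review bot: The new `ca = cainstance.CAInstance(...)` / `if ca.is_renewal_master():` pair is unguarded, whereas every other step in this script (`dogtag_service.stop`, `db.run_certutil`) logs to syslog on failure and carries on to the CA start that follows the hunk. If `is_renewal_master()` or `update_people_entry()` raises (presumably a directory lookup that can fail while services are being cycled — I cannot confirm from the hunk), the exception leaves `main()` before the "Now we can start the CA" block and the CA stopped in the previous hunk stays down. If a failed people-entry update is not meant to block the restart, wrap the three lines in the same log-and-continue pattern the rest of the file uses; `main()` continues past this hunk.
```python
    cainstance.update_cert_config(nickname, cert, configured_constants)

    try:
        ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
        if ca.is_renewal_master():
            cainstance.update_people_entry(cert)
    except Exception, e:
        syslog.syslog(
            syslog.LOG_ERR, "Cannot update people entry: %s" % e)

    # … unchanged: audit cert trust fix …
```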