author | Jan Cholasta <jcholast@redhat.com> | 2014-01-23 15:33:26 +0100 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-03-10 18:41:10 +0100 |
commit | 8e986904096925fc08df8cbdf271d722314c5460 (patch) | |
tree | ad4fca6b98f049a26df5620eb7691d6a491aea3a /install/restart_scripts/renew_ra_cert | |
parent | d727599aa804aecd91de969a9309c1903d0cfdce (diff) | |
Log unhandled exceptions in certificate renewal scripts.
https://fedorahosted.org/freeipa/ticket/4093
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'install/restart_scripts/renew_ra_cert')
-rw-r--r-- | install/restart_scripts/renew_ra_cert | 105 |
1 files changed, 56 insertions, 49 deletions
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index cb3e3683b..0d731144b 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -24,6 +24,7 @@ import shutil
 import tempfile
 import syslog
 import time
+import traceback
 from ipapython import services as ipaservices
 from ipapython import ipautil
 from ipaserver.install import certs
@@ -33,60 +34,66 @@ from ipapython.dn import DN
 from ipalib import errors
 from ipaserver.plugins.ldap2 import ldap2
-api.bootstrap(context='restart')
-api.finalize()
+def main():
+ api.bootstrap(context='restart')
+ api.finalize()
-# Fetch the new certificate
-db = certs.CertDB(api.env.realm)
-dercert = db.get_cert_from_db('ipaCert', pem=False)
+ # Fetch the new certificate
+ db = certs.CertDB(api.env.realm)
+ dercert = db.get_cert_from_db('ipaCert', pem=False)
-# Load it into dogtag
-update_people_entry('ipara', dercert)
+ # Load it into dogtag
+ update_people_entry('ipara', dercert)
-attempts = 0
-updated = False
+ attempts = 0
+ updated = False
-# Store it in the IPA LDAP server
-while attempts < 10:
- conn = None
- tmpdir = None
- try:
- tmpdir = tempfile.mkdtemp(prefix="tmp-")
- dn = DN(('cn','ipaCert'), ('cn', 'ca_renewal'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
- principal = str('host/%s@%s' % (api.env.host, api.env.realm))
- ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, principal)
- conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
- conn.connect(ccache=ccache)
+ # Store it in the IPA LDAP server
+ while attempts < 10:
+ conn = None
+ tmpdir = None
 try:
- entry_attrs = conn.get_entry(dn, ['usercertificate'])
- entry_attrs['usercertificate'] = dercert
- conn.update_entry(entry_attrs)
- except errors.NotFound:
- entry_attrs = conn.make_entry(
- dn,
- objectclass=['top', 'pkiuser', 'nscontainer'],
- usercertificate=[dercert])
- conn.add_entry(entry_attrs)
- except errors.EmptyModlist:
- pass
- updated = True
- break
- except Exception, e:
- syslog.syslog(syslog.LOG_ERR, 'Updating renewal certificate failed: %s. Sleeping 30s' % e)
- time.sleep(30)
- attempts += 1
- finally:
- if conn is not None and conn.isconnected():
- conn.disconnect()
- if tmpdir is not None:
- shutil.rmtree(tmpdir)
+ tmpdir = tempfile.mkdtemp(prefix="tmp-")
+ dn = DN(('cn','ipaCert'), ('cn', 'ca_renewal'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
+ principal = str('host/%s@%s' % (api.env.host, api.env.realm))
+ ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, principal)
+ conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
+ conn.connect(ccache=ccache)
+ try:
+ entry_attrs = conn.get_entry(dn, ['usercertificate'])
+ entry_attrs['usercertificate'] = dercert
+ conn.update_entry(entry_attrs)
+ except errors.NotFound:
+ entry_attrs = conn.make_entry(
+ dn,
+ objectclass=['top', 'pkiuser', 'nscontainer'],
+ usercertificate=[dercert])
+ conn.add_entry(entry_attrs)
+ except errors.EmptyModlist:
+ pass
+ updated = True
+ break
+ except Exception, e:
+ syslog.syslog(syslog.LOG_ERR, 'Updating renewal certificate failed: %s. Sleeping 30s' % e)
+ time.sleep(30)
+ attempts += 1
+ finally:
+ if conn is not None and conn.isconnected():
+ conn.disconnect()
+ if tmpdir is not None:
+ shutil.rmtree(tmpdir)
+
+ if not updated:
+ syslog.syslog(syslog.LOG_ERR, '%s: Giving up. This script may be safely re-executed.' % sys.argv[0])
+ sys.exit(1)
-if not updated:
- syslog.syslog(syslog.LOG_ERR, '%s: Giving up. This script may be safely re-executed.' % sys.argv[0])
- sys.exit(1)
+ # Now restart Apache so the new certificate is available
+ try:
+ ipaservices.knownservices.httpd.restart()
+ except Exception, e:
+ syslog.syslog(syslog.LOG_ERR, "Cannot restart httpd: %s" % str(e))
-# Now restart Apache so the new certificate is available
 try:
- ipaservices.knownservices.httpd.restart()
-except Exception, e:
- syslog.syslog(syslog.LOG_ERR, "Cannot restart httpd: %s" % str(e))
+ main()
+except Exception:
+ syslog.syslog(syslog.LOG_ERR, traceback.format_exc())
|
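Review bot: The new top-level `except Exception:` handler at the end of the hunk logs the traceback and then falls off the end of the script, so an unhandled failure inside main() (the CertDB lookup, update_people_entry(), the dogtag load) now terminates with exit status 0, whereas before this change the uncaught exception produced a non-zero exit that the caller could act on. Keep the logging but re-signal the failure: `except Exception:` / `    syslog.syslog(syslog.LOG_ERR, traceback.format_exc())` / `    sys.exit(1)`. The explicit `sys.exit(1)` on the give-up path inside main() is unaffected, since SystemExit is not a subclass of Exception and passes straight through the new handler. If the invoking agent (presumably certmonger, given the restart_scripts location) acts on the exit status, this is the difference between a retried renewal and one that silently never reaches LDAP — worth confirming against that contract before merging.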