authorRob Crittenden <rcritten@redhat.com>2014-08-08 16:09:42 -0400
committerRob Crittenden <rcritten@redhat.com>2012-09-06 19:09:18 -0400
commit0f81268ec4a006625c8286ac7c6f5fed5aab7346 (patch)
tree849b599137a4e88f9c364c9867b08977c12d516a /install/restart_scripts
parentf33adf22f80ebcdc0a17d732af99e0529df654f2 (diff)
Fix some restart script issues found with certificate renewal.
The restart_dirsrv script wasn't initializing the api so the startup_timeout wasn't available. The subsystemCert cert-pki-ca definition was missing so we didn't know which certificate to update in CS.cfg. Add some documentation and a pause between restarts for the renew_ca_cert script so that when the CA subsystem certs are renewed they don't all try to restart the CA at the same time. https://fedorahosted.org/freeipa/ticket/3006
Diffstat (limited to 'install/restart_scripts')
-rw-r--r--install/restart_scripts/renew_ca_cert16
-rw-r--r--install/restart_scripts/restart_dirsrv4
2 files changed, 19 insertions, 1 deletions
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index e4374eca5..6e4d2b789 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -25,6 +25,8 @@ import shutil
import tempfile
import krbV
import syslog
+import random
+import time
from ipalib import api
from ipapython.dn import DN
from ipalib import errors
@@ -34,6 +36,10 @@ from ipaserver.install import certs
from ipaserver.plugins.ldap2 import ldap2
from ipaserver.install.cainstance import update_cert_config
+# This script a post-cert-install command for certmonger. When certmonger
+# has renewed a CA subsystem certificate a copy is put into the replicated
+# tree so it can be shared with the other IPA servers.
+
nickname = sys.argv[1]
api.bootstrap(context='restart')
@@ -85,8 +91,16 @@ if nickname == 'auditSigningCert cert-pki-ca':
update_cert_config(nickname, cert)
-syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted pki-cad instance pki-ca')
+syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted pki-cad instance pki-ca to renew %s' % nickname)
+# We monitor 3 certs that are all likely to be renewed by certmonger more or
+# less at the same time. Each cert renewal is going to need to restart
+# the CA. Add a bit of randomness in this so not all three try to start it
+# at the same time. A restart is needed for each because there is no guarantee
+# that they will all be renewed at the same time.
+pause = random.randint(10,360)
+syslog.syslog(syslog.LOG_NOTICE, 'Pausing %d seconds to restart pki-ca' % pause)
+time.sleep(pause)
try:
ipaservices.knownservices.pki_cad.restart('pki-ca')
except Exception, e:
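Review bot: The syslog line added at the top of this hunk reports that certmonger `restarted pki-cad instance pki-ca` before the random pause and before the `restart('pki-ca')` call below has run, so syslog will show a completed restart even while the script is still sleeping for up to six minutes or when the restart then fails in the except branch, which misleads anyone reconstructing the renewal timeline. Log the intent here and the completion after the call succeeds, e.g. change this line to `syslog.syslog(syslog.LOG_NOTICE, 'certmonger will restart pki-cad instance pki-ca to renew %s' % nickname)` and add `syslog.syslog(syslog.LOG_NOTICE, 'restarted pki-cad instance pki-ca for %s' % nickname)` inside the try block after the restart call; that block continues past the end of this hunk. Two documentation points: the comment added in the previous hunk reads "This script a post-cert-install command for certmonger" and is missing "is", and the jitter comment would be clearer if it named the window, e.g. `# Sleep a random 10-360 s so the three subsystem-cert renewals do not all restart the CA at once.`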
diff --git a/install/restart_scripts/restart_dirsrv b/install/restart_scripts/restart_dirsrv
index d6bbbbc3f..a9bb897ba 100644
--- a/install/restart_scripts/restart_dirsrv
+++ b/install/restart_scripts/restart_dirsrv
@@ -22,12 +22,16 @@
import sys
import syslog
from ipapython import services as ipaservices
+from ipalib import api
try:
instance = sys.argv[1]
except IndexError:
instance = ""
+api.bootstrap(context='restart')
+api.finalize()
+
syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted dirsrv instance '%s'" % instance)
try:
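Review bot: `api.bootstrap(context='restart')` and `api.finalize()` are added unguarded, so any exception raised during IPA initialisation terminates the script before the `certmonger restarted dirsrv instance` syslog line, leaving no record in syslog of why a certmonger-triggered restart never happened. Because this runs as a certmonger command with no interactive user, wrapping the two calls in a try/except that reports the failure through syslog and exits non-zero keeps the failure visible to whoever investigates the renewal; the file already uses the `except Exception, e:` form, so the same style fits here. The restart logic begins at the `try:` on the hunk's last line and continues outside this hunk, and I am assuming the hunk ends there, since the line counts in its header are consistent with a few dropped blank lines.
```python
# … unchanged: argv parsing of instance …
try:
    api.bootstrap(context='restart')
    api.finalize()
except Exception, e:
    syslog.syslog(syslog.LOG_ERR, "cannot initialize IPA api before restarting dirsrv instance '%s': %s" % (instance, e))
    sys.exit(1)
```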