Diffstat (limited to 'install/restart_scripts')
-rw-r--r--install/restart_scripts/renew_ca_cert16
-rw-r--r--install/restart_scripts/restart_dirsrv4
2 files changed, 19 insertions, 1 deletions
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index e4374eca5..6e4d2b789 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -25,6 +25,8 @@ import shutil
import tempfile
import krbV
import syslog
+import random
+import time
from ipalib import api
from ipapython.dn import DN
from ipalib import errors
@@ -34,6 +36,10 @@ from ipaserver.install import certs
from ipaserver.plugins.ldap2 import ldap2
from ipaserver.install.cainstance import update_cert_config
+# This script a post-cert-install command for certmonger. When certmonger
+# has renewed a CA subsystem certificate a copy is put into the replicated
+# tree so it can be shared with the other IPA servers.
+
nickname = sys.argv[1]
api.bootstrap(context='restart')
@@ -85,8 +91,16 @@ if nickname == 'auditSigningCert cert-pki-ca':
update_cert_config(nickname, cert)
-syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted pki-cad instance pki-ca')
+syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted pki-cad instance pki-ca to renew %s' % nickname)
+# We monitor 3 certs that are all likely to be renewed by certmonger more or
+# less at the same time. Each cert renewal is going to need to restart
+# the CA. Add a bit of randomness in this so not all three try to start it
+# at the same time. A restart is needed for each because there is no guarantee
+# that they will all be renewed at the same time.
+pause = random.randint(10,360)
+syslog.syslog(syslog.LOG_NOTICE, 'Pausing %d seconds to restart pki-ca' % pause)
+time.sleep(pause)
try:
ipaservices.knownservices.pki_cad.restart('pki-ca')
except Exception, e:
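Review bot: The `'certmonger restarted pki-cad instance pki-ca to renew %s'` notice is written before the random pause and before `restart('pki-ca')` is attempted, so syslog records a restart up to 360 seconds before it happens, and records it even if the restart then fails in the `try` below. That ordering misleads anyone reconstructing a renewal from the logs. I would word this line as an intent, e.g. `syslog.syslog(syslog.LOG_NOTICE, 'certmonger renewed %s, pki-ca restart pending' % nickname)`, and log the completed restart after the call returns. The jitter from `random.randint(10,360)` only makes overlapping restarts less likely rather than ruling them out, which the added comment should say. The `try`/`except` continues outside the hunk.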
diff --git a/install/restart_scripts/restart_dirsrv b/install/restart_scripts/restart_dirsrv
index d6bbbbc3f..a9bb897ba 100644
--- a/install/restart_scripts/restart_dirsrv
+++ b/install/restart_scripts/restart_dirsrv
@@ -22,12 +22,16 @@
import sys
import syslog
from ipapython import services as ipaservices
+from ipalib import api
try:
instance = sys.argv[1]
except IndexError:
instance = ""
+api.bootstrap(context='restart')
+api.finalize()
+
syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted dirsrv instance '%s'" % instance)
try:
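Review bot: `api.bootstrap(context='restart')` and `api.finalize()` run at module level, before the syslog notice and outside the `try` that follows, so if either raises the script exits without logging anything and without attempting the dirsrv restart. The log message suggests certmonger invokes this script, so such a failure would probably leave the instance on its old certificate with no trace in syslog; consider wrapping the two calls and emitting a `syslog.LOG_ERR` message before exiting. The hunk also does not say why the API must be initialised here; a comment such as `# ipaservices needs the api environment initialised before restart()` would help, if that is indeed the reason. The `try` block continues outside the hunk.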