authorRob Crittenden <rcritten@redhat.com>2014-12-02 13:18:36 -0500
committerRob Crittenden <rcritten@redhat.com>2013-01-29 11:16:38 -0500
commit045b6e6ed995b4c1e5dab8dbcdf1af4896b52d19 (patch)
treeba63a832f67c4c9a8ceee62669b52dd37a853680 /install/tools/ipa-upgradeconfig
parentb382a77fc393a078ebbba8000284dd9abe75a3d5 (diff)
Use new certmonger locking to prevent NSS database corruption.
dogtag opens its NSS database in read/write mode so we need to be very careful during renewal that we don't also open it up read/write. We basically need to serialize access to the database. certmonger does the majority of this work via internal locking from the point where it generates a new key/submits a renewal through the pre_save and releases the lock after the post_save command. This lock is held per NSS database so we're safe from certmonger. dogtag needs to be shut down in the pre_save state so certmonger can safely add the certificate and we can manipulate trust in the post_save command. Fix a number of bugs in renewal. The CA wasn't actually being restarted at all due to a naming change upstream. In python we need to reference services using python-ish names but the service is pki-cad. We need a translation for non-Fedora systems as well. Update the CA ou=People entry when the CA subsystem certificate is renewed. This certificate is used as an identity certificate to bind to the DS instance. https://fedorahosted.org/freeipa/ticket/3292 https://fedorahosted.org/freeipa/ticket/3322
Diffstat (limited to 'install/tools/ipa-upgradeconfig')
-rw-r--r--install/tools/ipa-upgradeconfig54
1 files changed, 53 insertions, 1 deletions
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index f672bbd8..8ec6248b 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -493,6 +493,53 @@ def enable_certificate_renewal(ca):
return False
+def certificate_renewal_stop_ca(ca):
+ """
+ Validate the certmonger configuration on certificates that already
+ have renewal configured.
+
+ As of certmonger 0.65 it now does locking from the point where it
+ generates the CSR to the end of the post-command. This is to ensure
+ that only one certmonger renewal, and hopefully, one process at a
+ time holds the NSS database open in read/write.
+ """
+ root_logger.info('[Certificate renewal should stop the CA]')
+ if not ca.is_configured():
+ root_logger.info('CA is not configured')
+ return False
+
+ nss_dir = dogtag.configured_constants().ALIAS_DIR
+ # Using the nickname find the certmonger request_id
+ criteria = (('cert_storage_location', nss_dir, certmonger.NPATH),('cert_nickname', 'auditSigningCert cert-pki-ca', None))
+ id = certmonger.get_request_id(criteria)
+ if id is None:
+ root_logger.error('Unable to find certmonger request ID for auditSigning Cert')
+ return False
+
+ if sysupgrade.get_upgrade_state('dogtag', 'stop_ca_during_renewal'):
+ return False
+
+ # State not set, lets see if we are already configured
+ pre_command = certmonger.get_request_value(id, 'pre_certsave_command')
+ if pre_command is not None:
+ if pre_command.strip().endswith('stop_pkicad'):
+ root_logger.info('Already configured to stop CA')
+ return False
+
+ # Ok, now we need to stop tracking, then we can start tracking them
+ # again with new configuration:
+ cainstance.stop_tracking_certificates(dogtag.configured_constants())
+ if ca.is_master():
+ ca.configure_renewal()
+ else:
+ ca.configure_certmonger_renewal()
+ ca.configure_clone_renewal()
+ ca.configure_agent_renewal()
+ ca.track_servercert()
+ sysupgrade.set_upgrade_state('dogtag', 'stop_ca_during_renewal', True)
+ root_logger.debug('CA subsystem certificate renewal configured to stop the CA')
+ return True
+
def copy_crl_file(old_path, new_path=None):
"""
Copy CRL to new location, update permissions and SELinux context
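Review bot: Between `cainstance.stop_tracking_certificates(dogtag.configured_constants())` and the final `ca.track_servercert()` there is no error handling, so if one of the configure_*_renewal calls raises, the CA certificates are left untracked by certmonger with nothing in the log saying so, and since `sysupgrade.set_upgrade_state` is only reached on success the condition stays silent until a later upgrade run; wrapping that sequence in `try:` / `except Exception, e:` (the file's Python 2 form) with `root_logger.error('CA certificate tracking was not restored: %s', e)` before re-raising would at least make the untracked state visible to the operator. The 'Already configured to stop CA' branch returns without calling `sysupgrade.set_upgrade_state('dogtag', 'stop_ca_during_renewal', True)`, so every subsequent upgrade repeats the certmonger request lookup; setting the state there too would match the success path. The docstring's opening sentence ("Validate the certmonger configuration on certificates that already have renewal configured") looks copied from `enable_certificate_renewal` and does not describe this function; suggested replacement: `Reconfigure certmonger tracking of the CA certificates so that the pre-save command stops the CA during renewal.` Also `id = certmonger.get_request_id(criteria)` shadows the `id` builtin; `request_id` would be clearer.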
@@ -711,7 +758,12 @@ def main():
bind.restart()
except ipautil.CalledProcessError, e:
root_logger.error("Failed to restart %s: %s", bind.service_name, e)
- ca_restart = ca_restart or enable_certificate_renewal(ca) or upgrade_ipa_profile(ca, api.env.domain, fqdn)
+ ca_restart = any([
+ ca_restart,
+ enable_certificate_renewal(ca),
+ upgrade_ipa_profile(ca, api.env.domain, fqdn),
+ certificate_renewal_stop_ca(ca),
+ ])
if ca_restart:
root_logger.info('pki-ca configuration changed, restart pki-ca')