-rw-r--r--install/restart_scripts/renew_ca_cert16
-rw-r--r--install/restart_scripts/restart_dirsrv4
-rw-r--r--ipaserver/install/cainstance.py1
3 files changed, 20 insertions, 1 deletions
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index e4374eca..6e4d2b78 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -25,6 +25,8 @@ import shutil
import tempfile
import krbV
import syslog
+import random
+import time
from ipalib import api
from ipapython.dn import DN
from ipalib import errors
@@ -34,6 +36,10 @@ from ipaserver.install import certs
from ipaserver.plugins.ldap2 import ldap2
from ipaserver.install.cainstance import update_cert_config
+# This script a post-cert-install command for certmonger. When certmonger
+# has renewed a CA subsystem certificate a copy is put into the replicated
+# tree so it can be shared with the other IPA servers.
+
nickname = sys.argv[1]
api.bootstrap(context='restart')
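Review bot: The header comment added above `nickname = sys.argv[1]` is missing its verb; it should read `# This script is a post-cert-install command for certmonger. When certmonger`. Since this is the only place the script's role is described, it is also worth stating there that the copy placed in the replicated tree is the one the other servers pick up and that the script ends by restarting pki-ca, so a reader knows the restart further down is intentional rather than incidental. The statement run continues past this hunk.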
@@ -85,8 +91,16 @@ if nickname == 'auditSigningCert cert-pki-ca':
update_cert_config(nickname, cert)
-syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted pki-cad instance pki-ca')
+syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted pki-cad instance pki-ca to renew %s' % nickname)
+# We monitor 3 certs that are all likely to be renewed by certmonger more or
+# less at the same time. Each cert renewal is going to need to restart
+# the CA. Add a bit of randomness in this so not all three try to start it
+# at the same time. A restart is needed for each because there is no guarantee
+# that they will all be renewed at the same time.
+pause = random.randint(10,360)
+syslog.syslog(syslog.LOG_NOTICE, 'Pausing %d seconds to restart pki-ca' % pause)
+time.sleep(pause)
try:
ipaservices.knownservices.pki_cad.restart('pki-ca')
except Exception, e:
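Review bot: The random pause on the new `pause = random.randint(10,360)` and `time.sleep(pause)` lines only lowers the probability that the three renewal scripts restart pki-ca at the same moment; it does not rule it out, since two independent draws can still land within seconds of each other, and every renewal, including a single certificate renewed on its own, now waits up to six minutes before the restart. A lock held around the restart (for example `fcntl.flock` on a lock file at a path such as `<CA_STATE_DIR>/restart.lock`) would serialise the restarts deterministically and let the delay be dropped or shortened. If the delay is kept, name the bounds, `MIN_RESTART_PAUSE, MAX_RESTART_PAUSE = 10, 360`, fix the spacing in the `randint` call, and extend the comment to say the script presumably blocks certmonger for the whole pause, so the upper bound should stay under any timeout certmonger applies to post-save commands. The try block that performs the restart continues past the end of this hunk.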
diff --git a/install/restart_scripts/restart_dirsrv b/install/restart_scripts/restart_dirsrv
index d6bbbbc3..a9bb897b 100644
--- a/install/restart_scripts/restart_dirsrv
+++ b/install/restart_scripts/restart_dirsrv
@@ -22,12 +22,16 @@
import sys
import syslog
from ipapython import services as ipaservices
+from ipalib import api
try:
instance = sys.argv[1]
except IndexError:
instance = ""
+api.bootstrap(context='restart')
+api.finalize()
+
syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted dirsrv instance '%s'" % instance)
try:
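Review bot: Nothing in this hunk reads `api` after the new `api.bootstrap(context='restart')` and `api.finalize()` calls, and because they run before the syslog message and before the restart that follows, an exception raised while loading the IPA configuration aborts the script without logging anything and without restarting dirsrv, which is the one action the script exists to perform. If later code needs `api.env`, add a one-line comment saying what it reads, e.g. `# Load the IPA configuration (api.env) for the code below`, and consider moving the bootstrap after the syslog call or catching its failure so the restart still happens. The body that uses these values lies outside the hunk, so this is inferred from the visible lines only.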
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index b00ceeae..1d953757 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1320,6 +1320,7 @@ def update_cert_config(nickname, cert):
directives = {'auditSigningCert cert-pki-ca': 'ca.audit_signing.cert',
'ocspSigningCert cert-pki-ca': 'ca.ocsp_signing.cert',
'caSigningCert cert-pki-ca': 'ca.signing.cert',
+ 'subsystemCert cert-pki-ca': 'ca.subsystem.cert',
'Server-Cert cert-pki-ca': 'ca.sslserver.cert' }
installutils.set_directive('/var/lib/%s/conf/CS.cfg' % PKI_INSTANCE_NAME,