From 045b6e6ed995b4c1e5dab8dbcdf1af4896b52d19 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Tue, 2 Dec 2014 13:18:36 -0500 Subject: Use new certmonger locking to prevent NSS database corruption. dogtag opens its NSS database in read/write mode so we need to be very careful during renewal that we don't also open it up read/write. We basically need to serialize access to the database. certmonger does the majority of this work via internal locking from the point where it generates a new key/submits a rewewal through the pre_save and releases the lock after the post_save command. This lock is held per NSS database so we're save from certmonger. dogtag needs to be shutdown in the pre_save state so certmonger can safely add the certificate and we can manipulate trust in the post_save command. Fix a number of bugs in renewal. The CA wasn't actually being restarted at all due to a naming change upstream. In python we need to reference services using python-ish names but the service is pki-cad. We need a translation for non-Fedora systems as well. Update the CA ou=People entry when he CA subsystem certificate is renewed. This certificate is used as an identity certificate to bind to the DS instance. https://fedorahosted.org/freeipa/ticket/3292 https://fedorahosted.org/freeipa/ticket/3322 --- install/restart_scripts/restart_pkicad | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) (limited to 'install/restart_scripts/restart_pkicad') diff --git a/install/restart_scripts/restart_pkicad b/install/restart_scripts/restart_pkicad index 0b6040a9..a58c3f31 100644 --- a/install/restart_scripts/restart_pkicad +++ b/install/restart_scripts/restart_pkicad @@ -35,8 +35,16 @@ configured_constants = dogtag.configured_constants(api) alias_dir = configured_constants.ALIAS_DIR dogtag_instance = configured_constants.PKI_INSTANCE_NAME -syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted %sd, nickname '%s'" % - (dogtag_instance, nickname)) +# dogtag opens its NSS database in read/write mode so we need it +# shut down so certmonger can open it read/write mode. This avoids +# database corruption. It should already be stopped by the pre-command +# but lets be sure. +if ipaservices.knownservices.pki_cad.is_running(dogtag_instance): + try: + ipaservices.knownservices.pki_cad.stop(dogtag_instance) + except Exception, e: + syslog.syslog(syslog.LOG_ERR, "Cannot stop %sd: %s" % + (dogtag_instance, str(e))) # Fix permissions on the audit cert if we're updating it if nickname == 'auditSigningCert cert-pki-ca': @@ -48,10 +56,13 @@ if nickname == 'auditSigningCert cert-pki-ca': db.run_certutil(args) try: - # I've seen times where systemd restart does not actually restart - # the process. A full stop/start is required. This works around that - ipaservices.knownservices.pki_cad.stop(dogtag_instance) - ipaservices.knownservices.pki_cad.start(dogtag_instance) + if configured_constants.DOGTAG_VERSION == 9: + ipaservices.knownservices.pki_cad.start(dogtag_instance) + else: + ipaservices.knownservices.pki_tomcatd.start(dogtag_instance) except Exception, e: - syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" % + syslog.syslog(syslog.LOG_ERR, "Cannot start %sd: %s" % (dogtag_instance, str(e))) +else: + syslog.syslog(syslog.LOG_NOTICE, "certmonger started %sd, nickname '%s'" % + (dogtag_instance, nickname)) -- cgit