From 23be08572d9e7b133860044c7bf1ba70ae7a9340 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Fri, 8 Aug 2014 16:09:42 -0400
Subject: Fix some restart script issues found with certificate renewal.

The restart_dirsrv script wasn't initializing the api so the startup_timeout wasn't available. The subsystemCert cert-pki-ca definition was missing so we didn't know which certificate to update in CS.cfg. Add some documentation and a pause between restarts for the renew_ca_cert script so that when the CA subsystem certs are renewed they don't all try to restart the CA at the same time.

https://fedorahosted.org/freeipa/ticket/3006
---
 install/restart_scripts/renew_ca_cert  | 16 +++++++++++++++-
 install/restart_scripts/restart_dirsrv |  4 ++++
 2 files changed, 19 insertions(+), 1 deletion(-)
(limited to 'install')

diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index e4374eca..6e4d2b78 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -25,6 +25,8 @@ import shutil
 import tempfile
 import krbV
 import syslog
+import random
+import time
 from ipalib import api
 from ipapython.dn import DN
 from ipalib import errors
@@ -34,6 +36,10 @@ from ipaserver.install import certs
 from ipaserver.plugins.ldap2 import ldap2
 from ipaserver.install.cainstance import update_cert_config
 
+# This script a post-cert-install command for certmonger. When certmonger
+# has renewed a CA subsystem certificate a copy is put into the replicated
+# tree so it can be shared with the other IPA servers.
+
 nickname = sys.argv[1]
 api.bootstrap(context='restart')
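Review bot: The new header comment in the second hunk drops its verb: `# This script a post-cert-install command for certmonger.` should read `# This script is a post-cert-install command for certmonger.`. Since the script reads `sys.argv[1]` as `nickname` directly below the comment, the comment is also the natural place to state the calling convention, e.g. `# certmonger appears to invoke it with the NSS nickname of the renewed cert as argv[1].` (the exact certmonger contract is not visible in this patch, so confirm the wording). The statement run continues past the hunk with `api.bootstrap(context='restart')`.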
@@ -85,8 +91,16 @@ if nickname == 'auditSigningCert cert-pki-ca':
 
     update_cert_config(nickname, cert)
 
-syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted pki-cad instance pki-ca')
+syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted pki-cad instance pki-ca to renew %s' % nickname)
 
+# We monitor 3 certs that are all likely to be renewed by certmonger more or
+# less at the same time. Each cert renewal is going to need to restart
+# the CA. Add a bit of randomness in this so not all three try to start it
+# at the same time. A restart is needed for each because there is no guarantee
+# that they will all be renewed at the same time.
+pause = random.randint(10,360)
+syslog.syslog(syslog.LOG_NOTICE, 'Pausing %d seconds to restart pki-ca' % pause)
+time.sleep(pause)
 try:
     ipaservices.knownservices.pki_cad.restart('pki-ca')
 except Exception, e:
diff --git a/install/restart_scripts/restart_dirsrv b/install/restart_scripts/restart_dirsrv
index d6bbbbc3..a9bb897b 100644
--- a/install/restart_scripts/restart_dirsrv
+++ b/install/restart_scripts/restart_dirsrv
@@ -22,12 +22,16 @@ import sys
 import syslog
 from ipapython import services as ipaservices
+from ipalib import api
 
 try:
     instance = sys.argv[1]
 except IndexError:
     instance = ""
 
+api.bootstrap(context='restart')
+api.finalize()
+
 syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted dirsrv instance '%s'" % instance)
 
 try:
-- 
cgit
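Review bot: The random pause inserted before `try:` only lowers the odds that the three renewal helpers restart pki-ca concurrently; two helpers can still draw neighbouring values from `random.randint(10,360)` and collide, so the comment above it promises more than the code delivers. An exclusive `fcntl.flock` on a lock file (module `fcntl` would need importing alongside the new `random` and `time`) makes the restarts serialize deterministically, and the pause could then be shortened or dropped while each helper still performs its own restart, as the comment requires. The lock is released when the helper exits and closes the descriptor, so the `except Exception, e:` handler, whose body continues outside the hunk, needs no change. The lock path below is a placeholder to be confirmed against where this host keeps runtime state.
```python
# … unchanged: update_cert_config(nickname, cert) and the syslog notice …
# Serialize the CA restart across the three renewal helpers: a random
# pause only spreads them out, an exclusive lock guarantees one at a time.
# flock is released when this process exits and closes the descriptor.
lock_fd = open('/var/run/ipa-renew-ca-cert.lock', 'w')  # TODO confirm path
fcntl.flock(lock_fd, fcntl.LOCK_EX)
try:
    ipaservices.knownservices.pki_cad.restart('pki-ca')
except Exception, e:
```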
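Review bot: The added `api.bootstrap(context='restart')` / `api.finalize()` pair carries no explanation of why a dirsrv restart helper now needs the IPA api initialized; the commit message says the restart code reads `startup_timeout` from it, and that reason belongs in the file. A comment such as `# Initialize the api so the restart helper can read api.env.startup_timeout` above `api.bootstrap` would do. Note also that this initialization now runs before the syslog notice, so a failure inside `finalize()` presumably ends the script with nothing recorded in syslog — confirm that is acceptable for a certmonger hook. The trailing `try:` opens a block that continues outside the hunk.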