freeipa.git/install/restart_scripts/renew_ra_cert, branch getkeytab

Merge restart_httpd functionality to renew_ra_cert.

2014-03-25T15:54:55+00:00

Reviewed-By: Petr Viktorin

Use dogtag-ipa-ca-renew-agent to track certificates on master CA.

2014-03-25T15:54:55+00:00

Before, dogtag-ipa-renew-agent was used to track the certificates and the
certificates were stored to LDAP in renew_ca_cert and renew_ra_cert. Since
dogtag-ipa-ca-renew-agent can store the certificates itself, the storage code
was removed from renew_ca_cert and renew_ra_cert.

Reviewed-By: Petr Viktorin

Fix certificate renewal scripts to work with separate CA DS instance.

2014-03-25T15:54:54+00:00

https://fedorahosted.org/freeipa/ticket/3805

Reviewed-By: Petr Viktorin

Log unhandled exceptions in certificate renewal scripts.

2014-03-10T17:41:10+00:00

https://fedorahosted.org/freeipa/ticket/4093

Reviewed-By: Petr Viktorin

Convert remaining installer code to LDAPEntry API.

2014-01-24T19:29:31+00:00

Use /usr/bin/python2

2014-01-03T08:46:05+00:00

Part of the effort to port FreeIPA to Arch Linux,
where Python 3 is the default.

FreeIPA hasn't been ported to Python 3, so the code must be modified to
run /usr/bin/python2

https://fedorahosted.org/freeipa/ticket/3438

Updated by pviktori@redhat.com

Remove support for DN normalization from LDAPClient.

2013-03-01T15:59:47+00:00

Remove some unused imports

2013-03-01T15:59:42+00:00

Remove all unused LDAP-related imports, plus some other ones.

This should make it easier to quickly check what uses which LDAP wrapper

Use new certmonger locking to prevent NSS database corruption.

2013-01-29T16:16:38+00:00

dogtag opens its NSS database in read/write mode so we need to be very
careful during renewal that we don't also open it up read/write. We
basically need to serialize access to the database. certmonger does the
majority of this work via internal locking from the point where it generates
a new key/submits a rewewal through the pre_save and releases the lock after
the post_save command. This lock is held per NSS database so we're save
from certmonger. dogtag needs to be shutdown in the pre_save state so
certmonger can safely add the certificate and we can manipulate trust
in the post_save command.

Fix a number of bugs in renewal. The CA wasn't actually being restarted
at all due to a naming change upstream. In python we need to reference
services using python-ish names but the service is pki-cad. We need a
translation for non-Fedora systems as well.

Update the CA ou=People entry when he CA subsystem certificate is
renewed. This certificate is used as an identity certificate to bind
to the DS instance.

https://fedorahosted.org/freeipa/ticket/3292
https://fedorahosted.org/freeipa/ticket/3322

Wait for the directory server to come up when updating the agent certificate.

2012-11-01T17:36:52+00:00

It is possible that either or both of the LDAP instances are being restarted
during the renewal process. Make the script retry if this is the case.

It is also safe to re-run this script if it fails. It will take the current
ipaCert certificate and attempt to update the agent information in LDAP.

https://fedorahosted.org/freeipa/ticket/3179