author | Rob Crittenden <rcritten@redhat.com> | 2014-08-08 16:09:42 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2012-09-06 19:09:18 -0400 |
commit | 0f81268ec4a006625c8286ac7c6f5fed5aab7346 (patch) | |
tree | 849b599137a4e88f9c364c9867b08977c12d516a | |
parent | f33adf22f80ebcdc0a17d732af99e0529df654f2 (diff) | |
Fix some restart script issues found with certificate renewal.
The restart_dirsrv script wasn't initializing the api so the
startup_timeout wasn't available.
The subsystemCert cert-pki-ca definition was missing so we didn't
know which certificate to update in CS.cfg.
Add some documentation and a pause between restarts for the
renew_ca_cert script so that when the CA subsystem certs are renewed
they don't all try to restart the CA at the same time.
https://fedorahosted.org/freeipa/ticket/3006
-rw-r--r-- | install/restart_scripts/renew_ca_cert | 16 | ||||
-rw-r--r-- | install/restart_scripts/restart_dirsrv | 4 | ||||
-rw-r--r-- | ipaserver/install/cainstance.py | 1 |
3 files changed, 20 insertions, 1 deletions
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index e4374eca5..6e4d2b789 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -25,6 +25,8 @@ import shutil
 import tempfile
 import krbV
 import syslog
+import random
+import time
 from ipalib import api
 from ipapython.dn import DN
 from ipalib import errors
@@ -34,6 +36,10 @@ from ipaserver.install import certs
 from ipaserver.plugins.ldap2 import ldap2
 from ipaserver.install.cainstance import update_cert_config
+# This script a post-cert-install command for certmonger. When certmonger
+# has renewed a CA subsystem certificate a copy is put into the replicated
+# tree so it can be shared with the other IPA servers.
+
 nickname = sys.argv[1]
 api.bootstrap(context='restart')
@@ -85,8 +91,16 @@ if nickname == 'auditSigningCert cert-pki-ca':
 update_cert_config(nickname, cert)
-syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted pki-cad instance pki-ca')
+syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted pki-cad instance pki-ca to renew %s' % nickname)
+# We monitor 3 certs that are all likely to be renewed by certmonger more or
+# less at the same time. Each cert renewal is going to need to restart
+# the CA. Add a bit of randomness in this so not all three try to start it
+# at the same time. A restart is needed for each because there is no guarantee
+# that they will all be renewed at the same time.
+pause = random.randint(10,360)
+syslog.syslog(syslog.LOG_NOTICE, 'Pausing %d seconds to restart pki-ca' % pause)
+time.sleep(pause)
 try:
     ipaservices.knownservices.pki_cad.restart('pki-ca')
 except Exception, e:
diff --git a/install/restart_scripts/restart_dirsrv b/install/restart_scripts/restart_dirsrv
index d6bbbbc3f..a9bb897ba 100644
--- a/install/restart_scripts/restart_dirsrv
+++ b/install/restart_scripts/restart_dirsrv
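Review bot: The new header comment in the second hunk is missing its verb: `# This script a post-cert-install command for certmonger.` should read `# This script is a post-cert-install command for certmonger.`. While touching it, state the calling contract the script relies on, namely that certmonger passes the certificate nickname as the single argument read by `nickname = sys.argv[1]`, so the next reader does not have to infer it from the argv access below.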
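Review bot: The random pause added before the pki-ca restart in the third hunk only lowers the probability that concurrent renewals restart the CA at the same moment; two invocations that draw close values still collide, and every renewal now also waits up to six minutes even when no other renewal is in flight. A lock is deterministic: open a lock file and hold `fcntl.flock(lockfd, fcntl.LOCK_EX)` around the `update_cert_config` call and the restart, keeping the jitter only if spreading the restarts is still wanted. The comment also says three certificates are monitored while the `directives` map in cainstance.py now carries five nicknames, so naming the nicknames this script is registered for keeps the comment from going stale. Minor style point: `random.randint(10,360)` wants a space after the comma per PEP 8.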
@@ -22,12 +22,16 @@ import sys
 import syslog
 from ipapython import services as ipaservices
+from ipalib import api
 try:
     instance = sys.argv[1]
 except IndexError:
     instance = ""
+api.bootstrap(context='restart')
+api.finalize()
+
 syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted dirsrv instance '%s'" % instance)
 try:
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index b00ceeaed..1d953757c 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1320,6 +1320,7 @@ def update_cert_config(nickname, cert):
     directives = {'auditSigningCert cert-pki-ca': 'ca.audit_signing.cert',
                   'ocspSigningCert cert-pki-ca': 'ca.ocsp_signing.cert',
                   'caSigningCert cert-pki-ca': 'ca.signing.cert',
+                  'subsystemCert cert-pki-ca': 'ca.subsystem.cert',
                   'Server-Cert cert-pki-ca': 'ca.sslserver.cert' }
     installutils.set_directive('/var/lib/%s/conf/CS.cfg' % PKI_INSTANCE_NAME, |
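Review bot: `api.bootstrap(context='restart')` and `api.finalize()` run before anything is written to syslog, so if either raises (unreadable or missing configuration, for instance) the script dies with a traceback that only certmonger sees and dirsrv is never restarted, whereas before this change the restart had no such dependency. Since certmonger runs this non-interactively, wrap the two calls in a `try:`/`except Exception, e:` in the style of the existing restart handler, log the failure with `syslog.syslog(syslog.LOG_ERR, ...)` and exit non-zero so the cause is visible in the system log. A one-line comment on why the api is initialised here would also help, since only the commit message explains it: `# bootstrap the api so startup_timeout is available to the restart below`. The `try:` at the end of the hunk belongs to the restart block that continues outside it.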
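Review bot: The new `'subsystemCert cert-pki-ca'` entry completes the nickname-to-directive map, but how an unmapped nickname is handled is not visible in this hunk; if the lookup is a plain `directives[nickname]`, a restart script passing an unsupported nickname gets a bare `KeyError` with nothing pointing at the cause. A docstring on `update_cert_config` (its `def` line is outside the hunk) listing the supported nicknames and stating that the matching directive in CS.cfg is rewritten with the supplied certificate would make that contract explicit for the restart scripts that call it. Nothing here validates the directive names against what pki-ca actually reads, so `ca.subsystem.cert` is worth confirming against a live CS.cfg before this ships.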