authorFlorence Blanc-Renaud <flo@redhat.com>2016-11-10 13:14:34 +0100
committerMartin Basti <mbasti@redhat.com>2016-11-16 09:10:01 +0100
commit198cd5fab3937fd8948bea4b4949e30db4e490a4 (patch)
treedd1c924e9b61b5fdafc63cd4ad4db0ba38a895c5
parent4b3bd5424246d8386a33a73f9a98c6958823093e (diff)
Fix renewal lock issues on installation
- Make sure that the file /var/run/ipa/renewal.lock is deleted upon uninstallation, in order to avoid subsequent installation issues. - Modify certmonger renewal script: restart the http/dirsrv services only if they were already running - Cleanup certmonger ra renewal script: no need to restart httpd - Reorder during http install: request the SSL cert before adding ipa-service-guard Rationale: when a CA helper is modified, certmonger launches the helper with various operations (FETCH_ROOTS, ...). If the CA helper is once again modified, the ongoing helper is killed. This can lead to ipa-service-guard being killed and not releasing the renew lock. If the SSL cert is requested with the IPA helper before ipa-service-guard is added, we avoid this locking issue. Part of the refactoring effort, certificates sub-effort. https://fedorahosted.org/freeipa/ticket/6433 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
-rw-r--r--install/restart_scripts/renew_ra_cert10
-rw-r--r--install/restart_scripts/restart_dirsrv3
-rw-r--r--install/restart_scripts/restart_httpd3
-rw-r--r--ipaserver/install/httpinstance.py4
-rw-r--r--ipaserver/install/server/install.py9
5 files changed, 15 insertions, 14 deletions
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index d71d6e2ac..40ef7289b 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -30,7 +30,6 @@ import traceback
from ipapython import ipautil
from ipalib import api
from ipaserver.install import certs, cainstance, krainstance
-from ipaplatform import services
from ipaplatform.paths import paths
@@ -68,15 +67,6 @@ def _main():
shutil.rmtree(tmpdir)
api.Backend.ldap2.disconnect()
- # Now restart Apache so the new certificate is available
- syslog.syslog(syslog.LOG_NOTICE, "Restarting httpd")
- try:
- services.knownservices.httpd.restart()
- except Exception as e:
- syslog.syslog(syslog.LOG_ERR, "Cannot restart httpd: %s" % e)
- else:
- syslog.syslog(syslog.LOG_NOTICE, "Restarted httpd")
-
def main():
try:
diff --git a/install/restart_scripts/restart_dirsrv b/install/restart_scripts/restart_dirsrv
index a8e78184f..72d3c544b 100644
--- a/install/restart_scripts/restart_dirsrv
+++ b/install/restart_scripts/restart_dirsrv
@@ -39,7 +39,8 @@ def _main():
syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted dirsrv instance '%s'" % instance)
try:
- services.knownservices.dirsrv.restart(instance)
+ if services.knownservices.dirsrv.is_running():
+ services.knownservices.dirsrv.restart(instance)
except Exception as e:
syslog.syslog(syslog.LOG_ERR, "Cannot restart dirsrv (instance: '%s'): %s" % (instance, str(e)))
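Review bot: The new guard calls `is_running()` without the instance, while the restart on the next line is per-instance (`restart(instance)`), so the check may report the state of a different dirsrv instance than the one being restarted; if the service API accepts an instance name for `is_running` as it does for `restart`, the line should read `if services.knownservices.dirsrv.is_running(instance):`. The notice on the first context line, "certmonger restarted dirsrv instance", is still logged unconditionally, so when the instance is stopped the log claims a restart that never happened and the renewed certificate is not loaded until someone restarts the service by hand; an `else:` branch logging that the restart was skipped because the instance was not running would keep the log trustworthy for anyone auditing renewals. The same unconditional "certmonger restarted httpd" notice applies to the restart_httpd hunk below. `_main` starts and ends outside the hunk.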
diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index 50348d4ef..d16848129 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -29,7 +29,8 @@ def _main():
syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
try:
- services.knownservices.httpd.restart()
+ if services.knownservices.httpd.is_running():
+ services.knownservices.httpd.restart()
except Exception as e:
syslog.syslog(syslog.LOG_ERR, "Cannot restart httpd: %s" % str(e))
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 39d43f221..4e8107e1a 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -166,11 +166,11 @@ class HTTPInstance(service.Service):
self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
self.step("adding URL rewriting rules", self.__add_include)
self.step("configuring httpd", self.__configure_http)
+ self.step("setting up httpd keytab", self._request_service_keytab)
+ self.step("setting up ssl", self.__setup_ssl)
if self.ca_is_configured:
self.step("configure certmonger for renewals",
self.configure_certmonger_renewal_guard)
- self.step("setting up httpd keytab", self._request_service_keytab)
- self.step("setting up ssl", self.__setup_ssl)
self.step("importing CA certificates from LDAP", self.__import_ca_certs)
self.step("publish CA cert", self.__publish_ca_cert)
self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
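Review bot: The new position of the `_request_service_keytab` and `__setup_ssl` steps ahead of `configure_certmonger_renewal_guard` carries an ordering constraint that is explained only in the commit message, so a later cleanup could move the steps back without noticing. A comment above the two moved lines would keep the reason with the code: `# Request the SSL cert before configuring the certmonger renewal guard: changing the CA helper while a request is in flight can kill ipa-service-guard and leave the renewal lock held (ticket 6433).` The enclosing method of HTTPInstance starts and ends outside the hunk.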
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 091992a27..b8a46f5c1 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -4,6 +4,7 @@
from __future__ import print_function
+import errno
import os
import pickle
import shutil
@@ -1118,6 +1119,14 @@ def uninstall(installer):
' # getcert stop-tracking -i <request_id>\n'
'for each id in: %s' % ', '.join(ids))
+ # Remove the cert renewal lock file
+ try:
+ os.remove(paths.IPA_RENEWAL_LOCK)
+ except OSError as e:
+ if e.errno != errno.ENOENT:
+ root_logger.warning("Failed to remove file %s: %s",
+ paths.IPA_RENEWAL_LOCK, e)
+
print("Removing IPA client configuration")
try:
result = run([paths.IPA_CLIENT_INSTALL, "--on-master",
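Review bot: The added cleanup removes the lock only on uninstall, so a stale `/var/run/ipa/renewal.lock` left behind on a host that is reinstalled without a clean uninstall, or after a killed guard that uninstall never ran for, would still be present at the next installation; whether the install path also checks for and reports a stale lock cannot be confirmed from this hunk and is worth verifying. The errno-based handling fits the Python 2 compatible style the module keeps (`from __future__ import print_function`), and the comment above the `try` could say why the file matters: `# Remove the cert renewal lock file; a guard killed mid-renewal leaves it behind and it would cause lock issues on a later install`. `uninstall` starts and ends outside the hunk.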