author | Jan Cholasta <jcholast@redhat.com> | 2014-01-23 15:33:26 +0100 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-03-10 18:41:10 +0100 |
commit | 8e986904096925fc08df8cbdf271d722314c5460 (patch) | |
tree | ad4fca6b98f049a26df5620eb7691d6a491aea3a /install/restart_scripts/renew_ca_cert | |
parent | d727599aa804aecd91de969a9309c1903d0cfdce (diff) | |
Log unhandled exceptions in certificate renewal scripts.
https://fedorahosted.org/freeipa/ticket/4093
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'install/restart_scripts/renew_ca_cert')
-rw-r--r-- | install/restart_scripts/renew_ca_cert | 137 |
1 files changed, 72 insertions, 65 deletions
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 09acfc236..2ae869db9 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -26,6 +26,7 @@ import tempfile
 import syslog
 import random
 import time
+import traceback
 from ipalib import api
 from ipapython.dn import DN
 from ipalib import errors
@@ -42,80 +43,86 @@ from ipapython import certmonger # has renewed a CA subsystem certificate a copy is put into the replicated # tree so it can be shared with the other IPA servers. -nickname = sys.argv[1] +def main(): + nickname = sys.argv[1] -api.bootstrap(context='restart') -api.finalize() + api.bootstrap(context='restart') + api.finalize() -configured_constants = dogtag.configured_constants(api) -alias_dir = configured_constants.ALIAS_DIR -dogtag_service = ipaservices.knownservices[configured_constants.SERVICE_NAME] -dogtag_instance = configured_constants.PKI_INSTANCE_NAME + configured_constants = dogtag.configured_constants(api) + alias_dir = configured_constants.ALIAS_DIR + dogtag_service = ipaservices.knownservices[configured_constants.SERVICE_NAME] + dogtag_instance = configured_constants.PKI_INSTANCE_NAME -# Fetch the new certificate -db = certs.CertDB(api.env.realm, nssdir=alias_dir) -cert = db.get_cert_from_db(nickname, pem=False) + # Fetch the new certificate + db = certs.CertDB(api.env.realm, nssdir=alias_dir) + cert = db.get_cert_from_db(nickname, pem=False) -if not cert: - syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' % nickname) - sys.exit(1) + if not cert: + syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' 
% nickname) + sys.exit(1) -# Update or add it -tmpdir = tempfile.mkdtemp(prefix = "tmp-") -try: - dn = DN(('cn',nickname), ('cn', 'ca_renewal'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn) - principal = str('host/%s@%s' % (api.env.host, api.env.realm)) - ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, principal) - conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri) - conn.connect(ccache=ccache) + # Update or add it + tmpdir = tempfile.mkdtemp(prefix = "tmp-") try: - entry_attrs = conn.get_entry(dn, ['usercertificate']) - entry_attrs['usercertificate'] = cert - conn.update_entry(entry_attrs) - except errors.NotFound: - entry_attrs = conn.make_entry( - dn, - objectclass=['top', 'pkiuser', 'nscontainer'], - usercertificate=[cert]) - conn.add_entry(entry_attrs) - except errors.EmptyModlist: - pass - conn.disconnect() -except Exception, e: - syslog.syslog(syslog.LOG_ERR, 'Updating renewal certificate failed: %s' % e) -finally: - shutil.rmtree(tmpdir) + dn = DN(('cn',nickname), ('cn', 'ca_renewal'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn) + principal = str('host/%s@%s' % (api.env.host, api.env.realm)) + ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, principal) + conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri) + conn.connect(ccache=ccache) + try: + entry_attrs = conn.get_entry(dn, ['usercertificate']) + entry_attrs['usercertificate'] = cert + conn.update_entry(entry_attrs) + except errors.NotFound: + entry_attrs = conn.make_entry( + dn, + objectclass=['top', 'pkiuser', 'nscontainer'], + usercertificate=[cert]) + conn.add_entry(entry_attrs) + except errors.EmptyModlist: + pass + conn.disconnect() + except Exception, e: + syslog.syslog(syslog.LOG_ERR, 'Updating renewal certificate failed: %s' % e) + finally: + shutil.rmtree(tmpdir) -# Done withing stopped_service context, CA restarted here -update_cert_config(nickname, cert) + # Done withing stopped_service context, CA restarted here + 
update_cert_config(nickname, cert) -if nickname == 'subsystemCert cert-pki-ca': - update_people_entry('pkidbuser', cert) + if nickname == 'subsystemCert cert-pki-ca': + update_people_entry('pkidbuser', cert) -if nickname == 'auditSigningCert cert-pki-ca': - # Fix trust on the audit cert - db = certs.CertDB(api.env.realm, nssdir=alias_dir) - args = ['-M', - '-n', nickname, - '-t', 'u,u,Pu', - ] + if nickname == 'auditSigningCert cert-pki-ca': + # Fix trust on the audit cert + db = certs.CertDB(api.env.realm, nssdir=alias_dir) + args = ['-M', + '-n', nickname, + '-t', 'u,u,Pu', + ] + try: + db.run_certutil(args) + syslog.syslog(syslog.LOG_NOTICE, 'Updated trust on certificate %s in %s' % (nickname, db.secdir)) + except ipautil.CalledProcessError: + syslog.syslog(syslog.LOG_ERR, 'Updating trust on certificate %s failed in %s' % (nickname, db.secdir)) + + # Now we can start the CA. Using the ipaservices start should fire + # off the servlet to verify that the CA is actually up and responding so + # when this returns it should be good-to-go. The CA was stopped in the + # pre-save state. + syslog.syslog(syslog.LOG_NOTICE, 'Starting %s' % dogtag_service.service_name) try: - db.run_certutil(args) - syslog.syslog(syslog.LOG_NOTICE, 'Updated trust on certificate %s in %s' % (nickname, db.secdir)) - except ipautil.CalledProcessError: - syslog.syslog(syslog.LOG_ERR, 'Updating trust on certificate %s failed in %s' % (nickname, db.secdir)) + dogtag_service.start(dogtag_instance) + except Exception, e: + syslog.syslog( + syslog.LOG_ERR, + "Cannot start %s: %s" % (dogtag_service.service_name, e)) + else: + syslog.syslog( + syslog.LOG_NOTICE, "Started %s" % dogtag_service.service_name) -# Now we can start the CA. Using the ipaservices start should fire -# off the servlet to verify that the CA is actually up and responding so -# when this returns it should be good-to-go. The CA was stopped in the -# pre-save state. 
-syslog.syslog(syslog.LOG_NOTICE, 'Starting %s' % dogtag_service.service_name) try: - dogtag_service.start(dogtag_instance) -except Exception, e: - syslog.syslog( - syslog.LOG_ERR, - "Cannot start %s: %s" % (dogtag_service.service_name, e)) -else: - syslog.syslog( - syslog.LOG_NOTICE, "Started %s" % dogtag_service.service_name) + main() +except Exception: + syslog.syslog(syslog.LOG_ERR, traceback.format_exc()) |
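Review bot: The new module-level `except Exception:` at the end of the hunk logs the traceback and then lets the script fall off the end, so a run that blew up inside `main()` still exits with status 0; if certmonger or any other caller inspects the exit status, it will take the post-renewal processing as successful. Add `sys.exit(1)` after the `syslog.syslog(syslog.LOG_ERR, traceback.format_exc())` line (`sys` is already imported, as `sys.argv[1]` shows). The `sys.exit(1)` that remains inside `main()` for the missing-certificate case is unaffected, since `SystemExit` is not an `Exception` subclass and still propagates through the new handler. `traceback.format_exc()` is multi-line and syslog backends commonly flatten or truncate such a message, so emitting it one frame per call, `for line in traceback.format_exc().splitlines(): syslog.syslog(syslog.LOG_ERR, line)`, keeps the log readable.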