authorJan Cholasta <jcholast@redhat.com>2014-01-23 15:33:26 +0100
committerPetr Viktorin <pviktori@redhat.com>2014-03-10 18:41:10 +0100
commit8e986904096925fc08df8cbdf271d722314c5460 (patch)
treead4fca6b98f049a26df5620eb7691d6a491aea3a /install/restart_scripts/renew_ca_cert
parentd727599aa804aecd91de969a9309c1903d0cfdce (diff)
Log unhandled exceptions in certificate renewal scripts.
https://fedorahosted.org/freeipa/ticket/4093 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'install/restart_scripts/renew_ca_cert')
-rw-r--r--install/restart_scripts/renew_ca_cert137
1 files changed, 72 insertions, 65 deletions
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 09acfc236..2ae869db9 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -26,6 +26,7 @@ import tempfile
import syslog
import random
import time
+import traceback
from ipalib import api
from ipapython.dn import DN
from ipalib import errors
@@ -42,80 +43,86 @@ from ipapython import certmonger
# has renewed a CA subsystem certificate a copy is put into the replicated
# tree so it can be shared with the other IPA servers.
-nickname = sys.argv[1]
+def main():
+ nickname = sys.argv[1]
-api.bootstrap(context='restart')
-api.finalize()
+ api.bootstrap(context='restart')
+ api.finalize()
-configured_constants = dogtag.configured_constants(api)
-alias_dir = configured_constants.ALIAS_DIR
-dogtag_service = ipaservices.knownservices[configured_constants.SERVICE_NAME]
-dogtag_instance = configured_constants.PKI_INSTANCE_NAME
+ configured_constants = dogtag.configured_constants(api)
+ alias_dir = configured_constants.ALIAS_DIR
+ dogtag_service = ipaservices.knownservices[configured_constants.SERVICE_NAME]
+ dogtag_instance = configured_constants.PKI_INSTANCE_NAME
-# Fetch the new certificate
-db = certs.CertDB(api.env.realm, nssdir=alias_dir)
-cert = db.get_cert_from_db(nickname, pem=False)
+ # Fetch the new certificate
+ db = certs.CertDB(api.env.realm, nssdir=alias_dir)
+ cert = db.get_cert_from_db(nickname, pem=False)
-if not cert:
- syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' % nickname)
- sys.exit(1)
+ if not cert:
+ syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' % nickname)
+ sys.exit(1)
-# Update or add it
-tmpdir = tempfile.mkdtemp(prefix = "tmp-")
-try:
- dn = DN(('cn',nickname), ('cn', 'ca_renewal'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
- principal = str('host/%s@%s' % (api.env.host, api.env.realm))
- ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, principal)
- conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
- conn.connect(ccache=ccache)
+ # Update or add it
+ tmpdir = tempfile.mkdtemp(prefix = "tmp-")
try:
- entry_attrs = conn.get_entry(dn, ['usercertificate'])
- entry_attrs['usercertificate'] = cert
- conn.update_entry(entry_attrs)
- except errors.NotFound:
- entry_attrs = conn.make_entry(
- dn,
- objectclass=['top', 'pkiuser', 'nscontainer'],
- usercertificate=[cert])
- conn.add_entry(entry_attrs)
- except errors.EmptyModlist:
- pass
- conn.disconnect()
-except Exception, e:
- syslog.syslog(syslog.LOG_ERR, 'Updating renewal certificate failed: %s' % e)
-finally:
- shutil.rmtree(tmpdir)
+ dn = DN(('cn',nickname), ('cn', 'ca_renewal'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
+ principal = str('host/%s@%s' % (api.env.host, api.env.realm))
+ ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, principal)
+ conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
+ conn.connect(ccache=ccache)
+ try:
+ entry_attrs = conn.get_entry(dn, ['usercertificate'])
+ entry_attrs['usercertificate'] = cert
+ conn.update_entry(entry_attrs)
+ except errors.NotFound:
+ entry_attrs = conn.make_entry(
+ dn,
+ objectclass=['top', 'pkiuser', 'nscontainer'],
+ usercertificate=[cert])
+ conn.add_entry(entry_attrs)
+ except errors.EmptyModlist:
+ pass
+ conn.disconnect()
+ except Exception, e:
+ syslog.syslog(syslog.LOG_ERR, 'Updating renewal certificate failed: %s' % e)
+ finally:
+ shutil.rmtree(tmpdir)
-# Done withing stopped_service context, CA restarted here
-update_cert_config(nickname, cert)
+ # Done withing stopped_service context, CA restarted here
+ update_cert_config(nickname, cert)
-if nickname == 'subsystemCert cert-pki-ca':
- update_people_entry('pkidbuser', cert)
+ if nickname == 'subsystemCert cert-pki-ca':
+ update_people_entry('pkidbuser', cert)
-if nickname == 'auditSigningCert cert-pki-ca':
- # Fix trust on the audit cert
- db = certs.CertDB(api.env.realm, nssdir=alias_dir)
- args = ['-M',
- '-n', nickname,
- '-t', 'u,u,Pu',
- ]
+ if nickname == 'auditSigningCert cert-pki-ca':
+ # Fix trust on the audit cert
+ db = certs.CertDB(api.env.realm, nssdir=alias_dir)
+ args = ['-M',
+ '-n', nickname,
+ '-t', 'u,u,Pu',
+ ]
+ try:
+ db.run_certutil(args)
+ syslog.syslog(syslog.LOG_NOTICE, 'Updated trust on certificate %s in %s' % (nickname, db.secdir))
+ except ipautil.CalledProcessError:
+ syslog.syslog(syslog.LOG_ERR, 'Updating trust on certificate %s failed in %s' % (nickname, db.secdir))
+
+ # Now we can start the CA. Using the ipaservices start should fire
+ # off the servlet to verify that the CA is actually up and responding so
+ # when this returns it should be good-to-go. The CA was stopped in the
+ # pre-save state.
+ syslog.syslog(syslog.LOG_NOTICE, 'Starting %s' % dogtag_service.service_name)
try:
- db.run_certutil(args)
- syslog.syslog(syslog.LOG_NOTICE, 'Updated trust on certificate %s in %s' % (nickname, db.secdir))
- except ipautil.CalledProcessError:
- syslog.syslog(syslog.LOG_ERR, 'Updating trust on certificate %s failed in %s' % (nickname, db.secdir))
+ dogtag_service.start(dogtag_instance)
+ except Exception, e:
+ syslog.syslog(
+ syslog.LOG_ERR,
+ "Cannot start %s: %s" % (dogtag_service.service_name, e))
+ else:
+ syslog.syslog(
+ syslog.LOG_NOTICE, "Started %s" % dogtag_service.service_name)
-# Now we can start the CA. Using the ipaservices start should fire
-# off the servlet to verify that the CA is actually up and responding so
-# when this returns it should be good-to-go. The CA was stopped in the
-# pre-save state.
-syslog.syslog(syslog.LOG_NOTICE, 'Starting %s' % dogtag_service.service_name)
try:
- dogtag_service.start(dogtag_instance)
-except Exception, e:
- syslog.syslog(
- syslog.LOG_ERR,
- "Cannot start %s: %s" % (dogtag_service.service_name, e))
-else:
- syslog.syslog(
- syslog.LOG_NOTICE, "Started %s" % dogtag_service.service_name)
+ main()
+except Exception:
+ syslog.syslog(syslog.LOG_ERR, traceback.format_exc())
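Review bot: The new catch-all at the end of the hunk logs the traceback but then lets the script fall off the end and exit with status 0, so certmonger (and anyone checking the exit code) sees a successful renewal even though main() aborted — possibly before the `dogtag_service.start(dogtag_instance)` call, in which case the CA stays stopped (the comment above the start says it was stopped in the pre-save state). After logging, the handler should exit non-zero, e.g. `sys.exit(1)`; the existing `sys.exit(1)` on the missing-certificate path is unaffected because SystemExit is not a subclass of Exception. A secondary point is that `traceback.format_exc()` is multi-line and goes out as a single syslog record; emitting it per line, `for line in traceback.format_exc().splitlines(): syslog.syslog(syslog.LOG_ERR, line)`, keeps each frame intact in the log. The inner `except Exception, e:` around the LDAP update is pre-existing behaviour and not part of this change.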