Fix renewal lock issues on installation

- Make sure that the file /var/run/ipa/renewal.lock is deleted upon
uninstallation, in order to avoid subsequent installation issues.

- Modify certmonger renewal script: restart the http/dirsrv services
only if they were already running

- Cleanup certmonger ra renewal script: no need to restart httpd

- Reorder during http install: request the SSL cert before adding
ipa-service-guard
Rationale: when a CA helper is modified, certmonger launches the helper
with various operations (FETCH_ROOTS, ...) If the CA helper is once again
modified, the on-going helper is killed. This can lead to
ipa-service-guard being killed and not releasing the renew lock.

If the SSL cert is requested with IPA helper before ipa-service-guard is added,
we avoid this locking issue.

Part of the refactoring effort, certificates sub-effort.

https://fedorahosted.org/freeipa/ticket/6433

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>

1 files changed, 0 insertions, 10 deletions

diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index d71d6e2ac..40ef7289b 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -30,7 +30,6 @@ import traceback
 from ipapython import ipautil
 from ipalib import api
 from ipaserver.install import certs, cainstance, krainstance
-from ipaplatform import services
 from ipaplatform.paths import paths
 
 
@@ -68,15 +67,6 @@ def _main():
         shutil.rmtree(tmpdir)
         api.Backend.ldap2.disconnect()
 
-    # Now restart Apache so the new certificate is available
-    syslog.syslog(syslog.LOG_NOTICE, "Restarting httpd")
-    try:
-        services.knownservices.httpd.restart()
-    except Exception as e:
-        syslog.syslog(syslog.LOG_ERR, "Cannot restart httpd: %s" % e)
-    else:
-        syslog.syslog(syslog.LOG_NOTICE, "Restarted httpd")
-
 
 def main():
     try: