author | Jan Cholasta <jcholast@redhat.com> | 2013-10-16 09:00:44 +0000 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-03-25 16:54:55 +0100 |
commit | 2c466b79e80b8549831357b05891f3fb8dcbdaa0 (patch) | |
tree | aeff8478cada4dbc8d36649d385eab1818b54b6a /install/restart_scripts | |
parent | b5d082ec4d08712f8be5b56ea248133a76fd923a (diff) | |
Merge restart_pkicad functionality to renew_ca_cert and remove restart_pkicad.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'install/restart_scripts')
-rw-r--r-- | install/restart_scripts/Makefile.am | 1 | ||||
-rw-r--r-- | install/restart_scripts/renew_ca_cert | 41 | ||||
-rw-r--r-- | install/restart_scripts/restart_pkicad | 81 |
3 files changed, 31 insertions, 92 deletions
diff --git a/install/restart_scripts/Makefile.am b/install/restart_scripts/Makefile.am
index fc45ecc88..58057aa31 100644
--- a/install/restart_scripts/Makefile.am
+++ b/install/restart_scripts/Makefile.am
@@ -4,7 +4,6 @@ appdir = $(libdir)/ipa/certmonger
 app_DATA = \
 	restart_dirsrv \
 	restart_httpd \
-	restart_pkicad \
 	renew_ca_cert \
 	renew_ra_cert \
 	stop_pkicad \
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 9b1b45d87..2663887d6 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -44,6 +44,23 @@ def main():
     dogtag_service = ipaservices.knownservices[configured_constants.SERVICE_NAME]
     dogtag_instance = configured_constants.PKI_INSTANCE_NAME
 
+    # dogtag opens its NSS database in read/write mode so we need it
+    # shut down so certmonger can open it read/write mode. This avoids
+    # database corruption. It should already be stopped by the pre-command
+    # but lets be sure.
+    if dogtag_service.is_running(dogtag_instance):
+        syslog.syslog(
+            syslog.LOG_NOTICE, "Stopping %s" % dogtag_service.service_name)
+        try:
+            dogtag_service.stop(dogtag_instance)
+        except Exception, e:
+            syslog.syslog(
+                syslog.LOG_ERR,
+                "Cannot stop %s: %s" % (dogtag_service.service_name, e))
+        else:
+            syslog.syslog(
+                syslog.LOG_NOTICE, "Stopped %s" % dogtag_service.service_name)
+
     # Fetch the new certificate
     db = certs.CertDB(api.env.realm, nssdir=alias_dir)
     cert = db.get_cert_from_db(nickname, pem=False)
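Review bot: When `dogtag_service.stop(dogtag_instance)` raises, the new `except Exception, e:` branch only syslogs and execution falls through to `certs.CertDB(...)` / `get_cert_from_db`, so the script goes on to open the NSS database that a still-running Dogtag holds read/write — the corruption case the comment directly above warns about. This script is a certmonger post-save command, and a non-zero exit status is the signal certmonger can act on; add `sys.exit(1)` after the `syslog.LOG_ERR` call (or re-raise) so the renewal is reported as failed instead of proceeding. `sys` appears to be in scope already, since `sys.exit(1)` is used in the next hunk of this file. `main()` starts and continues outside this hunk.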
@@ -51,22 +68,26 @@ def main():
         syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' % nickname)
         sys.exit(1)
 
-    # Done withing stopped_service context, CA restarted here
     cainstance.update_cert_config(nickname, cert, configured_constants)
-    cainstance.update_people_entry(cert)
+
+    ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
+    if ca.is_renewal_master():
+        cainstance.update_people_entry(cert)
 
     if nickname == 'auditSigningCert cert-pki-ca':
         # Fix trust on the audit cert
-        db = certs.CertDB(api.env.realm, nssdir=alias_dir)
-        args = ['-M',
-                '-n', nickname,
-                '-t', 'u,u,Pu',
-               ]
         try:
-            db.run_certutil(args)
-            syslog.syslog(syslog.LOG_NOTICE, 'Updated trust on certificate %s in %s' % (nickname, db.secdir))
+            db.run_certutil(['-M',
+                             '-n', nickname,
+                             '-t', 'u,u,Pu'])
+            syslog.syslog(
+                syslog.LOG_NOTICE,
+                "Updated trust on certificate %s in %s" % (nickname, db.secdir))
         except ipautil.CalledProcessError:
-            syslog.syslog(syslog.LOG_ERR, 'Updating trust on certificate %s failed in %s' % (nickname, db.secdir))
+            syslog.syslog(
+                syslog.LOG_ERR,
+                "Updating trust on certificate %s failed in %s" %
+                (nickname, db.secdir))
 
     # Now we can start the CA. Using the ipaservices start should fire
     # off the servlet to verify that the CA is actually up and responding so
diff --git a/install/restart_scripts/restart_pkicad b/install/restart_scripts/restart_pkicad
deleted file mode 100644
index 4e14577ae..000000000
--- a/install/restart_scripts/restart_pkicad
+++ /dev/null
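Review bot: The `except ipautil.CalledProcessError:` branch after `db.run_certutil([...])` only logs that the trust update on `auditSigningCert cert-pki-ca` failed and then falls through to the CA start that follows the hunk, so the script still exits 0 and certmonger records the renewal as successful while the audit signing cert keeps whatever trust flags it had before. Make the failure visible to certmonger — `sys.exit(1)` after the `syslog.LOG_ERR` call is the minimal change — or, if starting the CA regardless is intentional, state that in the comment and still exit non-zero once the start has been attempted. A one-line comment above `if ca.is_renewal_master():` would also help, e.g. `# only the renewal master updates the people entry; clones receive it via replication — confirm against CAInstance`, since the reason for the gate is not visible here. `main()` continues outside the hunk (the CA start is below it).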
@@ -1,81 +0,0 @@
-#!/usr/bin/python2 -E
-#
-# Authors:
-# Rob Crittenden <rcritten@redhat.com>
-#
-# Copyright (C) 2012 Red Hat
-# see file 'COPYING' for use and warranty information
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-import sys
-import syslog
-import traceback
-from ipapython import services as ipaservices
-from ipapython import dogtag
-from ipaserver.install import certs
-from ipalib import api
-
-def main():
-    nickname = sys.argv[1]
-
-    api.bootstrap(context='restart')
-    api.finalize()
-
-    configured_constants = dogtag.configured_constants(api)
-    alias_dir = configured_constants.ALIAS_DIR
-    dogtag_service = ipaservices.knownservices[configured_constants.SERVICE_NAME]
-    dogtag_instance = configured_constants.PKI_INSTANCE_NAME
-
-    # dogtag opens its NSS database in read/write mode so we need it
-    # shut down so certmonger can open it read/write mode. This avoids
-    # database corruption. It should already be stopped by the pre-command
-    # but lets be sure.
-    if dogtag_service.is_running(dogtag_instance):
-        syslog.syslog(
-            syslog.LOG_NOTICE, "Stopping %s" % dogtag_service.service_name)
-        try:
-            dogtag_service.stop(dogtag_instance)
-        except Exception, e:
-            syslog.syslog(
-                syslog.LOG_ERR,
-                "Cannot stop %s: %s" % (dogtag_service.service_name, e))
-        else:
-            syslog.syslog(
-                syslog.LOG_NOTICE, "Stopped %s" % dogtag_service.service_name)
-
-    # Fix permissions on the audit cert if we're updating it
-    if nickname == 'auditSigningCert cert-pki-ca':
-        db = certs.CertDB(api.env.realm, nssdir=alias_dir)
-        args = ['-M',
-                '-n', nickname,
-                '-t', 'u,u,Pu',
-               ]
-        db.run_certutil(args)
-
-    syslog.syslog(syslog.LOG_NOTICE, 'Starting %s' % dogtag_service.service_name)
-    try:
-        dogtag_service.start(dogtag_instance)
-    except Exception, e:
-        syslog.syslog(
-            syslog.LOG_ERR,
-            "Cannot start %s: %s" % (dogtag_service.service_name, e))
-    else:
-        syslog.syslog(
-            syslog.LOG_NOTICE, "Started %s" % dogtag_service.service_name)
-
-try:
-    main()
-except Exception:
-    syslog.syslog(syslog.LOG_ERR, traceback.format_exc())