| author | Florence Blanc-Renaud <flo@redhat.com> | 2016-11-10 13:14:34 +0100 |
|---|---|---|
| committer | Martin Basti <mbasti@redhat.com> | 2016-11-16 09:10:01 +0100 |
| commit | 198cd5fab3937fd8948bea4b4949e30db4e490a4 (patch) | |
| tree | dd1c924e9b61b5fdafc63cd4ad4db0ba38a895c5 /install | |
| parent | 4b3bd5424246d8386a33a73f9a98c6958823093e (diff) | |
| download | freeipa-198cd5fab3937fd8948bea4b4949e30db4e490a4.tar.gz freeipa-198cd5fab3937fd8948bea4b4949e30db4e490a4.tar.xz freeipa-198cd5fab3937fd8948bea4b4949e30db4e490a4.zip | |
Fix renewal lock issues on installation
- Make sure that the file /var/run/ipa/renewal.lock is deleted upon
uninstallation, in order to avoid subsequent installation issues.
- Modify certmonger renewal script: restart the http/dirsrv services
only if they were already running
- Cleanup certmonger ra renewal script: no need to restart httpd
- Reorder during http install: request the SSL cert before adding
ipa-service-guard
Rationale: when a CA helper is modified, certmonger launches the helper
with various operations (FETCH_ROOTS, ...). If the CA helper is modified
again, the helper that is still running is killed. This can lead to
ipa-service-guard being killed without releasing the renewal lock.
If the SSL cert is requested with IPA helper before ipa-service-guard is added,
we avoid this locking issue.
Part of the refactoring effort, certificates sub-effort.
https://fedorahosted.org/freeipa/ticket/6433
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Diffstat (limited to 'install')
| -rw-r--r-- | install/restart_scripts/renew_ra_cert | 10 | ||||
| -rw-r--r-- | install/restart_scripts/restart_dirsrv | 3 | ||||
| -rw-r--r-- | install/restart_scripts/restart_httpd | 3 |
3 files changed, 4 insertions, 12 deletions
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert index d71d6e2ac..40ef7289b 100644 --- a/install/restart_scripts/renew_ra_cert +++ b/install/restart_scripts/renew_ra_cert @@ -30,7 +30,6 @@ import traceback from ipapython import ipautil from ipalib import api from ipaserver.install import certs, cainstance, krainstance -from ipaplatform import services from ipaplatform.paths import paths @@ -68,15 +67,6 @@ def _main(): shutil.rmtree(tmpdir) api.Backend.ldap2.disconnect() - # Now restart Apache so the new certificate is available - syslog.syslog(syslog.LOG_NOTICE, "Restarting httpd") - try: - services.knownservices.httpd.restart() - except Exception as e: - syslog.syslog(syslog.LOG_ERR, "Cannot restart httpd: %s" % e) - else: - syslog.syslog(syslog.LOG_NOTICE, "Restarted httpd") - def main(): try: diff --git a/install/restart_scripts/restart_dirsrv b/install/restart_scripts/restart_dirsrv index a8e78184f..72d3c544b 100644 --- a/install/restart_scripts/restart_dirsrv +++ b/install/restart_scripts/restart_dirsrv @@ -39,7 +39,8 @@ def _main(): syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted dirsrv instance '%s'" % instance) try: - services.knownservices.dirsrv.restart(instance) + if services.knownservices.dirsrv.is_running(): + services.knownservices.dirsrv.restart(instance) except Exception as e: syslog.syslog(syslog.LOG_ERR, "Cannot restart dirsrv (instance: '%s'): %s" % (instance, str(e))) diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index 50348d4ef..d16848129 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd @@ -29,7 +29,8 @@ def _main(): syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') try: - services.knownservices.httpd.restart() + if services.knownservices.httpd.is_running(): + services.knownservices.httpd.restart() except Exception as e: syslog.syslog(syslog.LOG_ERR, "Cannot restart httpd: %s" % str(e)) |
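Review bot: In restart_dirsrv's `_main()`, the notice `certmonger restarted dirsrv instance '%s'` is still written before the `try`, so it is now logged even when `is_running()` is false and no restart happens; the restart_httpd hunk has the same pattern with `'certmonger restarted httpd'`. Anyone tracing a certificate renewal through syslog would read that line as the service having picked up its new certificate. I would log the skip explicitly with an `else:` branch such as `syslog.syslog(syslog.LOG_NOTICE, "dirsrv instance '%s' is not running, restart skipped" % instance)`, and reword the leading notice to say a restart was requested. Separately, `is_running()` is called without `instance` while `restart(instance)` targets one instance; if the no-argument form reports on the dirsrv service as a whole rather than this instance (not visible here), `is_running(instance)` would be the matching check. `_main()` begins above the hunk in both files.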
