diff options
author | Florence Blanc-Renaud <flo@redhat.com> | 2016-11-10 13:14:34 +0100 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2016-11-16 09:10:01 +0100 |
commit | 198cd5fab3937fd8948bea4b4949e30db4e490a4 (patch) | |
tree | dd1c924e9b61b5fdafc63cd4ad4db0ba38a895c5 /ipaserver/install/httpinstance.py | |
parent | 4b3bd5424246d8386a33a73f9a98c6958823093e (diff) | |
download | freeipa-198cd5fab3937fd8948bea4b4949e30db4e490a4.tar.gz freeipa-198cd5fab3937fd8948bea4b4949e30db4e490a4.tar.xz freeipa-198cd5fab3937fd8948bea4b4949e30db4e490a4.zip |
Fix renewal lock issues on installation
- Make sure that the file /var/run/ipa/renewal.lock is deleted upon
uninstallation, in order to avoid subsequent installation issues.
- Modify certmonger renewal script: restart the http/dirsrv services
only if they were already running
- Cleanup certmonger ra renewal script: no need to restart httpd
- Reorder during http install: request the SSL cert before adding
ipa-service-guard
Rationale: when a CA helper is modified, certmonger launches the helper
with various operations (FETCH_ROOTS, ...) If the CA helper is once again
modified, the on-going helper is killed. This can lead to
ipa-service-guard being killed and not releasing the renew lock.
If the SSL cert is requested with IPA helper before ipa-service-guard is added,
we avoid this locking issue.
Part of the refactoring effort, certificates sub-effort.
https://fedorahosted.org/freeipa/ticket/6433
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Diffstat (limited to 'ipaserver/install/httpinstance.py')
-rw-r--r-- | ipaserver/install/httpinstance.py | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 39d43f221..4e8107e1a 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -166,11 +166,11 @@ class HTTPInstance(service.Service): self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate) self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) + self.step("setting up httpd keytab", self._request_service_keytab) + self.step("setting up ssl", self.__setup_ssl) if self.ca_is_configured: self.step("configure certmonger for renewals", self.configure_certmonger_renewal_guard) - self.step("setting up httpd keytab", self._request_service_keytab) - self.step("setting up ssl", self.__setup_ssl) self.step("importing CA certificates from LDAP", self.__import_ca_certs) self.step("publish CA cert", self.__publish_ca_cert) self.step("clean up any existing httpd ccache", self.remove_httpd_ccache) |