author | Florence Blanc-Renaud <flo@redhat.com> | 2016-11-10 13:14:34 +0100 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2016-11-16 09:10:01 +0100 |
commit | 198cd5fab3937fd8948bea4b4949e30db4e490a4 (patch) | |
tree | dd1c924e9b61b5fdafc63cd4ad4db0ba38a895c5 /ipaserver | |
parent | 4b3bd5424246d8386a33a73f9a98c6958823093e (diff) | |
Fix renewal lock issues on installation
- Make sure that the file /var/run/ipa/renewal.lock is deleted upon
uninstallation, in order to avoid subsequent installation issues.
- Modify certmonger renewal script: restart the http/dirsrv services
only if they were already running
- Cleanup certmonger ra renewal script: no need to restart httpd
- Reorder during http install: request the SSL cert before adding
ipa-service-guard
Rationale: when a CA helper is modified, certmonger launches the helper
with various operations (FETCH_ROOTS, ...). If the CA helper is modified
again while that run is in progress, the running helper is killed. This can
lead to ipa-service-guard being killed without releasing the renewal lock.
If the SSL cert is requested with IPA helper before ipa-service-guard is added,
we avoid this locking issue.
Part of the refactoring effort, certificates sub-effort.
https://fedorahosted.org/freeipa/ticket/6433
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/install/httpinstance.py | 4 | ||||
-rw-r--r-- | ipaserver/install/server/install.py | 9 |
2 files changed, 11 insertions, 2 deletions
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 39d43f221..4e8107e1a 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -166,11 +166,11 @@ class HTTPInstance(service.Service):
         self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
         self.step("adding URL rewriting rules", self.__add_include)
         self.step("configuring httpd", self.__configure_http)
+        self.step("setting up httpd keytab", self._request_service_keytab)
+        self.step("setting up ssl", self.__setup_ssl)
         if self.ca_is_configured:
             self.step("configure certmonger for renewals",
                       self.configure_certmonger_renewal_guard)
-        self.step("setting up httpd keytab", self._request_service_keytab)
-        self.step("setting up ssl", self.__setup_ssl)
         self.step("importing CA certificates from LDAP", self.__import_ca_certs)
         self.step("publish CA cert", self.__publish_ca_cert)
         self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 091992a27..b8a46f5c1 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -4,6 +4,7 @@
 
 from __future__ import print_function
 
+import errno
 import os
 import pickle
 import shutil
@@ -1118,6 +1119,14 @@ def uninstall(installer):
             ' # getcert stop-tracking -i <request_id>\n'
             'for each id in: %s' % ', '.join(ids))
 
+    # Remove the cert renewal lock file
+    try:
+        os.remove(paths.IPA_RENEWAL_LOCK)
+    except OSError as e:
+        if e.errno != errno.ENOENT:
+            root_logger.warning("Failed to remove file %s: %s",
+                                paths.IPA_RENEWAL_LOCK, e)
+
     print("Removing IPA client configuration")
     try:
         result = run([paths.IPA_CLIENT_INSTALL, "--on-master",
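Review bot: The new position of the "setting up ssl" step, ahead of `configure_certmonger_renewal_guard`, is load-bearing for the renewal-lock problem described in the commit message, but nothing in the code records that, so a later reordering of these steps would silently reintroduce the hang. I would add a comment above the moved `self.step("setting up ssl", self.__setup_ssl)` line such as `# Request the SSL cert before ipa-service-guard is configured: re-modifying the CA helper kills the running helper and can leave renewal.lock held (ticket 6433)`. Note that with `ca_is_configured` false the relative order of these steps is unchanged, so the guard matters only on CA-backed installs. The enclosing method starts and ends outside the hunk.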
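Review bot: Deleting `paths.IPA_RENEWAL_LOCK` unconditionally in `uninstall()` can race with a renewal helper that is still running: the context lines just above print an instruction to run `getcert stop-tracking` manually, which suggests tracking was not always stopped before this point, and if a helper still holds the lock when the file is unlinked, a subsequent helper can create and lock a fresh file while the first one still believes it is the holder (whether that matters depends on how the lock is taken, which is not visible here). Consider moving the removal to after certmonger has been stopped, or at least documenting the assumption with `# certmonger tracking is stopped above; no renewal helper should hold this lock now`. Treating only `ENOENT` as success and warning on any other `OSError` is the right shape for best-effort cleanup, and `errno` is the correct idiom here given the file still targets Python 2 (`print_function` import). `uninstall()` starts and ends outside the hunk.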