Diffstat (limited to 'install/restart_scripts')
-rw-r--r--install/restart_scripts/renew_ca_cert50
1 files changed, 38 insertions, 12 deletions
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 69d79338d..3814b816a 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -97,21 +97,47 @@ def main():
syslog.LOG_ERR,
"Updating trust on certificate %s failed in %s" %
(nickname, db.secdir))
- elif nickname == 'caSigningCert cert-pki-ca' and ca.is_renewal_master():
- # Update CA certificate in LDAP
- try:
- conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
- conn.connect(ccache=ccache)
+ elif nickname == 'caSigningCert cert-pki-ca':
+ # Update CS.cfg
+ cfg_path = configured_constants.CS_CFG_PATH
+ config = installutils.get_directive(
+ cfg_path, 'subsystem.select', '=')
+ if config == 'New':
+ syslog.syslog(syslog.LOG_NOTICE, "Updating CS.cfg")
+ if x509.is_self_signed(cert, x509.DER):
+ installutils.set_directive(
+ cfg_path, 'hierarchy.select', 'Root',
+ quotes=False, separator='=')
+ installutils.set_directive(
+ cfg_path, 'subsystem.count', '1',
+ quotes=False, separator='=')
+ else:
+ installutils.set_directive(
+ cfg_path, 'hierarchy.select', 'Subordinate',
+ quotes=False, separator='=')
+ installutils.set_directive(
+ cfg_path, 'subsystem.count', '0',
+ quotes=False, separator='=')
+ else:
+ syslog.syslog(syslog.LOG_NOTICE, "Not updating CS.cfg")
+ # Update CA certificate in LDAP
+ if ca.is_renewal_master():
try:
- certstore.update_ca_cert(conn, api.env.basedn, cert)
- except errors.EmptyModlist:
- pass
+ conn = ldap2(shared_instance=False,
+ ldap_uri=api.env.ldap_uri)
+ conn.connect(ccache=ccache)
- conn.disconnect()
- except Exception, e:
- syslog.syslog(
- syslog.LOG_ERR, "Updating CA certificate failed: %s" % e)
+ try:
+ certstore.update_ca_cert(conn, api.env.basedn, cert)
+ except errors.EmptyModlist:
+ pass
+
+ conn.disconnect()
+ except Exception, e:
+ syslog.syslog(
+ syslog.LOG_ERR,
+ "Updating CA certificate failed: %s" % e)
finally:
shutil.rmtree(tmpdir)
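Review bot: The new CS.cfg block under `elif nickname == 'caSigningCert cert-pki-ca':` calls `installutils.get_directive` and `installutils.set_directive` with no error handling of its own, unlike the LDAP update below it, which logs failures to syslog. As far as the hunk shows, an error while reading or rewriting CS.cfg would propagate before `if ca.is_renewal_master():` is reached, so on the renewal master the renewed CA certificate would not be published to LDAP and nothing would be logged about why. Consider wrapping the CS.cfg update in its own `try:` with `except Exception, e: syslog.syslog(syslog.LOG_ERR, "Updating CS.cfg failed: %s" % e)`, so the LDAP step still runs. The two `set_directive` calls in each branch look like separate writes, so a failure between them could leave `hierarchy.select` and `subsystem.count` disagreeing; a short comment stating that the pair must change together would help the next maintainer. main() and the `try` that owns the trailing `finally:` start outside the hunk, and the page has lost indentation, so the outer handling is inferred rather than visible.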