Use new certmonger locking to prevent NSS database corruption.

dogtag opens its NSS database in read/write mode so we need to be very
careful during renewal that we don't also open it up read/write. We
basically need to serialize access to the database. certmonger does the
majority of this work via internal locking from the point where it generates
a new key/submits a rewewal through the pre_save and releases the lock after
the post_save command. This lock is held per NSS database so we're save
from certmonger. dogtag needs to be shutdown in the pre_save state so
certmonger can safely add the certificate and we can manipulate trust
in the post_save command.

Fix a number of bugs in renewal. The CA wasn't actually being restarted
at all due to a naming change upstream. In python we need to reference
services using python-ish names but the service is pki-cad. We need a
translation for non-Fedora systems as well.

Update the CA ou=People entry when he CA subsystem certificate is
renewed. This certificate is used as an identity certificate to bind
to the DS instance.

https://fedorahosted.org/freeipa/ticket/3292
https://fedorahosted.org/freeipa/ticket/3322

9 files changed, 274 insertions, 100 deletions

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 189c7b922..d875183e6 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -112,7 +112,7 @@ Requires: python-memcached
 Requires: systemd-units >= 36-3
 Requires(pre): systemd-units
 Requires(post): systemd-units
-Requires: selinux-policy >= 3.11.1-60
+Requires: selinux-policy >= 3.11.1-71
 Requires(post): selinux-policy-base
 Requires: slapi-nis >= 0.44
 Requires: pki-ca >= 10.0.0-0.54.b3
@@ -769,6 +769,12 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
+* Tue Jan 29 2013 Rob Crittenden <rcritten@redhat.com> - 3.0.99-13
+- Set certmonger minimum version to 0.65 for NSS locking during
+  renewal
+- Set selinux-policy to 3.11.1-73 so certmonger can run in post
+  scriptlet
+
 * Thu Jan 24 2013 Rob Crittenden <rcritten@redhat.com> - 3.0.99-12
 - Add certmonger condrestart to server post scriptlet
 - Make certmonger a (pre) Requires on the server subpackage
diff --git a/install/restart_scripts/Makefile.am b/install/restart_scripts/Makefile.am
index 210c4863e..fc45ecc88 100644
--- a/install/restart_scripts/Makefile.am
+++ b/install/restart_scripts/Makefile.am
@@ -7,6 +7,7 @@ app_DATA =                              \
 	restart_pkicad			\
 	renew_ca_cert			\
 	renew_ra_cert			\
+	stop_pkicad			\
 	$(NULL)
 
 EXTRA_DIST =                            \
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 5317835fc..b7e4ebaae 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -34,8 +34,10 @@ from ipapython import services as ipaservices
 from ipapython import ipautil
 from ipapython import dogtag
 from ipaserver.install import certs
+from ipaserver.install.cainstance import update_people_entry
 from ipaserver.plugins.ldap2 import ldap2
 from ipaserver.install.cainstance import update_cert_config
+from ipapython import certmonger
 
 # This script a post-cert-install command for certmonger. When certmonger
 # has renewed a CA subsystem certificate a copy is put into the replicated
@@ -82,8 +84,13 @@ except Exception, e:
 finally:
     shutil.rmtree(tmpdir)
 
-# Fix permissions on the audit cert if we're updating it
+update_cert_config(nickname, cert)
+
+if nickname == 'subsystemCert cert-pki-ca':
+    update_people_entry('pkidbuser', cert)
+
 if nickname == 'auditSigningCert cert-pki-ca':
+    # Fix trust on the audit cert
     db = certs.CertDB(api.env.realm, nssdir=alias_dir)
     args = ['-M',
             '-n', nickname,
@@ -91,25 +98,20 @@ if nickname == 'auditSigningCert cert-pki-ca':
            ]
     try:
         db.run_certutil(args)
+        syslog.syslog(syslog.LOG_NOTICE, 'Updated trust on certificate %s in %s' % (nickname, db.secdir))
     except ipautil.CalledProcessError:
-        syslog.syslog(syslog.LOG_ERR, 'Updating trust on certificate %s failed in %s' % (nickname, db.secdir))
-
-update_cert_config(nickname, cert)
-
-syslog.syslog(
-    syslog.LOG_NOTICE, 'certmonger restarted %sd instance %s to renew %s' %
-        (dogtag_instance, dogtag_instance, nickname))
+         syslog.syslog(syslog.LOG_ERR, 'Updating trust on certificate %s failed in %s' % (nickname, db.secdir))
 
-# We monitor 3 certs that are all likely to be renewed by certmonger more or
-# less at the same time. Each cert renewal is going to need to restart
-# the CA. Add a bit of randomness in this so not all three try to start it
-# at the same time. A restart is needed for each because there is no guarantee
-# that they will all be renewed at the same time.
-pause = random.randint(10,360)
-syslog.syslog(syslog.LOG_NOTICE, 'Pausing %d seconds to restart pki-ca' % pause)
-time.sleep(pause)
+# Now we can start the CA. Using the ipaservices start should fire
+# off the servlet to verify that the CA is actually up and responding so
+# when this returns it should be good-to-go. The CA was stopped in the
+# pre-save state.
+syslog.syslog(syslog.LOG_NOTICE, 'Starting %sd' % dogtag_instance)
 try:
-    ipaservices.knownservices.pki_cad.restart(dogtag_instance)
+    if configured_constants.DOGTAG_VERSION == 9:
+        ipaservices.knownservices.pki_cad.start(dogtag_instance)
+    else:
+        ipaservices.knownservices.pki_tomcatd.start(dogtag_instance)
 except Exception, e:
-    syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" %
+    syslog.syslog(syslog.LOG_ERR, "Cannot start %sd: %s" %
                   (dogtag_instance, str(e)))
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index 1f359062b..a70ba5c1a 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -25,13 +25,11 @@ import tempfile
 import syslog
 import time
 from ipapython import services as ipaservices
-from ipapython.certmonger import get_pin
 from ipapython import ipautil
 from ipaserver.install import certs
-from ipaserver.install.cainstance import DEFAULT_DSPORT
+from ipaserver.install.cainstance import update_people_entry
 from ipalib import api
 from ipapython.dn import DN
-from ipalib import x509
 from ipalib import errors
 from ipaserver.plugins.ldap2 import ldap2
 import ldap as _ldap
@@ -41,52 +39,10 @@ api.finalize()
 
 # Fetch the new certificate
 db = certs.CertDB(api.env.realm)
-cert = db.get_cert_from_db('ipaCert', pem=False)
-serial_number = x509.get_serial_number(cert, datatype=x509.DER)
-subject = x509.get_subject(cert, datatype=x509.DER)
-issuer = x509.get_issuer(cert, datatype=x509.DER)
+dercert = db.get_cert_from_db('ipaCert', pem=False)
 
 # Load it into dogtag
-dn = DN(('uid','ipara'),('ou','People'),('o','ipaca'))
-
-try:
-    dm_password = get_pin('internaldb')
-except IOError, e:
-    syslog.syslog(syslog.LOG_ERR, 'Unable to determine PIN for CA instance: %s' % e)
-    sys.exit(1)
-
-attempts = 0
-dogtag_uri='ldap://localhost:%d' % DEFAULT_DSPORT
-updated = False
-
-while attempts < 10:
-    conn = None
-    try:
-        conn = ldap2(shared_instance=False, ldap_uri=dogtag_uri)
-        conn.connect(bind_dn=DN(('cn', 'directory manager')), bind_pw=dm_password)
-        (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'], normalize=False)
-        entry_attrs['usercertificate'].append(cert)
-        entry_attrs['description'] = '2;%d;%s;%s' % (serial_number, issuer, subject)
-        conn.update_entry(dn, entry_attrs, normalize=False)
-        updated = True
-        break
-    except errors.NetworkError:
-        syslog.syslog(syslog.LOG_ERR, 'Connection to %s failed, sleeping 30s' % dogtag_uri)
-        time.sleep(30)
-        attempts += 1
-    except errors.EmptyModlist:
-        updated = True
-        break
-    except Exception, e:
-        syslog.syslog(syslog.LOG_ERR, 'Updating agent entry failed: %s' % e)
-        break
-    finally:
-        if conn.isconnected():
-            conn.disconnect()
-
-if not updated:
-    syslog.syslog(syslog.LOG_ERR, '%s: Giving up. This script may be safely re-executed.' % sys.argv[0])
-    sys.exit(1)
+update_people_entry('ipara', dercert)
 
 attempts = 0
 updated = False
@@ -104,11 +60,11 @@ while attempts < 10:
         conn.connect(ccache=ccache)
         try:
             (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'])
-            entry_attrs['usercertificate'] = cert
+            entry_attrs['usercertificate'] = dercert
             conn.update_entry(dn, entry_attrs, normalize=False)
         except errors.NotFound:
             entry_attrs = dict(objectclass=['top', 'pkiuser', 'nscontainer'],
-                                            usercertificate=cert)
+                                            usercertificate=dercert)
             conn.add_entry(dn, entry_attrs, normalize=False)
         except errors.EmptyModlist:
             pass
diff --git a/install/restart_scripts/restart_pkicad b/install/restart_scripts/restart_pkicad
index 0b6040a9d..a58c3f31e 100644
--- a/install/restart_scripts/restart_pkicad
+++ b/install/restart_scripts/restart_pkicad
@@ -35,8 +35,16 @@ configured_constants = dogtag.configured_constants(api)
 alias_dir = configured_constants.ALIAS_DIR
 dogtag_instance = configured_constants.PKI_INSTANCE_NAME
 
-syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted %sd, nickname '%s'" %
-              (dogtag_instance, nickname))
+# dogtag opens its NSS database in read/write mode so we need it
+# shut down so certmonger can open it read/write mode. This avoids
+# database corruption. It should already be stopped by the pre-command
+# but lets be sure.
+if ipaservices.knownservices.pki_cad.is_running(dogtag_instance):
+    try:
+        ipaservices.knownservices.pki_cad.stop(dogtag_instance)
+    except Exception, e:
+        syslog.syslog(syslog.LOG_ERR, "Cannot stop %sd: %s" %
+                      (dogtag_instance, str(e)))
 
 # Fix permissions on the audit cert if we're updating it
 if nickname == 'auditSigningCert cert-pki-ca':
@@ -48,10 +56,13 @@ if nickname == 'auditSigningCert cert-pki-ca':
     db.run_certutil(args)
 
 try:
-    # I've seen times where systemd restart does not actually restart
-    # the process. A full stop/start is required. This works around that
-    ipaservices.knownservices.pki_cad.stop(dogtag_instance)
-    ipaservices.knownservices.pki_cad.start(dogtag_instance)
+    if configured_constants.DOGTAG_VERSION == 9:
+        ipaservices.knownservices.pki_cad.start(dogtag_instance)
+    else:
+        ipaservices.knownservices.pki_tomcatd.start(dogtag_instance)
 except Exception, e:
-    syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" %
+    syslog.syslog(syslog.LOG_ERR, "Cannot start %sd: %s" %
                   (dogtag_instance, str(e)))
+else:
+    syslog.syslog(syslog.LOG_NOTICE, "certmonger started %sd, nickname '%s'" %
+                  (dogtag_instance, nickname))
diff --git a/install/restart_scripts/stop_pkicad b/install/restart_scripts/stop_pkicad
new file mode 100644
index 000000000..f023b1bb9
--- /dev/null
+++ b/install/restart_scripts/stop_pkicad
@@ -0,0 +1,43 @@
+#!/usr/bin/python -E
+#
+# Authors:
+#   Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2012  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import sys
+import syslog
+from ipapython import services as ipaservices
+from ipapython import dogtag
+from ipalib import api
+
+api.bootstrap(context='restart')
+api.finalize()
+
+configured_constants = dogtag.configured_constants(api)
+dogtag_instance = configured_constants.PKI_INSTANCE_NAME
+
+syslog.syslog(syslog.LOG_NOTICE, "certmonger stopping %sd" % dogtag_instance)
+
+try:
+    if configured_constants.DOGTAG_VERSION == 9:
+        ipaservices.knownservices.pki_cad.start(dogtag_instance)
+    else:
+        ipaservices.knownservices.pki_tomcatd.start(dogtag_instance)
+except Exception, e:
+    syslog.syslog(syslog.LOG_ERR, "Cannot stop %sd: %s" %
+                  (dogtag_instance, str(e)))
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index f672bbd8c..8ec6248b3 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -493,6 +493,53 @@ def enable_certificate_renewal(ca):
 
     return False
 
+def certificate_renewal_stop_ca(ca):
+    """
+    Validate the certmonger configuration on certificates that already
+    have renewal configured.
+
+    As of certmonger 0.65 it now does locking from the point where it
+    generates the CSR to the end of the post-command. This is to ensure
+    that only one certmonger renewal, and hopefully, one process at a
+    time holds the NSS database open in read/write.
+    """
+    root_logger.info('[Certificate renewal should stop the CA]')
+    if not ca.is_configured():
+        root_logger.info('CA is not configured')
+        return False
+
+    nss_dir = dogtag.configured_constants().ALIAS_DIR
+    # Using the nickname find the certmonger request_id
+    criteria = (('cert_storage_location', nss_dir, certmonger.NPATH),('cert_nickname', 'auditSigningCert cert-pki-ca', None))
+    id = certmonger.get_request_id(criteria)
+    if id is None:
+        root_logger.error('Unable to find certmonger request ID for auditSigning Cert')
+        return False
+
+    if sysupgrade.get_upgrade_state('dogtag', 'stop_ca_during_renewal'):
+        return False
+
+    # State not set, lets see if we are already configured
+    pre_command = certmonger.get_request_value(id, 'pre_certsave_command')
+    if pre_command is not None:
+        if pre_command.strip().endswith('stop_pkicad'):
+            root_logger.info('Already configured to stop CA')
+            return False
+
+    # Ok, now we need to stop tracking, then we can start tracking them
+    # again with new configuration:
+    cainstance.stop_tracking_certificates(dogtag.configured_constants())
+    if ca.is_master():
+        ca.configure_renewal()
+    else:
+        ca.configure_certmonger_renewal()
+        ca.configure_clone_renewal()
+        ca.configure_agent_renewal()
+    ca.track_servercert()
+    sysupgrade.set_upgrade_state('dogtag', 'stop_ca_during_renewal', True)
+    root_logger.debug('CA subsystem certificate renewal configured to stop the CA')
+    return True
+
 def copy_crl_file(old_path, new_path=None):
     """
     Copy CRL to new location, update permissions and SELinux context
@@ -711,7 +758,12 @@ def main():
             bind.restart()
         except ipautil.CalledProcessError, e:
             root_logger.error("Failed to restart %s: %s", bind.service_name, e)
-    ca_restart = ca_restart or enable_certificate_renewal(ca) or upgrade_ipa_profile(ca, api.env.domain, fqdn)
+    ca_restart = any([
+        ca_restart,
+        enable_certificate_renewal(ca),
+        upgrade_ipa_profile(ca, api.env.domain, fqdn),
+        certificate_renewal_stop_ca(ca),
+    ])
 
     if ca_restart:
         root_logger.info('pki-ca configuration changed, restart pki-ca')
diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index f29050ea9..d347c2aeb 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -261,7 +261,7 @@ def stop_tracking(secdir, request_id=None, nickname=None):
             # Fall back to trying to stop tracking using nickname
             pass
 
-    args = ['/usr/bin/ipa-getcert',
+    args = ['/usr/bin/getcert',
             'stop-tracking',
     ]
     if request_id:
@@ -368,7 +368,8 @@ def get_pin(token, dogtag_constants=None):
                 return pin.strip()
     return None
 
-def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, command):
+def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, pre_command,
+                          post_command):
     """
     Tell certmonger to start tracking a dogtag CA certificate. These
     are handled differently because their renewal must be done directly
@@ -377,7 +378,10 @@ def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, command):
     This uses the generic certmonger command getcert so we can specify
     a different helper.
 
-    command is the script to execute.
+    pre_command is the script to execute before a renewal is done.
+    post_command is the script to execute after a renewal is done.
+
+    Both commands can be None.
 
     Returns the stdout, stderr and returncode from running ipa-getcert
 
@@ -386,20 +390,32 @@ def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, command):
     if not cert_exists(nickname, os.path.abspath(secdir)):
         raise RuntimeError('Nickname "%s" doesn\'t exist in NSS database "%s"' % (nickname, secdir))
 
-    if command is not None and not os.path.isabs(command):
-        if sys.maxsize > 2**32:
-            libpath = 'lib64'
-        else:
-            libpath = 'lib'
-        command = '/usr/%s/ipa/certmonger/%s' % (libpath, command)
-
     args = ["/usr/bin/getcert", "start-tracking",
             "-d", os.path.abspath(secdir),
             "-n", nickname,
             "-c", ca,
-            "-C", command,
            ]
 
+    if pre_command is not None:
+        if not os.path.isabs(pre_command):
+            if sys.maxsize > 2**32:
+                libpath = 'lib64'
+            else:
+                libpath = 'lib'
+            pre_command = '/usr/%s/ipa/certmonger/%s' % (libpath, pre_command)
+        args.append("-B")
+        args.append(pre_command)
+
+    if post_command is not None:
+        if not os.path.isabs(post_command):
+            if sys.maxsize > 2**32:
+                libpath = 'lib64'
+            else:
+                libpath = 'lib'
+            post_command = '/usr/%s/ipa/certmonger/%s' % (libpath, post_command)
+        args.append("-C")
+        args.append(post_command)
+
     if pinfile:
         args.append("-p")
         args.append(pinfile)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 3d028a6ac..a5cfc6fb3 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -35,11 +35,13 @@ import urllib
 import xml.dom.minidom
 import stat
 import socket
+import syslog
 import ConfigParser
 from ipapython import dogtag
 from ipapython.certdb import get_ca_nickname
 from ipapython import certmonger
 from ipalib import pkcs10, x509
+from ipalib import errors
 from ipapython.dn import DN
 import subprocess
 import traceback
@@ -1048,7 +1050,11 @@ class CAInstance(service.Service):
 
         On upgrades this needs to be called from ipa-upgradeconfig.
         """
-        certmonger.dogtag_start_tracking('dogtag-ipa-retrieve-agent-submit', 'ipaCert', None, '/etc/httpd/alias/pwdfile.txt', '/etc/httpd/alias', 'restart_httpd')
+        try:
+            certmonger.dogtag_start_tracking('dogtag-ipa-retrieve-agent-submit', 'ipaCert', None, '/etc/httpd/alias/pwdfile.txt', '/etc/httpd/alias', None, 'restart_httpd')
+        except (ipautil.CalledProcessError, RuntimeError), e:
+            root_logger.error(
+                "certmonger failed to start tracking certificate: %s" % str(e))
 
     def __configure_ra(self):
         # Create an RA user in the CA LDAP server and add that user to
@@ -1534,11 +1540,19 @@ class CAInstance(service.Service):
                 'Unable to determine PIN for CA instance: %s' % str(e))
 
     def track_servercert(self):
+        """
+        Specifically do not tell certmonger to restart the CA. This will be
+        done by the renewal script, renew_ca_cert once all the subsystem
+        certificates are renewed.
+        """
         pin = self.__get_ca_pin()
-        certmonger.dogtag_start_tracking(
-            'dogtag-ipa-renew-agent', 'Server-Cert cert-pki-ca', pin, None,
-            self.dogtag_constants.ALIAS_DIR,
-            'restart_pkicad "Server-Cert cert-pki-ca"')
+        try:
+            certmonger.dogtag_start_tracking(
+                'dogtag-ipa-renew-agent', 'Server-Cert cert-pki-ca', pin, None,
+                self.dogtag_constants.ALIAS_DIR, None, None)
+        except (ipautil.CalledProcessError, RuntimeError), e:
+            root_logger.error(
+                "certmonger failed to start tracking certificate: %s" % str(e))
 
     def configure_renewal(self):
         cmonger = ipaservices.knownservices.certmonger
@@ -1552,12 +1566,20 @@ class CAInstance(service.Service):
         for nickname in ['auditSigningCert cert-pki-ca',
                          'ocspSigningCert cert-pki-ca',
                          'subsystemCert cert-pki-ca']:
-            certmonger.dogtag_start_tracking(
-                'dogtag-ipa-renew-agent', nickname, pin, None,
-                self.dogtag_constants.ALIAS_DIR, 'renew_ca_cert "%s"' % nickname)
+            try:
+                certmonger.dogtag_start_tracking(
+                    'dogtag-ipa-renew-agent', nickname, pin, None,
+                    self.dogtag_constants.ALIAS_DIR, 'stop_pkicad', 'renew_ca_cert "%s"' % nickname)
+            except (ipautil.CalledProcessError, RuntimeError), e:
+                root_logger.error(
+                    "certmonger failed to start tracking certificate: %s" % str(e))
 
         # Set up the agent cert for renewal
-        certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', 'ipaCert', None, '/etc/httpd/alias/pwdfile.txt', '/etc/httpd/alias', 'renew_ra_cert')
+        try:
+            certmonger.dogtag_start_tracking('dogtag-ipa-renew-agent', 'ipaCert', None, '/etc/httpd/alias/pwdfile.txt', '/etc/httpd/alias', None, 'renew_ra_cert')
+        except (ipautil.CalledProcessError, RuntimeError), e:
+                root_logger.error(
+                    "certmonger failed to start tracking certificate: %s" % str(e))
 
     def configure_certmonger_renewal(self):
         """
@@ -1595,10 +1617,14 @@ class CAInstance(service.Service):
         for nickname in ['auditSigningCert cert-pki-ca',
                          'ocspSigningCert cert-pki-ca',
                          'subsystemCert cert-pki-ca']:
-            certmonger.dogtag_start_tracking(
-                'dogtag-ipa-retrieve-agent-submit', nickname, pin, None,
-                self.dogtag_constants.ALIAS_DIR,
-                'restart_pkicad "%s"' % nickname)
+            try:
+                certmonger.dogtag_start_tracking(
+                    'dogtag-ipa-retrieve-agent-submit', nickname, pin, None,
+                    self.dogtag_constants.ALIAS_DIR, 'stop_pkicad',
+                    'restart_pkicad "%s"' % nickname)
+            except (ipautil.CalledProcessError, RuntimeError), e:
+                    root_logger.error(
+                        "certmonger failed to start tracking certificate: %s" % str(e))
 
         # The agent renewal is configured in import_ra_cert which is called
         # after the HTTP instance is created.
@@ -1861,6 +1887,67 @@ def update_cert_config(nickname, cert):
                                 base64.b64encode(cert),
                                 quotes=False, separator='=')
 
+def update_people_entry(uid, dercert):
+    """
+    Update the userCerticate for an entry in the dogtag ou=People. This
+    is needed when a certificate is renewed.
+
+    uid: uid of user to update
+    dercert: An X509.3 certificate in DER format
+
+    Logging is done via syslog
+
+    Returns True or False
+    """
+    dn = DN(('uid',uid),('ou','People'),('o','ipaca'))
+    serial_number = x509.get_serial_number(dercert, datatype=x509.DER)
+    subject = x509.get_subject(dercert, datatype=x509.DER)
+    issuer = x509.get_issuer(dercert, datatype=x509.DER)
+
+    attempts = 0
+    dogtag_uri='ldap://localhost:%d' % DEFAULT_DSPORT
+    updated = False
+
+    try:
+        dm_password = certmonger.get_pin('internaldb')
+    except IOError, e:
+        syslog.syslog(syslog.LOG_ERR, 'Unable to determine PIN for CA instance: %s' % e)
+        return False
+
+    while attempts < 10:
+        conn = None
+        try:
+            conn = ldap2.ldap2(shared_instance=False, ldap_uri=dogtag_uri)
+            conn.connect(bind_dn=DN(('cn', 'directory manager')),
+                bind_pw=dm_password)
+            (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'],
+                normalize=False)
+            entry_attrs['usercertificate'].append(dercert)
+            entry_attrs['description'] = '2;%d;%s;%s' % (serial_number, issuer,
+                subject)
+            conn.update_entry(dn, entry_attrs, normalize=False)
+            updated = True
+            break
+        except errors.NetworkError:
+            syslog.syslog(syslog.LOG_ERR, 'Connection to %s failed, sleeping 30s' % dogtag_uri)
+            time.sleep(30)
+            attempts += 1
+        except errors.EmptyModlist:
+            updated = True
+            break
+        except Exception, e:
+            syslog.syslog(syslog.LOG_ERR, 'Updating %s entry failed: %s' % (str(dn), e))
+            break
+        finally:
+            if conn.isconnected():
+                conn.disconnect()
+
+    if not updated:
+        syslog.syslog(syslog.LOG_ERR, 'Update failed.')
+        return False
+
+    return True
+
 if __name__ == "__main__":
     standard_logging_setup("install.log")
     if not dogtag.install_constants.SHARED_DB: