authorJan Cholasta <jcholast@redhat.com>2014-01-23 15:33:26 +0100
committerPetr Viktorin <pviktori@redhat.com>2014-03-10 18:41:10 +0100
commit8e986904096925fc08df8cbdf271d722314c5460 (patch)
treead4fca6b98f049a26df5620eb7691d6a491aea3a /install/restart_scripts/renew_ra_cert
parentd727599aa804aecd91de969a9309c1903d0cfdce (diff)
Log unhandled exceptions in certificate renewal scripts.
https://fedorahosted.org/freeipa/ticket/4093 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'install/restart_scripts/renew_ra_cert')
-rw-r--r--install/restart_scripts/renew_ra_cert105
1 files changed, 56 insertions, 49 deletions
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index cb3e3683b..0d731144b 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -24,6 +24,7 @@ import shutil
import tempfile
import syslog
import time
+import traceback
from ipapython import services as ipaservices
from ipapython import ipautil
from ipaserver.install import certs
@@ -33,60 +34,66 @@ from ipapython.dn import DN
from ipalib import errors
from ipaserver.plugins.ldap2 import ldap2
-api.bootstrap(context='restart')
-api.finalize()
+def main():
+ api.bootstrap(context='restart')
+ api.finalize()
-# Fetch the new certificate
-db = certs.CertDB(api.env.realm)
-dercert = db.get_cert_from_db('ipaCert', pem=False)
+ # Fetch the new certificate
+ db = certs.CertDB(api.env.realm)
+ dercert = db.get_cert_from_db('ipaCert', pem=False)
-# Load it into dogtag
-update_people_entry('ipara', dercert)
+ # Load it into dogtag
+ update_people_entry('ipara', dercert)
-attempts = 0
-updated = False
+ attempts = 0
+ updated = False
-# Store it in the IPA LDAP server
-while attempts < 10:
- conn = None
- tmpdir = None
- try:
- tmpdir = tempfile.mkdtemp(prefix="tmp-")
- dn = DN(('cn','ipaCert'), ('cn', 'ca_renewal'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
- principal = str('host/%s@%s' % (api.env.host, api.env.realm))
- ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, principal)
- conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
- conn.connect(ccache=ccache)
+ # Store it in the IPA LDAP server
+ while attempts < 10:
+ conn = None
+ tmpdir = None
try:
- entry_attrs = conn.get_entry(dn, ['usercertificate'])
- entry_attrs['usercertificate'] = dercert
- conn.update_entry(entry_attrs)
- except errors.NotFound:
- entry_attrs = conn.make_entry(
- dn,
- objectclass=['top', 'pkiuser', 'nscontainer'],
- usercertificate=[dercert])
- conn.add_entry(entry_attrs)
- except errors.EmptyModlist:
- pass
- updated = True
- break
- except Exception, e:
- syslog.syslog(syslog.LOG_ERR, 'Updating renewal certificate failed: %s. Sleeping 30s' % e)
- time.sleep(30)
- attempts += 1
- finally:
- if conn is not None and conn.isconnected():
- conn.disconnect()
- if tmpdir is not None:
- shutil.rmtree(tmpdir)
+ tmpdir = tempfile.mkdtemp(prefix="tmp-")
+ dn = DN(('cn','ipaCert'), ('cn', 'ca_renewal'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
+ principal = str('host/%s@%s' % (api.env.host, api.env.realm))
+ ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, principal)
+ conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
+ conn.connect(ccache=ccache)
+ try:
+ entry_attrs = conn.get_entry(dn, ['usercertificate'])
+ entry_attrs['usercertificate'] = dercert
+ conn.update_entry(entry_attrs)
+ except errors.NotFound:
+ entry_attrs = conn.make_entry(
+ dn,
+ objectclass=['top', 'pkiuser', 'nscontainer'],
+ usercertificate=[dercert])
+ conn.add_entry(entry_attrs)
+ except errors.EmptyModlist:
+ pass
+ updated = True
+ break
+ except Exception, e:
+ syslog.syslog(syslog.LOG_ERR, 'Updating renewal certificate failed: %s. Sleeping 30s' % e)
+ time.sleep(30)
+ attempts += 1
+ finally:
+ if conn is not None and conn.isconnected():
+ conn.disconnect()
+ if tmpdir is not None:
+ shutil.rmtree(tmpdir)
+
+ if not updated:
+ syslog.syslog(syslog.LOG_ERR, '%s: Giving up. This script may be safely re-executed.' % sys.argv[0])
+ sys.exit(1)
-if not updated:
- syslog.syslog(syslog.LOG_ERR, '%s: Giving up. This script may be safely re-executed.' % sys.argv[0])
- sys.exit(1)
+ # Now restart Apache so the new certificate is available
+ try:
+ ipaservices.knownservices.httpd.restart()
+ except Exception, e:
+ syslog.syslog(syslog.LOG_ERR, "Cannot restart httpd: %s" % str(e))
-# Now restart Apache so the new certificate is available
try:
- ipaservices.knownservices.httpd.restart()
-except Exception, e:
- syslog.syslog(syslog.LOG_ERR, "Cannot restart httpd: %s" % str(e))
+ main()
+except Exception:
+ syslog.syslog(syslog.LOG_ERR, traceback.format_exc())
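Review bot: The new top-level `except Exception:` on the last line logs the traceback but then lets the script fall off the end, so an unexpected failure anywhere in main() (fetching the cert, update_people_entry, the LDAP write) now terminates with exit status 0 and whoever invokes this restart script sees a successful run. The explicit give-up path a few lines earlier does `sys.exit(1)` after its syslog call; the wrapper should mirror it, i.e. `syslog.syslog(syslog.LOG_ERR, traceback.format_exc())` followed by `sys.exit(1)`. Note that SystemExit raised by that inner `sys.exit(1)` is a BaseException, so the wrapper's `except Exception` will not swallow it and the non-zero status from the retry path is preserved. `traceback.format_exc()` is also multi-line, so the single syslog call may be folded or truncated by the syslog daemon; logging it line by line, or appending a one-line summary of the exception, would make the entry easier to find. I believe this hunk runs to the end of the file, but that cannot be confirmed from the page.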