diff options
author | Rob Crittenden <rcritten@redhat.com> | 2014-12-02 13:18:36 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2013-01-29 11:16:38 -0500 |
commit | 045b6e6ed995b4c1e5dab8dbcdf1af4896b52d19 (patch) | |
tree | ba63a832f67c4c9a8ceee62669b52dd37a853680 /install/restart_scripts/restart_pkicad | |
parent | b382a77fc393a078ebbba8000284dd9abe75a3d5 (diff) | |
download | freeipa-045b6e6ed995b4c1e5dab8dbcdf1af4896b52d19.tar.gz freeipa-045b6e6ed995b4c1e5dab8dbcdf1af4896b52d19.tar.xz freeipa-045b6e6ed995b4c1e5dab8dbcdf1af4896b52d19.zip |
Use new certmonger locking to prevent NSS database corruption.
dogtag opens its NSS database in read/write mode so we need to be very
careful during renewal that we don't also open it up read/write. We
basically need to serialize access to the database. certmonger does the
majority of this work via internal locking from the point where it generates
a new key/submits a rewewal through the pre_save and releases the lock after
the post_save command. This lock is held per NSS database so we're save
from certmonger. dogtag needs to be shutdown in the pre_save state so
certmonger can safely add the certificate and we can manipulate trust
in the post_save command.
Fix a number of bugs in renewal. The CA wasn't actually being restarted
at all due to a naming change upstream. In python we need to reference
services using python-ish names but the service is pki-cad. We need a
translation for non-Fedora systems as well.
Update the CA ou=People entry when he CA subsystem certificate is
renewed. This certificate is used as an identity certificate to bind
to the DS instance.
https://fedorahosted.org/freeipa/ticket/3292
https://fedorahosted.org/freeipa/ticket/3322
Diffstat (limited to 'install/restart_scripts/restart_pkicad')
-rw-r--r-- | install/restart_scripts/restart_pkicad | 25 |
1 files changed, 18 insertions, 7 deletions
diff --git a/install/restart_scripts/restart_pkicad b/install/restart_scripts/restart_pkicad index 0b6040a9d..a58c3f31e 100644 --- a/install/restart_scripts/restart_pkicad +++ b/install/restart_scripts/restart_pkicad @@ -35,8 +35,16 @@ configured_constants = dogtag.configured_constants(api) alias_dir = configured_constants.ALIAS_DIR dogtag_instance = configured_constants.PKI_INSTANCE_NAME -syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted %sd, nickname '%s'" % - (dogtag_instance, nickname)) +# dogtag opens its NSS database in read/write mode so we need it +# shut down so certmonger can open it read/write mode. This avoids +# database corruption. It should already be stopped by the pre-command +# but lets be sure. +if ipaservices.knownservices.pki_cad.is_running(dogtag_instance): + try: + ipaservices.knownservices.pki_cad.stop(dogtag_instance) + except Exception, e: + syslog.syslog(syslog.LOG_ERR, "Cannot stop %sd: %s" % + (dogtag_instance, str(e))) # Fix permissions on the audit cert if we're updating it if nickname == 'auditSigningCert cert-pki-ca': @@ -48,10 +56,13 @@ if nickname == 'auditSigningCert cert-pki-ca': db.run_certutil(args) try: - # I've seen times where systemd restart does not actually restart - # the process. A full stop/start is required. This works around that - ipaservices.knownservices.pki_cad.stop(dogtag_instance) - ipaservices.knownservices.pki_cad.start(dogtag_instance) + if configured_constants.DOGTAG_VERSION == 9: + ipaservices.knownservices.pki_cad.start(dogtag_instance) + else: + ipaservices.knownservices.pki_tomcatd.start(dogtag_instance) except Exception, e: - syslog.syslog(syslog.LOG_ERR, "Cannot restart %sd: %s" % + syslog.syslog(syslog.LOG_ERR, "Cannot start %sd: %s" % (dogtag_instance, str(e))) +else: + syslog.syslog(syslog.LOG_NOTICE, "certmonger started %sd, nickname '%s'" % + (dogtag_instance, nickname)) |