On Mon, Apr 02, 2012 at 03:47:20PM +0200, Martin Kosek wrote:
> On Tue, 2012-03-27 at 17:40 -0400, Rob Crittenden wrote:
> > Certmonger will currently automatically renew server certificates but
> > doesn't restart the services so you can still end up with expired
> > certificates if you services never restart.
> > This patch registers are restart command with certmonger so the IPA
> > services will automatically be restarted to get the updated cert.
> > Easy to test. Install IPA then resubmit the current server certs and
> > watch the services restart:
> > # ipa-getcert list
> > Find the ID for either your dirsrv or httpd instance
> > # ipa-getcert resubmit -i <ID>
> > Watch /var/log/httpd/error_log or /var/log/dirsrv/slapd-INSTANCE/errors
> > to see the service restart.
> What about current instances - can we/do we want to update certmonger
> tracking so that their instances are restarted as well?
You can use the not-exactly-well-named start-tracking command to add a
ipa-getcert start-tracking \
-d /etc/dirsrv/slapd-PKI-IPA -n Server-Cert \
-C "/usr/bin/logger BeenThereDoneThat"
Or use the ID, as Rob did above.
Freeipa-devel mailing list