On Mon, Apr 02, 2012 at 03:47:20PM +0200, Martin Kosek wrote:
> On Tue, 2012-03-27 at 17:40 -0400, Rob Crittenden wrote:
> > Certmonger will currently automatically renew server certificates but
> > doesn't restart the services so you can still end up with expired
> > certificates if your services never restart.
> >
> > This patch registers a restart command with certmonger so the IPA
> > services will automatically be restarted to get the updated cert.
> >
> > Easy to test. Install IPA then resubmit the current server certs and
> > watch the services restart:
> >
> > # ipa-getcert list
> >
> > Find the ID for either your dirsrv or httpd instance
> >
> > # ipa-getcert resubmit -i <ID>
> >
> > Watch /var/log/httpd/error_log or /var/log/dirsrv/slapd-INSTANCE/errors
> > to see the service restart.
>
> What about current instances - can we/do we want to update certmonger
> tracking so that their instances are restarted as well?

You can use the not-exactly-well-named start-tracking command to add a
post-save command:

  ipa-getcert start-tracking \
    -d /etc/dirsrv/slapd-PKI-IPA -n Server-Cert \
    -C "/usr/bin/logger BeenThereDoneThat"

Or use the ID, as Rob did above.

HTH,

Nalin
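
Added example, not part of the original message or of the IPA patch: a dry-run planner for the existing-instances case discussed above. It reads `ipa-getcert list` output and prints a start-tracking command for each request that has no post-save command yet. The "Request ID" / "post-save command:" line layout, the sample listing, and the RESTART_CMD placeholder path are assumptions.

```shell
#!/bin/sh
# Dry run only: prints the commands for review, changes nothing.
# RESTART_CMD is a placeholder (assumption), not a path taken from the patch.
RESTART_CMD="${RESTART_CMD:-/path/to/restart-helper}"

# Constructed sample of `ipa-getcert list` output (layout is an assumption).
sample_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20120402000001':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert'
    post-save command:
Request ID '20120402000002':
    status: MONITORING
    post-save command: /usr/bin/logger BeenThereDoneThat
EOF
}

# Read a listing on stdin; emit one command per request whose post-save
# command is empty or missing. Requests that already have one are skipped
# so an existing hook is never overwritten.
plan_post_save() {
    awk -F"'" -v cmd="$RESTART_CMD" '
        function emit() {
            if (id != "" && post == "")
                printf "ipa-getcert start-tracking -i %s -C \"%s\"\n", id, cmd
        }
        /^Request ID / {
            emit()          # close out the previous request
            id = $2         # text between the single quotes
            post = ""
            next
        }
        /^[ \t]*post-save command:/ {
            post = $0
            sub(/^[ \t]*post-save command:[ \t]*/, "", post)
        }
        END { emit() }
    '
}

# Real use (as root): ipa-getcert list | plan_post_save
```

Review the printed commands before running them, since certmonger will execute whatever is registered after each renewal.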