On 01/15/2014 11:20 AM, Alexander Bokovoy wrote:
> On Wed, 15 Jan 2014, Jan Cholasta wrote:
>> Hi,
>>
>> the attached patch should fix <https://fedorahosted.org/freeipa/ticket/4078>.
>>
>> I have also attached patch 179, which fixes a related bug in certificate
>> renewal.
> 
> NACK for this part:
>> This fixes a possible NSS database corruption in renew_ca_cert.
>> ---
>> ipaserver/install/installutils.py | 3 ---
>> 1 file changed, 3 deletions(-)
>>
>> diff --git a/ipaserver/install/installutils.py
>> b/ipaserver/install/installutils.py
>> index 67eabc2..0ba9c2e 100644
>> --- a/ipaserver/install/installutils.py
>> +++ b/ipaserver/install/installutils.py
>> @@ -820,9 +820,6 @@ def stopped_service(service, instance_name=""):
>>         root_logger.debug('Service %s%s is not running, continue.', service,
>>                           log_instance_name)
>>         yield
>> -        root_logger.debug('Starting %s%s.', service, log_instance_name)
>> -        ipaservices.knownservices[service].start(instance_name)
>> -        return
>>     else:
>>         # Stop the service, do the required stuff and start it again
>>         root_logger.debug('Stopping %s%s.', service, log_instance_name)
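Review bot: the else branch, which the hunk cuts off right after "Stop the service, do the required stuff and start it again", needs its `yield` inside a `try: ... finally:` so the restart is still attempted when the body raises; otherwise an exception in the renewal leaves the CA stopped with no "Starting" log line to tell the administrator why. Dropping the start call and the `return` from the not-running branch is the right contract for something called stopped_service (a service that was already down is left alone on exit), but that is a behaviour change for any caller that relied on the CA being started here, so the function's docstring (not in the hunk) should state explicitly that only a service that was running on entry is started again.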
> You need to wrap yield into a try: finally: block. I have a patch for a
> similar case in private_cache() a few lines above this code.
> 
>>
>> diff --git a/ipalib/constants.py b/ipalib/constants.py
>> index d3e61ca..ae08277 100644
>> --- a/ipalib/constants.py
>> +++ b/ipalib/constants.py
>> @@ -119,7 +119,7 @@ DEFAULT_CONFIG = (
>>     ('rpc_protocol', 'jsonrpc'),
>>
>>     # Time to wait for a service to start, in seconds
>> -    ('startup_timeout', 120),
>> +    ('startup_timeout', 300),
>>
>>     # Web Application mount points
>>     ('mount_ipa', '/ipa/'),
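Review bot: the comment above the changed line still says only "Time to wait for a service to start, in seconds", so 300 lands as a bare number; extend it with why the default was raised (the CA taking longer than 120 s to come up, per #4078) so nobody lowers it again later. startup_timeout is a global entry in DEFAULT_CONFIG, so every service wait gets the extra 180 s, not only the CA; if the CA is the only slow one, a per-service value or at least a note naming it as the reason would be cleaner. The longer wait also does not remove the failure mode: a CA that still is not up after 300 s fails the caller at exactly the same point as before.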
> ACK for this one.
> 


Additionally, shouldn't we make the renew_ca_cert script more robust and do the
changes in the LDAP database or certDB even if the CA does not start and times out?
(as indicated in #4078)

IMO it is much easier for administrator to just start a CA manually, but with
correct cert renewed, than figure out which part of renew procedure was not
completed.

I mean this part:

# Done within stopped_service context, CA restarted here
update_cert_config(nickname, cert) <<< should not fail there if CA did not
start, just report error and continue vvvvv

if nickname == 'subsystemCert cert-pki-ca':
    update_people_entry('pkidbuser', cert)

if nickname == 'auditSigningCert cert-pki-ca':
    # Fix trust on the audit cert

Martin
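
The pattern Martin asks for, as an added illustration that is not FreeIPA's code and not part of this thread: a stopped_service-style context manager that restarts only what it stopped and does so from a finally block, plus a renewal routine that treats a CA restart timeout as something to log and continue past, so the CS.cfg and LDAP follow-ups still run and the administrator is left with one job (start the CA) instead of a half-finished renewal to reconstruct. FakeService, ServiceStartTimeout and the dict-based `store` are constructed stand-ins for the ipaservices wrapper, the NSS database and the LDAP entries; the function and nickname names are borrowed from the snippet above for readability only, and the trust flags for the audit cert are an assumption.

```python
"""Added example, not FreeIPA's code: fail-soft service restart around a
certificate renewal.  FakeService and the dict-based `store` are constructed
stand-ins for ipaservices, the NSS database and LDAP."""

import logging
from contextlib import contextmanager

log = logging.getLogger("renew_example")


class ServiceStartTimeout(Exception):
    """Raised by FakeService.start() when the service does not come up in time."""


class FakeService:
    """Constructed stand-in for an init-script wrapper (not ipaservices)."""

    def __init__(self, name, running=True, start_succeeds=True):
        self.name = name
        self.running = running
        self.start_succeeds = start_succeeds
        self.events = []  # records stop/start calls so a test can inspect them

    def is_running(self):
        return self.running

    def stop(self):
        self.events.append("stop")
        self.running = False

    def start(self):
        self.events.append("start")
        if not self.start_succeeds:
            raise ServiceStartTimeout("%s did not start within startup_timeout" % self.name)
        self.running = True


@contextmanager
def stopped_service(service):
    """Keep `service` stopped while the body runs.

    A service that was not running on entry is left alone (no start on exit).
    A service that was running is restarted from a finally block, so the
    restart is attempted even if the body raises.  A start failure (timeout)
    propagates out of the `with` statement only after the body has finished.
    """
    if not service.is_running():
        log.debug("Service %s is not running, continue.", service.name)
        yield
        return
    log.debug("Stopping %s.", service.name)
    service.stop()
    try:
        yield
    finally:
        log.debug("Starting %s.", service.name)
        service.start()


def renew_ca_cert(service, nickname, cert, store):
    """Sketch of a fail-soft renewal.  Returns (updated_keys, start_error).

    The follow-up updates (CS.cfg, the pkidbuser LDAP entry, the audit cert
    trust flags) do not need the CA process to be up, so a restart timeout is
    recorded and reported instead of aborting the procedure half-way.
    """
    start_error = None
    try:
        with stopped_service(service):
            # The only step that needs the CA down: writing the new cert
            # into the (constructed) certDB.
            store["certdb:" + nickname] = cert
    except ServiceStartTimeout as e:
        # The certificate is already in place; keep going and surface the
        # error at the end so the admin knows to start the CA by hand.
        log.error("CA did not start after renewal, continuing: %s", e)
        start_error = e

    updated = ["certdb:" + nickname]
    store["CS.cfg:" + nickname] = cert          # stands in for update_cert_config
    updated.append("CS.cfg:" + nickname)
    if nickname == "subsystemCert cert-pki-ca":
        store["ldap:uid=pkidbuser"] = cert      # stands in for update_people_entry
        updated.append("ldap:uid=pkidbuser")
    if nickname == "auditSigningCert cert-pki-ca":
        store["trust:" + nickname] = "u,u,Pu"   # trust flags assumed for illustration
        updated.append("trust:" + nickname)
    return updated, start_error


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    ca = FakeService("pki-tomcatd", running=True, start_succeeds=False)
    db = {}
    done, err = renew_ca_cert(ca, "subsystemCert cert-pki-ca", "NEWCERT", db)
    print("updated:", done)
    print("deferred error:", err)
```

The caller should still turn a non-None `start_error` into a non-zero exit status and a clear message, so the failure is not silently swallowed; the point is only that every state change that can be completed without the CA running is completed before that exit.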

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel