Hi, the attached patch fixes <https://fedorahosted.org/freeipa/ticket/5436>.
Honza -- Jan Cholasta
From d3f532e6a21731216f6593fe368a114d4c60e411 Mon Sep 17 00:00:00 2001 From: Jan Cholasta <jchol...@redhat.com> Date: Mon, 9 Nov 2015 10:53:02 +0100 Subject: [PATCH] cert renewal: make renewal of ipaCert atomic This prevents errors when renewing other certificates during the renewal of ipaCert. https://fedorahosted.org/freeipa/ticket/5436 --- install/restart_scripts/Makefile.am | 1 + install/restart_scripts/renew_ra_cert | 4 +++- install/restart_scripts/renew_ra_cert_pre | 18 ++++++++++++++++++ ipaserver/install/cainstance.py | 2 +- ipaserver/install/server/upgrade.py | 4 ++-- 5 files changed, 25 insertions(+), 4 deletions(-) create mode 100755 install/restart_scripts/renew_ra_cert_pre diff --git a/install/restart_scripts/Makefile.am b/install/restart_scripts/Makefile.am index 58057aa..c4bf819 100644 --- a/install/restart_scripts/Makefile.am +++ b/install/restart_scripts/Makefile.am @@ -7,6 +7,7 @@ app_DATA = \ renew_ca_cert \ renew_ra_cert \ stop_pkicad \ + renew_ra_cert_pre \ $(NULL) EXTRA_DIST = \ diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert index cf770a9..102e8c6 100644 --- a/install/restart_scripts/renew_ra_cert +++ b/install/restart_scripts/renew_ra_cert @@ -77,8 +77,10 @@ def _main(): def main(): - with certs.renewal_lock: + try: _main() + finally: + certs.renewal_lock.release('renew_ra_cert') try: diff --git a/install/restart_scripts/renew_ra_cert_pre b/install/restart_scripts/renew_ra_cert_pre new file mode 100755 index 0000000..d0f743c --- /dev/null +++ b/install/restart_scripts/renew_ra_cert_pre @@ -0,0 +1,18 @@ +#!/usr/bin/python2 -E +# +# Copyright (C) 2015 FreeIPA Contributors see COPYING for license +# + +import syslog +import traceback + +from ipaserver.install import certs + + +def main(): + certs.renewal_lock.acquire('renew_ra_cert') + +try: + main() +except Exception: + syslog.syslog(syslog.LOG_ERR, traceback.format_exc()) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 23fdf30..1cbc0d0 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1339,7 +1339,7 @@ class CAInstance(DogtagInstance): pin=None, pinfile=paths.ALIAS_PWDFILE_TXT, secdir=paths.HTTPD_ALIAS_DIR, - pre_command=None, + pre_command='renew_ra_cert_pre', post_command='renew_ra_cert') except RuntimeError as e: self.log.error( diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 4337995..b9621a3 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -806,7 +806,7 @@ def certificate_renewal_update(ca): dogtag_constants = dogtag.configured_constants() # bump version when requests is changed - version = 3 + version = 4 requests = ( ( dogtag_constants.ALIAS_DIR, @@ -844,7 +844,7 @@ def certificate_renewal_update(ca): paths.HTTPD_ALIAS_DIR, 'ipaCert', 'dogtag-ipa-ca-renew-agent', - None, + 'renew_ra_cert_pre', 'renew_ra_cert', None, ), -- 2.4.3
From 09ab23ea3fce5d4f4534f5ade951b0cb35228323 Mon Sep 17 00:00:00 2001 From: Jan Cholasta <jchol...@redhat.com> Date: Mon, 9 Nov 2015 10:53:02 +0100 Subject: [PATCH] cert renewal: make renewal of ipaCert atomic This prevents errors when renewing other certificates during the renewal of ipaCert. https://fedorahosted.org/freeipa/ticket/5436 --- install/restart_scripts/Makefile.am | 1 + install/restart_scripts/renew_ra_cert | 4 +++- install/restart_scripts/renew_ra_cert_pre | 18 ++++++++++++++++++ ipaserver/install/cainstance.py | 2 +- ipaserver/install/server/upgrade.py | 4 ++-- 5 files changed, 25 insertions(+), 4 deletions(-) create mode 100755 install/restart_scripts/renew_ra_cert_pre diff --git a/install/restart_scripts/Makefile.am b/install/restart_scripts/Makefile.am index 58057aa..c4bf819 100644 --- a/install/restart_scripts/Makefile.am +++ b/install/restart_scripts/Makefile.am @@ -7,6 +7,7 @@ app_DATA = \ renew_ca_cert \ renew_ra_cert \ stop_pkicad \ + renew_ra_cert_pre \ $(NULL) EXTRA_DIST = \ diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert index 3a36f73..f4b193f 100644 --- a/install/restart_scripts/renew_ra_cert +++ b/install/restart_scripts/renew_ra_cert @@ -77,8 +77,10 @@ def _main(): def main(): - with certs.renewal_lock: + try: _main() + finally: + certs.renewal_lock.release('renew_ra_cert') try: diff --git a/install/restart_scripts/renew_ra_cert_pre b/install/restart_scripts/renew_ra_cert_pre new file mode 100755 index 0000000..d0f743c --- /dev/null +++ b/install/restart_scripts/renew_ra_cert_pre @@ -0,0 +1,18 @@ +#!/usr/bin/python2 -E +# +# Copyright (C) 2015 FreeIPA Contributors see COPYING for license +# + +import syslog +import traceback + +from ipaserver.install import certs + + +def main(): + certs.renewal_lock.acquire('renew_ra_cert') + +try: + main() +except Exception: + syslog.syslog(syslog.LOG_ERR, traceback.format_exc()) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index dfe023c..d230c9b 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1305,7 +1305,7 @@ class CAInstance(DogtagInstance): pin=None, pinfile=paths.ALIAS_PWDFILE_TXT, secdir=paths.HTTPD_ALIAS_DIR, - pre_command=None, + pre_command='renew_ra_cert_pre', post_command='renew_ra_cert') except RuntimeError, e: self.log.error( diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index e0a45a0..c8f744c 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -799,7 +799,7 @@ def certificate_renewal_update(ca): dogtag_constants = dogtag.configured_constants() # bump version when requests is changed - version = 3 + version = 4 requests = ( ( dogtag_constants.ALIAS_DIR, @@ -837,7 +837,7 @@ def certificate_renewal_update(ca): paths.HTTPD_ALIAS_DIR, 'ipaCert', 'dogtag-ipa-ca-renew-agent', - None, + 'renew_ra_cert_pre', 'renew_ra_cert', None, ), -- 2.4.3
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code