On 24/02/16 15:07, Rob Crittenden wrote:
David Kupka wrote:
On 23/02/16 16:41, Rob Crittenden wrote:
David Kupka wrote:
On 23/02/16 10:14, Martin Kosek wrote:
On 02/23/2016 09:47 AM, David Kupka wrote:
On 22/02/16 16:15, Martin Kosek wrote:
On 02/22/2016 04:04 PM, Jan Cholasta wrote:
On 22.2.2016 15:56, David Kupka wrote:
On 22/02/16 07:28, Jan Cholasta wrote:
On 18.2.2016 10:10, David Kupka wrote:
On 19/01/16 16:10, David Kupka wrote:
On 19/01/16 14:38, Jan Cholasta wrote:
On 19.1.2016 14:26, Martin Kosek wrote:
On 01/19/2016 01:47 PM, David Kupka wrote:
I've polished the patch attached to #5586 by Timo Aaltonen.

Thanks for the patch. I've fixed the path in specfile and removed unused import
but otherwise it works, ACK.

https://fedorahosted.org/freeipa/ticket/5586

Won't this break existing certmonger requests depending on the old path?

It will, I don't see any upgrade code.


# getcert list | grep '/usr/lib64/ipa/certmonger'
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv RHEL72
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd




You're right it will break the upgrade. I haven't noticed that
Server-Cert for DS and HTTPD are not handled by
certificate_renewal_update (ipaserver.install.server.upgrade) where all
the other trackings are stopped and then configured again with the
paths.CERTMONGER_COMMAND_TEMPLATE already updated.

Thanks for the catch.


I've updated Timo's patch a little more and added
start_tracking_certificates() for dsinstance and httpinstance. Now the
upgrade works as expected.

The way the patches are split is kind of weird and apparently confusing
(see the other thread). IMO there should be 2 patches: the first should
add the ability to change DS and HTTP certmonger config during upgrade
(i.e. the start_tracking_certificates() methods and
certificate_renewal_update() changes), the second should move the
helpers (i.e. the actual move and certificate_renewal_update() version
bump).

Honza, do I understand it correctly that the code is OK but I did not
split it to the patches correctly?

Yes.

Before acking or pushing, can you please explain for me how the upgrade of
certmonger tracking requests work? I want to make sure this is right, so please
bear with me:

1) How does it edit existing tracking requests with the new helper paths?

2) Does it go and try to edit the requests on every upgrade? Or is there some
check that requests were updated?

Thanks,
Martin


The whole upgrade of renewal requests is done in
ipaserver/install/server/upgrade.py in certificate_renewal_upgrade().

First there is a version of the requests, and if it's the same as in the state
file the upgrade is skipped.
Then every request is searched for over certmonger's DBus interface, and if at
least one is not found it means that there was a change in request
configuration. All tracking requests are then stopped and started again with
the new configuration.

So to answer your questions:
1) By stopping the old request with the old parameters (including path) and
starting a new one with new parameters.

2) Only if the version was bumped, which happens only if some of the
requests change.

Ah, so IIUC, if you bump the version, requests should be properly updated. The
change looks fine then.


After discussion with Honza, we decided to drop the part comparing only
base names of pre- and post-save commands and use it as a whole. I've also
split the patches so it's obvious what is going on.

Patches should be applied in this order:

freeipa-dkupka-0091.0

A cert could silently fail to be tracked in
start_tracking_certificates() if no serverid can be found.

In that case it also wouldn't be stopped. The behavior is the same as in
existing stop_tracking_certificates(). Should we rather raise and stop
the upgrade? I guess not, but a warning would probably be useful. What
solution would you prefer, Rob?

I don't know all the callers of this. It may be perfectly safe to assume
that a serverid is always there, but the implication if it isn't is that
some tracking cert won't be updated properly right? That potentially
could mean no renewal.

So the consequences could be severe, I just don't know the likelihood.

In other words, a comment (# can never get here) might be perfectly
adequate.

rob



freeipa-dkupka-0087.1
freeipa-dkupka-0088.1
freeipa-tjaalton-0011.2
freeipa-dkupka-0092.0








Currently the function is called only from one place (also added in this patch) but to avoid problems in the future I made the serverid parameter mandatory.
Also I squashed the version bump into Timo's patch.

Updated patches attached. Apply in this order:

freeipa-dkupka-0091.1
freeipa-dkupka-0087.2
freeipa-dkupka-0088.2
freeipa-tjaalton-0011.3

--
David Kupka
From 51615042748a2e2b90aed797da9b4c6075664ed3 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Wed, 17 Feb 2016 15:18:04 +0100
Subject: [PATCH 2/4] dsinstance: add start_tracking_certificates method

Configure certmonger to start tracking certificate for DS.

https://fedorahosted.org/freeipa/ticket/5586
---
 ipaserver/install/dsinstance.py     |  7 +++++++
 ipaserver/install/server/upgrade.py | 19 +++++++++++++++++--
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 3d5734efe7ad0ed2ccf03120b8461db9f99aa318..5b49733dfe1f158c3db38e0f227526d2c913c519 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -968,6 +968,13 @@ class DsInstance(service.Service):
             dsdb = certs.CertDB(self.realm, nssdir=dirname)
             dsdb.untrack_server_cert(self.nickname)
 
+    def start_tracking_certificates(self, serverid):
+        dirname = config_dirname(serverid)[:-1]
+        dsdb = certs.CertDB(self.realm, nssdir=dirname)
+        dsdb.track_server_cert(self.nickname, self.principal,
+                               dsdb.passwd_fname,
+                               'restart_dirsrv %s' % serverid)
+
     # we could probably move this function into the service.Service
     # class - it's very generic - all we need is a way to get an
     # instance of a particular Service
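Review bot: In start_tracking_certificates(), `config_dirname(serverid)[:-1]` drops the last character on the assumption that it is a trailing slash; `config_dirname(serverid).rstrip('/')` would say what is meant and stay correct if the helper ever stops returning one. The method also has no docstring, and since the thread discussed what happens when no serverid is available, it is worth stating there that serverid is required and is passed through to the `restart_dirsrv` post-save command.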
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index d154d9dcb4b15bcdf6694066bc53b2026fd9c334..7de07ea7eff08e9b1451f8a1c83e9a4eec7c3b8d 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -807,7 +807,8 @@ def named_root_key_include():
     sysupgrade.set_upgrade_state('named.conf', 'root_key_updated', True)
     return True
 
-def certificate_renewal_update(ca):
+
+def certificate_renewal_update(ca, ds):
     """
     Update certmonger certificate renewal configuration.
     """
@@ -817,6 +818,8 @@ def certificate_renewal_update(ca):
     else:
         libpath = 'lib'
     template = paths.CERTMONGER_COMMAND_TEMPLATE % (libpath, '%s')
+    serverid = installutils.realm_to_serverid(api.env.realm)
+    dirsrv_dir = dsinstance.config_dirname(serverid)
 
     # bump version when requests is changed
     version = 4
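Review bot: `dirsrv_dir = dsinstance.config_dirname(serverid)` is used unmodified as the database directory in the lookup tuple, while DsInstance.start_tracking_certificates() in this same patch tracks the certificate with `config_dirname(serverid)[:-1]`. Please confirm that both forms resolve to the same value on the certmonger side; if they do not, the lookup for the new DS entry can never succeed and the "already up to date" branch becomes unreachable.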
@@ -869,6 +872,15 @@ def certificate_renewal_update(ca):
             '%s "Server-Cert cert-pki-ca"' % (template % 'renew_ca_cert'),
             None,
         ),
+        (
+            dirsrv_dir,
+            'Server-Cert',
+            'IPA',
+            None,
+            '%s %s' % (template % 'restart_dirsrv', serverid),
+            None,
+        ),
+
     )
 
     root_logger.info("[Update certmonger certificate renewal configuration to "
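Review bot: The new DS Server-Cert tuple changes `requests` while `version` stays at 4, directly under the comment "bump version when requests is changed". If the bump is deliberately deferred to the helper move in 4/4, say so in the commit message so this patch reads correctly on its own. The blank line added between the new tuple and the closing parenthesis is stray and should be dropped.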
@@ -904,6 +916,7 @@ def certificate_renewal_update(ca):
     # Ok, now we need to stop tracking, then we can start tracking them
     # again with new configuration:
     ca.stop_tracking_certificates()
+    ds.stop_tracking_certificates(serverid)
 
     if not sysupgrade.get_upgrade_state('dogtag',
                                         'certificate_renewal_update_1'):
@@ -917,6 +930,7 @@ def certificate_renewal_update(ca):
     ca.configure_renewal()
     ca.configure_agent_renewal()
     ca.track_servercert()
+    ds.start_tracking_certificates(serverid)
 
     sysupgrade.set_upgrade_state('dogtag', state, True)
     root_logger.info("Certmonger certificate renewal configuration updated to "
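Review bot: `ds.start_tracking_certificates(serverid)` runs only after ca.configure_renewal(), ca.configure_agent_renewal() and ca.track_servercert(), but the DS request has already been removed by `ds.stop_tracking_certificates(serverid)` earlier in the function. If any of the CA calls raises, the directory server certificate is left untracked and will not be renewed until a later upgrade run gets through. Consider restarting DS tracking in a try/finally, or at least logging an error that names the certificate left untracked.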
@@ -1513,6 +1527,7 @@ def upgrade_configuration():
     ds.fqdn = fqdn
     ds.realm = api.env.realm
     ds.suffix = ipautil.realm_to_suffix(api.env.realm)
+    ds.principal = "ldap/%s@%s" % (ds.fqdn, ds.realm)
 
     ds.ldap_connect()
     ds_enable_sidgen_extdom_plugins(ds)
@@ -1607,7 +1622,7 @@ def upgrade_configuration():
         ca_restart,
         ca_upgrade_schema(ca),
         upgrade_ca_audit_cert_validity(ca),
-        certificate_renewal_update(ca),
+        certificate_renewal_update(ca, ds),
         ca_enable_pkix(ca),
         ca_configure_profiles_acl(ca),
     ])
-- 
2.5.0

From 8b18d3336ffb9b8021ebc7550120c8aea22a7efa Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Wed, 17 Feb 2016 15:18:17 +0100
Subject: [PATCH 3/4] httpinstance: add start_tracking_certificates method

Configure certmonger to start tracking certificate for httpd.

https://fedorahosted.org/freeipa/ticket/5586
---
 ipaserver/install/httpinstance.py   |  5 +++++
 ipaserver/install/server/upgrade.py | 19 +++++++++++++++----
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 3b46dce82cae017328c9555c543e78b64e642c89..437016b88a7f813744d29fa37f257a744c590fd8 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -533,3 +533,8 @@ class HTTPInstance(service.Service):
     def stop_tracking_certificates(self):
         db = certs.CertDB(api.env.realm)
         db.untrack_server_cert(self.cert_nickname)
+
+    def start_tracking_certificates(self):
+        db = certs.CertDB(self.realm)
+        db.track_server_cert(self.cert_nickname, self.principal,
+                             db.passwd_fname, 'restart_httpd')
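Review bot: start_tracking_certificates() opens the database with `certs.CertDB(self.realm)` while stop_tracking_certificates() right above it uses `certs.CertDB(api.env.realm)`; use one source for the realm so the pair cannot end up pointing at different databases. The new method also depends on self.realm and self.principal having been set by the caller (upgrade.py does that in this patch), which deserves a docstring line or a check that fails loudly when either is missing.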
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 7de07ea7eff08e9b1451f8a1c83e9a4eec7c3b8d..bb61aa434fb7a26f21902a04ab53f58cde1b523b 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -808,7 +808,7 @@ def named_root_key_include():
     return True
 
 
-def certificate_renewal_update(ca, ds):
+def certificate_renewal_update(ca, ds, http):
     """
     Update certmonger certificate renewal configuration.
     """
@@ -873,6 +873,14 @@ def certificate_renewal_update(ca, ds):
             None,
         ),
         (
+            paths.HTTPD_ALIAS_DIR,
+            'Server-Cert',
+            'IPA',
+            None,
+            template % 'restart_httpd',
+            None,
+        ),
+        (
             dirsrv_dir,
             'Server-Cert',
             'IPA',
@@ -917,6 +925,7 @@ def certificate_renewal_update(ca, ds):
     # again with new configuration:
     ca.stop_tracking_certificates()
     ds.stop_tracking_certificates(serverid)
+    http.stop_tracking_certificates()
 
     if not sysupgrade.get_upgrade_state('dogtag',
                                         'certificate_renewal_update_1'):
@@ -931,6 +940,7 @@ def certificate_renewal_update(ca, ds):
     ca.configure_agent_renewal()
     ca.track_servercert()
     ds.start_tracking_certificates(serverid)
+    http.start_tracking_certificates()
 
     sysupgrade.set_upgrade_state('dogtag', state, True)
     root_logger.info("Certmonger certificate renewal configuration updated to "
@@ -1501,6 +1511,9 @@ def upgrade_configuration():
         fstore.restore_file(removed_sysconfig_file)
 
     http = httpinstance.HTTPInstance(fstore)
+    http.fqdn = fqdn
+    http.realm = api.env.realm
+    http.principal = "HTTP/%s@%s" % (http.fqdn, http.realm)
     http.configure_selinux_for_httpd()
     http.change_mod_nss_port_from_http()
 
@@ -1540,8 +1553,6 @@ def upgrade_configuration():
              # 389-ds needs to be running
             ds.start()
             http.ldapi = True
-            http.fqdn = fqdn
-            http.realm = api.env.realm
             http.suffix = ipautil.realm_to_suffix(api.env.realm)
             http.ldap_connect()
         httpinstance.create_kdcproxy_user()
@@ -1622,7 +1633,7 @@ def upgrade_configuration():
         ca_restart,
         ca_upgrade_schema(ca),
         upgrade_ca_audit_cert_validity(ca),
-        certificate_renewal_update(ca, ds),
+        certificate_renewal_update(ca, ds, http),
         ca_enable_pkix(ca),
         ca_configure_profiles_acl(ca),
     ])
-- 
2.5.0

From 930258ce27e2ec67fa883b9df4d70659dcee8621 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Tue, 23 Feb 2016 12:06:51 +0100
Subject: [PATCH 1/4] upgrade: Match whole pre/post command not just basename.

---
 ipaserver/install/server/upgrade.py | 46 ++++++++++++++++---------------------
 1 file changed, 20 insertions(+), 26 deletions(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 20379f19c652cb0b5911a4c2f1c67eae7f763379..d154d9dcb4b15bcdf6694066bc53b2026fd9c334 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -812,6 +812,12 @@ def certificate_renewal_update(ca):
     Update certmonger certificate renewal configuration.
     """
 
+    if sys.maxsize > 2**32:
+        libpath = 'lib64'
+    else:
+        libpath = 'lib'
+    template = paths.CERTMONGER_COMMAND_TEMPLATE % (libpath, '%s')
+
     # bump version when requests is changed
     version = 4
     requests = (
@@ -819,48 +825,48 @@ def certificate_renewal_update(ca):
             paths.PKI_TOMCAT_ALIAS_DIR,
             'auditSigningCert cert-pki-ca',
             'dogtag-ipa-ca-renew-agent',
-            'stop_pkicad',
-            'renew_ca_cert',
+            template % 'stop_pkicad',
+            '%s "auditSigningCert cert-pki-ca"' % (template % 'renew_ca_cert'),
             None,
         ),
         (
             paths.PKI_TOMCAT_ALIAS_DIR,
             'ocspSigningCert cert-pki-ca',
             'dogtag-ipa-ca-renew-agent',
-            'stop_pkicad',
-            'renew_ca_cert',
+            template % 'stop_pkicad',
+            '%s "ocspSigningCert cert-pki-ca"' % (template % 'renew_ca_cert'),
             None,
         ),
         (
             paths.PKI_TOMCAT_ALIAS_DIR,
             'subsystemCert cert-pki-ca',
             'dogtag-ipa-ca-renew-agent',
-            'stop_pkicad',
-            'renew_ca_cert',
+            template % 'stop_pkicad',
+            '%s "subsystemCert cert-pki-ca"' % (template % 'renew_ca_cert'),
             None,
         ),
         (
             paths.PKI_TOMCAT_ALIAS_DIR,
             'caSigningCert cert-pki-ca',
             'dogtag-ipa-ca-renew-agent',
-            'stop_pkicad',
-            'renew_ca_cert',
+            template % 'stop_pkicad',
+            '%s "caSigningCert cert-pki-ca"' % (template % 'renew_ca_cert'),
             'ipaCACertRenewal',
         ),
         (
             paths.HTTPD_ALIAS_DIR,
             'ipaCert',
             'dogtag-ipa-ca-renew-agent',
-            'renew_ra_cert_pre',
-            'renew_ra_cert',
+            template % 'renew_ra_cert_pre',
+            template % 'renew_ra_cert',
             None,
         ),
         (
             paths.PKI_TOMCAT_ALIAS_DIR,
             'Server-Cert cert-pki-ca',
             'dogtag-ipa-renew-agent',
-            'stop_pkicad',
-            'renew_ca_cert',
+            template % 'stop_pkicad',
+            '%s "Server-Cert cert-pki-ca"' % (template % 'renew_ca_cert'),
             None,
         ),
     )
@@ -883,24 +889,12 @@ def certificate_renewal_update(ca):
             'cert-nickname': nickname,
             'ca-name': ca_name,
             'template-profile': profile,
+            'cert-presave-command': pre_command,
+            'cert-postsave-command': post_command,
         }
         request_id = certmonger.get_request_id(criteria)
         if request_id is None:
             break
-
-        val = certmonger.get_request_value(request_id, 'cert-presave-command')
-        if val is not None:
-            val = val.split(' ', 1)[0]
-            val = os.path.basename(val)
-        if pre_command != val:
-            break
-
-        val = certmonger.get_request_value(request_id, 'cert-postsave-command')
-        if val is not None:
-            val = val.split(' ', 1)[0]
-            val = os.path.basename(val)
-        if post_command != val:
-            break
     else:
         sysupgrade.set_upgrade_state('dogtag', state, True)
         root_logger.info("Certmonger certificate renewal configuration is "
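Review bot: With `'cert-presave-command': pre_command` and `'cert-postsave-command': post_command` moved into the criteria, a tuple whose command is None now puts None into the lookup, where the removed code fetched the stored value and compared it against None explicitly. The DS and HTTP entries added later in this series pass None for the pre-save command, so please confirm that certmonger.get_request_id() matches a request with no command set when the criterion is None. The removed lines were also the visible users of `os.path.basename`; check whether `import os` is still needed in upgrade.py.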
-- 
2.5.0

From 646ff4c671d86baa5aa2d8bce4a2113ed3f7abe2 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen <tjaal...@ubuntu.com>
Date: Tue, 23 Feb 2016 12:10:34 +0100
Subject: [PATCH 4/4] Move freeipa certmonger helpers to libexecdir.

The scripts in this directory are simple python scripts, nothing arch-specific
in them. Having them under libexec would simplify the code a bit too, since
there would be no need to worry about lib vs lib64 (which also cause trouble
on Debian).

https://fedorahosted.org/freeipa/ticket/5586
---
 freeipa.spec.in                     |  4 ++--
 install/restart_scripts/Makefile.am |  2 +-
 ipaplatform/base/paths.py           |  2 +-
 ipapython/certmonger.py             | 13 ++-----------
 ipaserver/install/certs.py          |  6 +-----
 ipaserver/install/server/upgrade.py |  8 ++------
 6 files changed, 9 insertions(+), 26 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 961d8c38e0dd5f954bfca47e8209a5655eaacc86..c30a9fd0c4189c5b57bc4b7eaa29da99cb96a976 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1035,8 +1035,8 @@ fi
 %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
 %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
 %config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf
-%dir %{_libdir}/ipa/certmonger
-%attr(755,root,root) %{_libdir}/ipa/certmonger/*
+%dir %{_libexecdir}/ipa/certmonger
+%attr(755,root,root) %{_libexecdir}/ipa/certmonger/*
 # NOTE: systemd specific section
 %attr(644,root,root) %{_unitdir}/ipa.service
 %attr(644,root,root) %{_unitdir}/ipa-otpd.socket
diff --git a/install/restart_scripts/Makefile.am b/install/restart_scripts/Makefile.am
index c4bf8195ea85ee0a9dba53fc2581e90c18a9127d..dd949a940218641f99b4ec29e5cd3abdaad0e75a 100644
--- a/install/restart_scripts/Makefile.am
+++ b/install/restart_scripts/Makefile.am
@@ -1,6 +1,6 @@
 NULL =
 
-appdir = $(libdir)/ipa/certmonger
+appdir = $(libexecdir)/ipa/certmonger
 app_DATA =                              \
 	restart_dirsrv			\
 	restart_httpd			\
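Review bot: `appdir` now points at $(libexecdir), but the helpers are still listed under `app_DATA`, which automake installs as data files without the executable bit; the RPM only ends up correct because freeipa.spec.in forces `%attr(755,root,root)`. Since libexecdir is meant for executables and the commit message calls out Debian, switching the primary to `app_SCRIPTS` would give the right mode for every packager.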
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index ee383711a711e7467d7b09dae4278d9dc1c41f63..bdff4f3934f3250bdfef3f913631b98d55d759b6 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -149,7 +149,7 @@ class BasePathNamespace(object):
     TMP_CA_P12 = "/tmp/ca.p12"
     TMP_KRB5CC = "/tmp/krb5cc_%d"
     USR_DIR = "/usr"
-    CERTMONGER_COMMAND_TEMPLATE = "/usr/%s/ipa/certmonger/%s"
+    CERTMONGER_COMMAND_TEMPLATE = "/usr/libexec/ipa/certmonger/%s"
     PKCS12EXPORT = "/usr/bin/PKCS12Export"
     CERTUTIL = "/usr/bin/certutil"
     CHROMIUM_BROWSER = "/usr/bin/chromium-browser"
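Review bot: CERTMONGER_COMMAND_TEMPLATE hard-codes `/usr/libexec`, whereas freeipa.spec.in and Makefile.am in this patch install to %{_libexecdir} and $(libexecdir). On a platform where libexecdir is configured to something else, the commands registered with certmonger will point at a directory the helpers were not installed into, and renewal hooks will fail. Either derive the value from the build configuration or note next to this constant that platform path namespaces must override it.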
diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index f89ca0b7a1cbb9d34b0c044e30e213e7aa1c74fd..d62bdc320323608adfe0075f53484650d5595e94 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -25,7 +25,6 @@
 from __future__ import print_function
 
 import os
-import sys
 import time
 import dbus
 import shlex
@@ -491,19 +490,11 @@ def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, pre_command,
         params['KEY_PIN_FILE'] = os.path.abspath(pinfile)
     if pre_command:
         if not os.path.isabs(pre_command):
-            if sys.maxsize > 2**32:
-                libpath = 'lib64'
-            else:
-                libpath = 'lib'
-            pre_command = certmonger_cmd_template % (libpath, pre_command)
+            pre_command = certmonger_cmd_template % (pre_command)
         params['cert-presave-command'] = pre_command
     if post_command:
         if not os.path.isabs(post_command):
-            if sys.maxsize > 2**32:
-                libpath = 'lib64'
-            else:
-                libpath = 'lib'
-            post_command = certmonger_cmd_template % (libpath, post_command)
+            post_command = certmonger_cmd_template % (post_command)
         params['cert-postsave-command'] = post_command
     if profile:
         params['ca-profile'] = profile
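Review bot: In `certmonger_cmd_template % (pre_command)` and the matching post_command line, the parentheses do not make a tuple, so this is plain `template % pre_command`. Write it without the parentheses, or as `(pre_command,)`, so the intent is unambiguous.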
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index f74b76090bfe2670a998373e3c7cdc3c5727c465..c220ffdb3fea957bafc8d180da9c8c73d0cc2813 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -296,11 +296,7 @@ class CertDB(object):
         /usr/lib[64]/ipa/certmonger.
         """
         if command is not None and not os.path.isabs(command):
-            if sys.maxsize > 2**32:
-                libpath = 'lib64'
-            else:
-                libpath = 'lib'
-            command = paths.CERTMONGER_COMMAND_TEMPLATE % (libpath, command)
+            command = paths.CERTMONGER_COMMAND_TEMPLATE % (command)
         try:
             request_id = certmonger.start_tracking(nickname, self.secdir, password_file, command)
         except RuntimeError as e:
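Review bot: The docstring context line just above the change still says the command is looked up in `/usr/lib[64]/ipa/certmonger.`, which is no longer true after this patch; update it to the libexec location. This hunk also removes the visible use of `sys.maxsize` in certs.py, so check whether `import sys` can be dropped there as was done in ipapython/certmonger.py.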
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index bb61aa434fb7a26f21902a04ab53f58cde1b523b..2e4893b4318e0ac0563a7b904fd0a505335636f3 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -813,16 +813,12 @@ def certificate_renewal_update(ca, ds, http):
     Update certmonger certificate renewal configuration.
     """
 
-    if sys.maxsize > 2**32:
-        libpath = 'lib64'
-    else:
-        libpath = 'lib'
-    template = paths.CERTMONGER_COMMAND_TEMPLATE % (libpath, '%s')
+    template = paths.CERTMONGER_COMMAND_TEMPLATE
     serverid = installutils.realm_to_serverid(api.env.realm)
     dirsrv_dir = dsinstance.config_dirname(serverid)
 
     # bump version when requests is changed
-    version = 4
+    version = 5
     requests = (
         (
             paths.PKI_TOMCAT_ALIAS_DIR,
-- 
2.5.0
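
Added example (not part of the original mail or of the FreeIPA code): a post-upgrade check in the spirit of the `getcert list | grep` output quoted in the thread. It parses `getcert list` text and reports every pre-/post-save helper that still lives in an `ipa/certmonger` directory other than the new one from patch 4/4. The sample output and request IDs are constructed, and the function names are hypothetical.

```python
import posixpath
import shlex

# New helper directory, taken from CERTMONGER_COMMAND_TEMPLATE in patch 4/4.
EXPECTED_DIR = "/usr/libexec/ipa/certmonger"

# Constructed sample in the layout `getcert list` prints; request IDs are made up.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20160101000001':
\tstatus: MONITORING
\tCA: dogtag-ipa-ca-renew-agent
\tpre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
\tpost-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
Request ID '20160101000002':
\tstatus: MONITORING
\tCA: IPA
\tpre-save command:
\tpost-save command: /usr/libexec/ipa/certmonger/restart_dirsrv RHEL72
Request ID '20160101000003':
\tstatus: MONITORING
\tCA: IPA
\tpre-save command:
\tpost-save command: /usr/lib64/ipa/certmonger/restart_httpd
"""

HOOKS = ("pre-save command", "post-save command")


def parse_getcert_list(text):
    """Return {request_id: {hook_name: command_string}} for the two save hooks."""
    requests, current = {}, None
    for line in text.splitlines():
        if line.startswith("Request ID "):
            current = line.split("'")[1]
            requests[current] = {}
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            if key in HOOKS:
                requests[current][key] = value.strip()
    return requests


def stale_helpers(text, expected_dir=EXPECTED_DIR):
    """List (request_id, hook, helper) for IPA helpers outside expected_dir."""
    findings = []
    for request_id, hooks in parse_getcert_list(text).items():
        for hook, command in sorted(hooks.items()):
            if not command:
                continue  # no hook configured for this request
            # The helper is the first word; arguments such as a quoted
            # nickname or the serverid follow it.
            helper = shlex.split(command)[0]
            directory = posixpath.dirname(helper)
            if directory.endswith("/ipa/certmonger") and directory != expected_dir:
                findings.append((request_id, hook, helper))
    return findings


if __name__ == "__main__":
    for request_id, hook, helper in stale_helpers(SAMPLE):
        print("request %s: %s still uses %s" % (request_id, hook, helper))
```

An empty result after the upgrade means every tracked request was re-registered with the new helper path; any finding is a request whose renewal hook will fail once the old directory is gone.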
