As mentioned before, squashing was not appropriate, here an interdiff which
covers the relevant part of patch 29:
diff --git a/lib/client/gnt_cluster.py b/lib/client/gnt_cluster.py
index db5cabe..c6eda73 100644
--- a/lib/client/gnt_cluster.py
+++ b/lib/client/gnt_cluster.py
@@ -1121,7 +1121,7 @@ def _RenewCrypto(new_cluster_cert, new_rapi_cert, #
pylint: disable=R0911
# If the cluster certificate are renewed, the client certificates need
# to be renewed too.
if new_cluster_cert:
- RunWhileDaemonsStopped(ToStdout, [constants.WCONFD],
+ RunWhileDaemonsStopped(ToStdout, [constants.NODED, constants.WCONFD],
_RenewServerAndClientCerts)
ToStdout("All requested certificates and keys have been replaced."
On Tue, 30 Jun 2015 at 13:55 Klaus Aehlig <[email protected]> wrote:
> On Thu, Jun 25, 2015 at 05:31:58PM +0200, 'Helga Velroyen' via
> ganeti-devel wrote:
> > So far, the cluster certificate and the individual node
> > certificate could be renewed independent of each other.
> > This is no longer possible, because when renewing the
> > server certificate, all node certificates need to be
> > renewed as well, because they are signed by the server
> > certificate. This patch couples the two operations
> > together.
> >
> > Signed-off-by: Helga Velroyen <[email protected]>
> > ---
> > lib/client/gnt_cluster.py | 40 ++++++++++++++++++++++++++++++++++------
> > 1 file changed, 34 insertions(+), 6 deletions(-)
>
> > + # If the cluster certificate are renewed, the client certificates need
> > + # to be renewed too.
> > + if new_cluster_cert:
> > + RunWhileDaemonsStopped(ToStdout, [constants.WCONFD],
> > + _RenewServerAndClientCerts)
>
> Here again, just starting WConfD on its own won't work.
>
> --
> Klaus Aehlig
> Google Germany GmbH, Dienerstr. 12, 80331 Muenchen
> Registergericht und -nummer: Hamburg, HRB 86891
> Sitz der Gesellschaft: Hamburg
> Geschaeftsfuehrer: Graham Law, Christine Elizabeth Flores
>
