Hi,
the attached patches fix https://fedorahosted.org/freeipa/ticket/4803.
Note that if you want to test upgrades on a CA-less installation, you need to apply my
patch 390 as well:
https://www.redhat.com/archives/freeipa-devel/2015-January/msg00103.html.
Honza
--
Jan Cholasta
From 9b6f5f227996fd4b5fbc714c44a766311294a06a Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 6 Jan 2015 13:08:54 +
Subject: [PATCH 1/2] Restart dogtag when its server certificate is renewed
https://fedorahosted.org/freeipa/ticket/4803
---
install/tools/ipa-upgradeconfig | 6 +++---
ipaserver/install/cainstance.py | 7 ---
2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index c155e95..f4a6e0d 100755
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -779,7 +779,7 @@ def certificate_renewal_update(ca):
dogtag_constants = dogtag.configured_constants()
# bump version when requests is changed
-version = 2
+version = 3
requests = (
(
dogtag_constants.ALIAS_DIR,
@@ -825,8 +825,8 @@ def certificate_renewal_update(ca):
dogtag_constants.ALIAS_DIR,
'Server-Cert cert-pki-ca',
'dogtag-ipa-renew-agent',
-None,
-None,
+'stop_pkicad',
+'renew_ca_cert',
None,
),
)
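Review bot: The post-save command registered here for 'Server-Cert cert-pki-ca' is the bare `'renew_ca_cert'`, while the cainstance.py hunk in this same patch registers `'renew_ca_cert %s' % nickname` for the same certificate, so unless certificate_renewal_update appends the nickname when it builds the certmonger request (not visible in this hunk) a fresh install and an upgraded install end up with different post-save commands and renew_ca_cert may not learn which certificate it was invoked for. If the request tuple is passed through verbatim, the entry should carry the nickname too, e.g. `'renew_ca_cert Server-Cert cert-pki-ca',`, with the same quoting the installer uses. The version bump to 3 in the previous hunk is what makes this request be re-applied on upgrade, so the two hunks need to agree. certificate_renewal_update starts before and continues past this hunk.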
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 6b4317f..951a384 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1534,16 +1534,17 @@ class CAInstance(service.Service):
done by the renewal script, renew_ca_cert once all the subsystem
certificates are renewed.
+nickname = 'Server-Cert cert-pki-ca'
pin = self.__get_ca_pin()
try:
certmonger.dogtag_start_tracking(
ca='dogtag-ipa-renew-agent',
-nickname='Server-Cert cert-pki-ca',
+nickname=nickname,
pin=pin,
pinfile=None,
secdir=self.dogtag_constants.ALIAS_DIR,
-pre_command=None,
-post_command=None)
+pre_command='stop_pkicad',
+post_command='renew_ca_cert %s' % nickname)
except RuntimeError, e:
root_logger.error(
certmonger failed to start tracking certificate: %s % e)
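Review bot: The new post_command embeds a nickname that contains a space (`'Server-Cert cert-pki-ca'`) without any quoting, so if certmonger word-splits the pre/post-save command line before running it, renew_ca_cert will receive two arguments instead of one nickname. Quoting the substituted value, `post_command='renew_ca_cert "%s"' % nickname`, keeps it a single argument; I cannot confirm certmonger's splitting rules from this hunk, so please check them. The method this belongs to starts above the hunk (only the tail of its docstring is visible), and the pre_command/post_command names are plain script names, so they presumably resolve against certmonger's own helper directory — worth a one-line comment such as `# pre/post commands are resolved by certmonger relative to its restart-scripts directory` next to the call.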
--
2.1.0
From 2423f45bacf43c789f6eb3f392b15fbd1d5dd2c9 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Thu, 8 Jan 2015 09:06:46 +
Subject: [PATCH 2/2] Make certificate renewal process synchronized
Synchronization is achieved using a global renewal lock.
https://fedorahosted.org/freeipa/ticket/4803
---
freeipa.spec.in| 1 +
install/certmonger/Makefile.am | 1 +
.../certmonger/dogtag-ipa-ca-renew-agent-submit| 4 +-
install/certmonger/ipa-server-guard| 55 +++
install/restart_scripts/renew_ca_cert | 11 ++-
install/restart_scripts/renew_ra_cert | 11 ++-
install/restart_scripts/restart_dirsrv | 10 +-
install/restart_scripts/restart_httpd | 10 +-
install/restart_scripts/stop_pkicad| 4 +
install/tools/ipa-upgradeconfig| 3 +
ipaplatform/base/paths.py | 2 +
ipaserver/install/cainstance.py| 38
ipaserver/install/certs.py | 104 +
ipaserver/install/httpinstance.py | 42 +
14 files changed, 290 insertions(+), 6 deletions(-)
create mode 100755 install/certmonger/ipa-server-guard
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 40bad04..3175512 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -660,6 +660,7 @@ fi
%{_sbindir}/ipa-advise
%{_sbindir}/ipa-cacert-manage
%{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
+%{_libexecdir}/certmonger/ipa-server-guard
%{_libexecdir}/ipa-otpd
%dir %{_libexecdir}/ipa
%{_libexecdir}/ipa/ipa-dnskeysyncd
diff --git a/install/certmonger/Makefile.am b/install/certmonger/Makefile.am
index ef6a0a6..2dc476f 100644
--- a/install/certmonger/Makefile.am
+++ b/install/certmonger/Makefile.am
@@ -3,6 +3,7 @@ NULL =
appdir = $(libexecdir)/certmonger/
app_SCRIPTS = \
dogtag-ipa-ca-renew-agent-submit \
+ ipa-server-guard \
$(NULL)
EXTRA_DIST =\
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index c63c0c2..0bebb49 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -38,7 +38,7 @@ from ipapython.dn import DN
from ipalib import api, errors, pkcs10, x509
from ipaplatform.paths import paths
from