On Tue, 2012-03-27 at 17:40 -0400, Rob Crittenden wrote:
> Certmonger will currently automatically renew server certificates but
> doesn't restart the services, so you can still end up with expired
> certificates if your services never restart.
>
> This patch registers a restart command with certmonger so the IPA
> services will automatically be restarted to get the updated cert.
>
> Easy to test. Install IPA then resubmit the current server certs and
> watch the services restart:
>
> # ipa-getcert list
>
> Find the ID for either your dirsrv or httpd instance
>
> # ipa-getcert resubmit -i <ID>
>
> Watch /var/log/httpd/error_log or /var/log/dirsrv/slapd-INSTANCE/errors
> to see the service restart.
>
> rob
What about current instances - can we/do we want to update certmonger tracking so that their instances are restarted as well?

Anyway, I found a few SELinux issues with the patch:

1)
# rpm -Uvh freeipa-*
Preparing...                ########################################### [100%]
   1:freeipa-python         ########################################### [ 20%]
   2:freeipa-client         ########################################### [ 40%]
   3:freeipa-admintools     ########################################### [ 60%]
   4:freeipa-server         ########################################### [ 80%]
/usr/bin/chcon: failed to change context of `/usr/lib64/ipa/certmonger' to `unconfined_u:object_r:certmonger_unconfined_exec_t:s0': Invalid argument
/usr/bin/chcon: failed to change context of `/usr/lib64/ipa/certmonger/restart_dirsrv' to `unconfined_u:object_r:certmonger_unconfined_exec_t:s0': Invalid argument
/usr/bin/chcon: failed to change context of `/usr/lib64/ipa/certmonger/restart_httpd' to `unconfined_u:object_r:certmonger_unconfined_exec_t:s0': Invalid argument
warning: %post(freeipa-server-2.1.90GIT5b895af-0.fc16.x86_64) scriptlet failed, exit status 1
   5:freeipa-server-selinux ########################################### [100%]

The certmonger_unconfined_exec_t type was unknown with my selinux policy:
selinux-policy-3.10.0-80.fc16.noarch
selinux-policy-targeted-3.10.0-80.fc16.noarch

If we need a higher SELinux version, we should bump the required package version in the spec file.

2) Change of SELinux context with /usr/bin/chcon is temporary until restorecon or a system relabel occurs. I think we should make it persistent and enforce this type in our SELinux policy, and rather call restorecon instead of chcon.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
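Martin's second point (a chcon label survives only until the next restorecon or relabel) as an added shell example; this is not code from the thread or from FreeIPA's spec file. It assumes the Fedora SELinux userland (semanage, restorecon, matchpathcon) and GNU stat; the directory and type are the ones from the thread, the helper names are my own.

```shell
#!/bin/sh
# Added example, not FreeIPA code. Assumes semanage, restorecon,
# matchpathcon and GNU stat are installed; path/type are from the thread.
set -u

CERTMONGER_DIR=/usr/lib64/ipa/certmonger
CERTMONGER_TYPE=certmonger_unconfined_exec_t

# Print the type field of an SELinux context (user:role:type:level).
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed if two contexts agree on the type. Only the type is compared:
# chcon stamps whatever user it is given (unconfined_u in the patch) while
# file_contexts defaults to system_u, and that difference is harmless.
context_matches_policy() {
    [ "$(selinux_type "$1")" = "$(selinux_type "$2")" ]
}

# Report every file under DIR whose on-disk context disagrees with what the
# loaded policy would assign on relabel, i.e. a label that restorecon or a
# full relabel would silently revert. Returns 1 if any drift was found.
check_dir() {
    dir=$1; drift=0
    for f in "$dir" "$dir"/*; do
        actual=$(stat -c %C "$f")
        expected=$(matchpathcon -n "$f")
        if ! context_matches_policy "$actual" "$expected"; then
            echo "drift: $f is $actual, policy says $expected"
            drift=1
        fi
    done
    return $drift
}

# Persistent alternative to chcon: record the mapping in the local policy
# store, then let restorecon apply it. semanage validates the type, so an
# unknown type fails here instead of as chcon's "Invalid argument" in %post.
label_persistently() {
    dir=$1; type=$2
    semanage fcontext -a -t "$type" "${dir}(/.*)?" &&
    restorecon -RvF "$dir"
}

case "${1:-}" in
    check) check_dir "$CERTMONGER_DIR" ;;
    fix)   label_persistently "$CERTMONGER_DIR" "$CERTMONGER_TYPE" ;;
esac
```

Run with `check` after an rpm upgrade to see whether the chcon labels match policy, and with `fix` to replace them with a file_contexts rule that survives relabels.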