The restart scripts tried to call knownservices.pki_cad, which did not exist, so the script failed and the PKI services were not started. Fix both the service restart procedure and the registration of the old pki-cad well-known service name.
https://fedorahosted.org/freeipa/ticket/4092 ---- Reproduction instructions are in the ticket. Martin
From 366b1cb4734e4400de9d166a5825869605589ef1 Mon Sep 17 00:00:00 2001 From: Martin Kosek <[email protected]> Date: Tue, 7 Jan 2014 13:00:14 +0100 Subject: [PATCH] PKI service restart after CA renewal failed Restart scripts tried to call knownservices.pki_cad which did not exist, the script failed and PKI services was not started. Fix both the service restart procedure and registration of old pki-cad well known service name. https://fedorahosted.org/freeipa/ticket/4092 --- install/restart_scripts/renew_ca_cert | 10 ++++++---- install/restart_scripts/restart_pkicad | 13 +++++++++---- install/restart_scripts/stop_pkicad | 10 ++++++---- ipapython/platform/base/__init__.py | 2 +- 4 files changed, 22 insertions(+), 13 deletions(-) mode change 100644 => 100755 install/restart_scripts/restart_pkicad mode change 100644 => 100755 install/restart_scripts/stop_pkicad diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert index ab394b970eaee28bc386d4d1ba737643414e2680..ed7f267818dc3adcc79a588a921e42d21e57fdf9 100644 --- a/install/restart_scripts/renew_ca_cert +++ b/install/restart_scripts/renew_ca_cert @@ -51,6 +51,11 @@ configured_constants = dogtag.configured_constants(api) alias_dir = configured_constants.ALIAS_DIR dogtag_instance = configured_constants.PKI_INSTANCE_NAME +if configured_constants.DOGTAG_VERSION == 9: + pki = ipaservices.knownservices.pki_cad +else: + pki = ipaservices.knownservices.pki_tomcatd + # Fetch the new certificate db = certs.CertDB(api.env.realm, nssdir=alias_dir) cert = db.get_cert_from_db(nickname, pem=False) 
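Review bot: The service selection added at the top of renew_ca_cert (`pki = ipaservices.knownservices.pki_cad` or `pki_tomcatd`) sits at module level, outside any `try`, so if that lookup raises, which is the failure the description reports, the script still dies with a bare traceback and nothing reaches syslog, while start and stop failures are logged at `LOG_ERR`. The same block is repeated in restart_pkicad (@@ -39,9 +39,14) and stop_pkicad (@@ -31,13 +31,15), and in restart_pkicad the `pki.is_running(dogtag_instance)` check that follows is also outside the `try`. These scripts appear to be run unattended by certmonger after a renewal, so a CA left stopped should leave a log trail: wrap the selection in a `try` whose handler is `except Exception, e:` / `syslog.syslog(syslog.LOG_ERR, "Cannot select PKI service: %s" % str(e))` / `raise`. Moving the selection into one shared helper would also keep the three copies from drifting apart.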
@@ -108,10 +113,7 @@ if nickname == 'auditSigningCert cert-pki-ca': # pre-save state. syslog.syslog(syslog.LOG_NOTICE, 'Starting %sd' % dogtag_instance) try: - if configured_constants.DOGTAG_VERSION == 9: - ipaservices.knownservices.pki_cad.start(dogtag_instance) - else: - ipaservices.knownservices.pki_tomcatd.start(dogtag_instance) + pki.start(dogtag_instance) except Exception, e: syslog.syslog(syslog.LOG_ERR, "Cannot start %sd: %s" % (dogtag_instance, str(e))) diff --git a/install/restart_scripts/restart_pkicad b/install/restart_scripts/restart_pkicad old mode 100644 new mode 100755 index a58c3f31e1bd288587842ba5fc4335c967b9405e..f228d0081b135c825f814dfd149231cacd3f8e8b --- a/install/restart_scripts/restart_pkicad +++ b/install/restart_scripts/restart_pkicad @@ -39,9 +39,14 @@ dogtag_instance = configured_constants.PKI_INSTANCE_NAME # shut down so certmonger can open it read/write mode. This avoids # database corruption. It should already be stopped by the pre-command # but lets be sure. -if ipaservices.knownservices.pki_cad.is_running(dogtag_instance): +if configured_constants.DOGTAG_VERSION == 9: + pki = ipaservices.knownservices.pki_cad +else: + pki = ipaservices.knownservices.pki_tomcatd + +if pki.is_running(dogtag_instance): try: - ipaservices.knownservices.pki_cad.stop(dogtag_instance) + pki.stop(dogtag_instance) except Exception, e: syslog.syslog(syslog.LOG_ERR, "Cannot stop %sd: %s" % (dogtag_instance, str(e))) @@ -57,9 +62,9 @@ if nickname == 'auditSigningCert cert-pki-ca': try: if configured_constants.DOGTAG_VERSION == 9: - ipaservices.knownservices.pki_cad.start(dogtag_instance) + pki.start(dogtag_instance) else: - ipaservices.knownservices.pki_tomcatd.start(dogtag_instance) + pki.start(dogtag_instance) except Exception, e: syslog.syslog(syslog.LOG_ERR, "Cannot start %sd: %s" % (dogtag_instance, str(e))) 
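Review bot: In the second restart_pkicad hunk (@@ -57,9 +62,9) both arms of `if configured_constants.DOGTAG_VERSION == 9:` now make the identical call `pki.start(dogtag_instance)`, so the conditional no longer selects anything. Collapse it to a single `pki.start(dogtag_instance)` inside the `try`, as the renew_ca_cert hunk (@@ -108,10 +113,7) already does. Leaving the dead branch in a script that restarts the CA makes it easy for a later edit to change one arm only and bring back a version-specific start path that is never exercised on the other Dogtag version.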
diff --git a/install/restart_scripts/stop_pkicad b/install/restart_scripts/stop_pkicad old mode 100644 new mode 100755 index c8589b286eefbe1c3d79e2a6dab7adfd3ff56b2a..d4cba1005beb52bc004a0295994a8559123a531a --- a/install/restart_scripts/stop_pkicad +++ b/install/restart_scripts/stop_pkicad @@ -31,13 +31,15 @@ api.finalize() configured_constants = dogtag.configured_constants(api) dogtag_instance = configured_constants.PKI_INSTANCE_NAME +if configured_constants.DOGTAG_VERSION == 9: + pki = ipaservices.knownservices.pki_cad +else: + pki = ipaservices.knownservices.pki_tomcatd + syslog.syslog(syslog.LOG_NOTICE, "certmonger stopping %sd" % dogtag_instance) try: - if configured_constants.DOGTAG_VERSION == 9: - ipaservices.knownservices.pki_cad.stop(dogtag_instance) - else: - ipaservices.knownservices.pki_tomcatd.stop(dogtag_instance) + pki.stop(dogtag_instance) except Exception, e: syslog.syslog(syslog.LOG_ERR, "Cannot stop %sd: %s" % (dogtag_instance, str(e))) diff --git a/ipapython/platform/base/__init__.py b/ipapython/platform/base/__init__.py index e2aa33faf9ccf182c778dfdbd8fd68d3686deae0..d76bc73a7d159c2dd43e281fa9916f245d88aaf3 100644 --- a/ipapython/platform/base/__init__.py +++ b/ipapython/platform/base/__init__.py @@ -27,7 +27,7 @@ wellknownservices = ['certmonger', 'dirsrv', 'httpd', 'ipa', 'krb5kdc', 'messagebus', 'nslcd', 'nscd', 'ntpd', 'portmap', 'rpcbind', 'kadmin', 'sshd', 'autofs', 'rpcgssd', - 'rpcidmapd', 'pki_tomcatd', 'pki-cad', 'chronyd'] + 'rpcidmapd', 'pki_tomcatd', 'pki_cad', 'chronyd'] # System may support more time&date services. FreeIPA supports ntpd only, other # services will be disabled during IPA installation -- 1.8.4.2
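Review bot: Nothing next to `wellknownservices` in ipapython/platform/base/__init__.py says that its entries are apparently also used as attribute names, which is how `'pki-cad'` could sit there unnoticed: the restart scripts reach the service as `ipaservices.knownservices.pki_cad`, and a hyphenated entry can never match that spelling. I would add a comment above the list such as `# Entries are looked up as attributes of knownservices: use underscores, never hyphens.` so the next addition does not repeat the mistake. Not visible in this hunk is any platform table still keyed by the old `'pki-cad'` string, for example one that maps well-known names to init-system unit names. Please confirm such tables have a `'pki_cad'` key, otherwise the Dogtag 9 service could resolve to a default unit name that does not exist. The list assignment begins above the hunk.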
