URL: https://github.com/freeipa/freeipa/pull/229 Author: flo-renaud Title: #229: Remove the renewal lock file upon uninstall Action: synchronized
To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/229/head:pr229 git checkout pr229
From 88d1855844cf54763bcc9b5528f6f3ed12b8fcce Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Thu, 10 Nov 2016 13:14:34 +0100
Subject: [PATCH] Fix renewal lock issues on installation
- Make sure that the file /var/run/ipa/renewal.lock is deleted upon uninstallation, in order to avoid subsequent installation issues.
- Increase the timeout when waiting for certmonger to issue certs
- Configure certmonger presave and postsave commands after obtaining the certificates (otherwise certmonger may call for instance restart_httpd while httpd configuration is not complete).
Part of the refactoring effort, certificates sub-effort.
https://fedorahosted.org/freeipa/ticket/6433
---
ipapython/certmonger.py | 31 +++++++++++++++++--------------
ipaserver/install/server/install.py | 6 ++++++
2 files changed, 23 insertions(+), 14 deletions(-)
diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index 6f0948a..f644d95 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -307,17 +307,30 @@ def request_and_wait_for_cert(
 The method also waits for the certificate to be available.
 """
 reqId = request_cert(nssdb, nickname, subject, principal,
- passwd_fname, dns, ca, profile,
- pre_command, post_command)
- state = wait_for_request(reqId, timeout=60)
+ passwd_fname, dns, ca, profile)
+ state = wait_for_request(reqId, timeout=180)
 ca_error = get_request_value(reqId, 'ca-error')
 if state != 'MONITORING' or ca_error:
 raise RuntimeError("Certificate issuance failed")
+
+ # Add presave and postsave commands
+ # This is not done earlier to avoid running the cmds
+ # during the initial request
+ certmonger_cmd_template = paths.CERTMONGER_COMMAND_TEMPLATE
+ if pre_command:
+ if not os.path.isabs(pre_command):
+ pre_command = certmonger_cmd_template % (pre_command)
+ add_request_value(reqId, 'cert-presave-command', pre_command)
+ if post_command:
+ if not os.path.isabs(post_command):
+ post_command = certmonger_cmd_template % (post_command)
+ add_request_value(reqId, 'cert-postsave-command', post_command)
+
 return reqId
 def request_cert(
 nssdb, nickname, subject, principal, passwd_fname=None,
- dns=None, ca='IPA', profile=None, pre_command=None, post_command=None):
+ dns=None, ca='IPA', profile=None):
 """
 Execute certmonger to request a server certificate.
@@ -342,16 +355,6 @@ def request_cert(
 if profile:
 request_parameters['ca-profile'] = profile
- certmonger_cmd_template = paths.CERTMONGER_COMMAND_TEMPLATE
- if pre_command:
- if not os.path.isabs(pre_command):
- pre_command = certmonger_cmd_template % (pre_command)
- request_parameters['cert-presave-command'] = pre_command
- if post_command:
- if not os.path.isabs(post_command):
- post_command = certmonger_cmd_template % (post_command)
- request_parameters['cert-postsave-command'] = post_command
-
 result = cm.obj_if.add_request(request_parameters)
 try:
 if result[0]:
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index ff99e78..acdd72b 100644
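Review bot: In the block added after the `RuntimeError` check in `request_and_wait_for_cert`, a failure of either `add_request_value` call is not handled, so the function can raise after the certificate has been issued and tracking has started, presumably leaving a tracked request with no presave/postsave command and no `reqId` returned to clean it up; `add_request_value` is defined outside this hunk, so confirm how it reports errors. These values become commands that certmonger runs before and after saving a certificate, so I would state the trust assumption next to them, `# pre_command/post_command are run by certmonger: pass only fixed, installer-defined names or paths`, and make the interpolation an explicit tuple, `certmonger_cmd_template % (pre_command,)`. The same hunk drops `pre_command` and `post_command` from the `request_cert` signature, which turns any remaining caller that passes them into a `TypeError`; callers are not visible here.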
--- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -1130,6 +1130,12 @@ def uninstall(installer): ' # getcert stop-tracking -i <request_id>\n' 'for each id in: %s' % ', '.join(ids)) + # Remove the cert renewal lock file + try: + os.remove(paths.IPA_RENEWAL_LOCK) + except Exception: + pass + print("Removing IPA client configuration") try: result = run([paths.IPA_CLIENT_INSTALL, "--on-master",
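Review bot: The added `except Exception: pass` around `os.remove(paths.IPA_RENEWAL_LOCK)` hides every failure, including the permission or path errors that would leave the lock file behind, which is the condition the commit message says breaks the next installation. Only a missing file is expected here, so catch `OSError` and stay silent for `ENOENT` alone: `except OSError as e:` followed by `if e.errno != errno.ENOENT:` and a warning through the logger this module already uses. Whether `errno` is imported in install.py is not visible in the hunk, and `uninstall` continues outside it.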