Re: [Freeipa-devel] [PATCH] 1048 update certificate renewal scripts

2012-09-07 Thread Rob Crittenden

Jan Cholasta wrote:

Dne 24.8.2012 23:52, Rob Crittenden napsal(a):

A couple of issues were found in the CA renewal scripts. The api wasn't
being initialized so restart_dirsrv() didn't have access to
api.env.startup_timeout()


I believe it was I who misled you into removing it when I reviewed the
original CA renewal patch. Sorry :-)



A cert was missing from our list of certs to translate into CS.cfg
directives.

rob



ACK.

Honza



pushed to master and ipa-3-0

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 1048 update certificate renewal scripts

2012-09-07 Thread Jan Cholasta

Dne 24.8.2012 23:52, Rob Crittenden napsal(a):

A couple of issues were found in the CA renewal scripts. The api wasn't
being initialized so restart_dirsrv() didn't have access to
api.env.startup_timeout()


I believe it was I who misled you into removing it when I reviewed the
original CA renewal patch. Sorry :-)




A cert was missing from our list of certs to translate into CS.cfg
directives.

rob



ACK.

Honza

--
Jan Cholasta



[Freeipa-devel] [PATCH] 1048 update certificate renewal scripts

2012-08-24 Thread Rob Crittenden
A couple of issues were found in the CA renewal scripts. The api wasn't 
being initialized so restart_dirsrv() didn't have access to 
api.env.startup_timeout()


A cert was missing from our list of certs to translate into CS.cfg 
directives.


rob
From 290cf06a41731eb5f64c7fc1faf4a804d4eba0d4 Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Fri, 8 Aug 2014 16:09:42 -0400
Subject: [PATCH] Fix some restart script issues found with certificate
 renewal.

The restart_dirsrv script wasn't initializing the api so the
startup_timeout wasn't available.

The subsystemCert cert-pki-ca definition was missing so we didn't
know which certificate to update in CS.cfg.

Add some documentation and a pause between restarts for the
renew_ca_cert script so that when the CA subsystem certs are renewed
they don't all try to restart the CA at the same time.

https://fedorahosted.org/freeipa/ticket/3006
---
 install/restart_scripts/renew_ca_cert  | 16 +++-
 install/restart_scripts/restart_dirsrv |  4 
 ipaserver/install/cainstance.py|  1 +
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index e4374eca5abf9b4526d0641058a6c94cbda0cc28..6e4d2b789712ea72bedeebfba3acc5b6fec65933 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -25,6 +25,8 @@ import shutil
 import tempfile
 import krbV
 import syslog
+import random
+import time
 from ipalib import api
 from ipapython.dn import DN
 from ipalib import errors
@@ -34,6 +36,10 @@ from ipaserver.install import certs
 from ipaserver.plugins.ldap2 import ldap2
 from ipaserver.install.cainstance import update_cert_config
 
+# This script a post-cert-install command for certmonger. When certmonger
+# has renewed a CA subsystem certificate a copy is put into the replicated
+# tree so it can be shared with the other IPA servers.
+
 nickname = sys.argv[1]
 
 api.bootstrap(context='restart')
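Review bot: the new header comment is missing its verb: "This script a post-cert-install command for certmonger" should read "This script is a post-cert-install command for certmonger". While touching it, say what argument certmonger passes, since the very next line reads it as sys.argv[1] (the certificate nickname) with no check that it is present.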
@@ -85,8 +91,16 @@ if nickname == 'auditSigningCert cert-pki-ca':
 
 update_cert_config(nickname, cert)
 
-syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted pki-cad instance pki-ca')
+syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted pki-cad instance pki-ca to renew %s' % nickname)
 
+# We monitor 3 certs that are all likely to be renewed by certmonger more or
+# less at the same time. Each cert renewal is going to need to restart
+# the CA. Add a bit of randomness in this so not all three try to start it
+# at the same time. A restart is needed for each because there is no guarantee
+# that they will all be renewed at the same time.
+pause = random.randint(10,360)
+syslog.syslog(syslog.LOG_NOTICE, 'Pausing %d seconds to restart pki-ca' % pause)
+time.sleep(pause)
 try:
 ipaservices.knownservices.pki_cad.restart('pki-ca')
 except Exception, e:
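Review bot: the syslog line "certmonger restarted pki-cad instance pki-ca to renew %s" is written before the random pause and before the ipaservices.knownservices.pki_cad.restart('pki-ca') call, so the log records a restart that has not happened yet and, if restart() raises, never happens; either move it after the try block or reword it to something like 'certmonger renewed %s, restarting pki-ca'. The random.randint(10,360) pause only lowers the odds that the three renewals restart the CA at the same moment; two helpers can still draw nearly equal values, so the comment should say this is best-effort, or the restart should be serialized with a cross-process lock so that a helper arriving while a restart is in progress waits or skips. Note also that the helper now sleeps for up to six minutes, which is visible to certmonger as a slow post-cert-install command and is worth a mention in the comment.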
diff --git a/install/restart_scripts/restart_dirsrv b/install/restart_scripts/restart_dirsrv
index d6c3f82d5c9e1cf757a461b7e4487e148881..a9bb897ba8b8e026da6f05ed32fa995c23948431 100644
--- a/install/restart_scripts/restart_dirsrv
+++ b/install/restart_scripts/restart_dirsrv
@@ -22,12 +22,16 @@
 import sys
 import syslog
 from ipapython import services as ipaservices
+from ipalib import api
 
 try:
 instance = sys.argv[1]
 except IndexError:
 instance = ""
 
+api.bootstrap(context='restart')
+api.finalize()
+
 syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted dirsrv instance '%s'" % instance)
 
 try:
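Review bot: api.bootstrap(context='restart') and api.finalize() run before the first syslog call, so if finalize() fails (for example when the IPA configuration is unreadable) the helper dies with an uncaught exception and nothing reaches syslog, which is the only place certmonger's non-interactive run leaves a trace. Wrap the two calls in a try/except that logs with syslog.syslog(syslog.LOG_ERR, ...) and exits non-zero, consistent with the try block that already guards the restart just below.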
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index b00ceeaed3b396082bd500761339fed9efbda4c1..1d953757ca5aed85869fe0bb5df6728aaa17d575 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1320,6 +1320,7 @@ def update_cert_config(nickname, cert):
 directives = {'auditSigningCert cert-pki-ca': 'ca.audit_signing.cert',
   'ocspSigningCert cert-pki-ca': 'ca.ocsp_signing.cert',
   'caSigningCert cert-pki-ca': 'ca.signing.cert',
+  'subsystemCert cert-pki-ca': 'ca.subsystem.cert',
   'Server-Cert cert-pki-ca': 'ca.sslserver.cert' }
 
 installutils.set_directive('/var/lib/%s/conf/CS.cfg' % PKI_INSTANCE_NAME,
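Review bot: the new 'subsystemCert cert-pki-ca': 'ca.subsystem.cert' entry follows the naming pattern of the other four directives. Since a missing mapping was exactly the bug being fixed and the lookup that follows is not visible in this hunk, it is worth confirming that update_cert_config() logs to syslog and fails visibly when called with a nickname absent from directives, rather than silently leaving CS.cfg with the old certificate; a one-line comment tying these nicknames to the certmonger tracking requests would also help the next reader spot a missing entry.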
-- 
1.7.11.2
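The fix in cainstance.py comes down to a nickname-to-directive table that was missing one row, and the failure mode was silent: a renewed subsystem certificate was never written back into CS.cfg. The following is an added example, not FreeIPA's code or the patch above; it models what update_cert_config() does with a stand-alone config rewriter and makes an unknown nickname fail loudly. The helper names set_directive(), update_cert_config_text(), get_directive(), the UnknownNicknameError class and the SAMPLE_CS_CFG text are all constructed for this example; only the DIRECTIVES table mirrors the patched mapping.

```python
"""Nickname-to-CS.cfg directive translation, as an added example modelled on
update_cert_config() in the patch. Not the FreeIPA implementation.

Assumptions (not from the page): set_directive() here is a stand-in for
installutils.set_directive(); UnknownNicknameError, update_cert_config_text(),
get_directive() and the sample CS.cfg text are constructed for this example.
"""

# Mapping from the certmonger nickname to the CS.cfg directive that holds the
# certificate body, as in the patched cainstance.py. The
# 'subsystemCert cert-pki-ca' row is the one the patch adds; without it a
# renewed subsystem cert was never written back to CS.cfg.
DIRECTIVES = {
    'auditSigningCert cert-pki-ca': 'ca.audit_signing.cert',
    'ocspSigningCert cert-pki-ca': 'ca.ocsp_signing.cert',
    'caSigningCert cert-pki-ca': 'ca.signing.cert',
    'subsystemCert cert-pki-ca': 'ca.subsystem.cert',
    'Server-Cert cert-pki-ca': 'ca.sslserver.cert',
}


class UnknownNicknameError(KeyError):
    """Raised when a nickname has no CS.cfg directive, so a missing table row
    surfaces instead of leaving the old certificate in place."""


def set_directive(cfg_text, directive, value):
    """Return cfg_text with `directive=value` set: an existing line is
    replaced in place (duplicates dropped), otherwise the line is appended.
    Stand-in for installutils.set_directive(), not the IPA implementation."""
    out = []
    found = False
    for line in cfg_text.splitlines():
        key, sep, _ = line.partition('=')
        if sep and key.strip() == directive:
            if not found:
                out.append('%s=%s' % (directive, value))
                found = True
            continue  # drop any further duplicate of the same directive
        out.append(line)
    if not found:
        out.append('%s=%s' % (directive, value))
    return '\n'.join(out) + '\n'


def get_directive(cfg_text, directive):
    """Return the value of `directive` in cfg_text, or None if absent."""
    for line in cfg_text.splitlines():
        key, sep, value = line.partition('=')
        if sep and key.strip() == directive:
            return value.strip()
    return None


def update_cert_config_text(nickname, cert_b64, cfg_text):
    """Write the renewed certificate body for `nickname` into the matching
    CS.cfg directive and return the new config text. Unknown nicknames raise
    rather than silently doing nothing."""
    try:
        directive = DIRECTIVES[nickname]
    except KeyError:
        raise UnknownNicknameError(nickname)
    return set_directive(cfg_text, directive, cert_b64)


# Constructed CS.cfg fragment with placeholder certificate bodies (not real
# PKI data). ca.ocsp_signing.cert is deliberately absent to show the append path.
SAMPLE_CS_CFG = (
    "ca.signing.cert=OLDCASIGNING\n"
    "ca.subsystem.cert=OLDSUBSYSTEM\n"
    "ca.sslserver.cert=OLDSERVER\n"
)

if __name__ == '__main__':
    print(update_cert_config_text('subsystemCert cert-pki-ca',
                                  'NEWSUBSYSTEM', SAMPLE_CS_CFG))
    try:
        update_cert_config_text('bogusCert cert-pki-ca', 'X', SAMPLE_CS_CFG)
    except UnknownNicknameError as e:
        print('no CS.cfg directive for nickname %s' % e)
```

Running the block rewrites only the ca.subsystem.cert line and leaves the other directives untouched; a nickname that is not in the table raises UnknownNicknameError, which is the check that would have exposed the original bug the first time certmonger renewed the subsystem certificate.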
