Conditionally restart certmonger after client installation

If certmonger is running prior to client installation then its
IPA CA configuration will be incomplete and missing the CA chain.

If a certificate is subsequently requested with -F to store the
CA chain in a file or NSS db it may not be available yet. A
conditional restart of certmonger will pick up the new IPA
configuration and complete the IPA CA configuration in certmonger.

A pure restart and service activation is not done since certmonger
is not required unless --request-cert was passed to ipa-client-install.

https://pagure.io/freeipa/issue/8105

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Ade Lee <alee@redhat.com>
Rob Crittenden 2019-10-25 10:20:35 -04:00
parent 1e3de17269
commit 3593e53622

@ -779,7 +779,16 @@ def configure_krb5_conf(
def configure_certmonger(
fstore, subject_base, cli_realm, hostname, options, ca_enabled):
cmonger = services.knownservices.certmonger
if not options.request_cert:
# Conditionally restart certmonger to pick up the new IPA
# configuration.
try:
cmonger.try_restart()
except Exception as e:
logger.error(
"Failed to conditionally restart the %s daemon: %s",
cmonger.service_name, str(e))
return
if not ca_enabled:
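Review bot: The `except Exception as e:` around `cmonger.try_restart()` logs at error level and then the function returns normally, so a failed restart leaves certmonger running with the incomplete IPA CA configuration while the installer carries on. Since the commit message says certmonger is optional without --request-cert, that may be intended, but then `logger.warning` would match the severity better, and the comment should say that the failure is deliberately non-fatal and that a later request with -F may still miss the CA chain. Minor: `str(e)` is redundant with the `%s` placeholder, so passing `e` directly is enough.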
@ -794,7 +803,6 @@ def configure_certmonger(
# which principal name to use when requesting certs.
certmonger.add_principal_to_cas(principal)
cmonger = services.knownservices.certmonger
try:
cmonger.enable()
cmonger.start()
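Review bot: On the --request-cert path the daemon is only brought up with `cmonger.enable()` and `cmonger.start()`, and the new `try_restart()` is not reached because it sits under `if not options.request_cert:`. If certmonger was already running before installation, a plain start would leave the existing process in place with the same stale IPA CA configuration the commit message describes. Please confirm that something on this path (for example `certmonger.add_principal_to_cas(principal)`, which only runs when a hostname is set) forces a reload, or use a restart here as well, and add a short comment stating which it is.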