httpinstance: add start_tracking_certificates method

Configure certmonger to start tracking certificate for httpd. https://fedorahosted.org/freeipa/ticket/5586 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-02-17 15:18:17 +01:00 · 2016-02-17 15:18:17 +01:00 · 4337c4f9c4
commit 4337c4f9c4
parent 431a1a0383
2 changed files with 20 additions and 4 deletions
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@ -552,3 +552,8 @@ class HTTPInstance(service.Service):
    def stop_tracking_certificates(self):
        db = certs.CertDB(api.env.realm)
        db.untrack_server_cert(self.cert_nickname)
+
+    def start_tracking_certificates(self):
+        db = certs.CertDB(self.realm)
+        db.track_server_cert(self.cert_nickname, self.principal,
+                             db.passwd_fname, 'restart_httpd')
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@ -792,7 +792,7 @@ def named_root_key_include():
    return True


-def certificate_renewal_update(ca, ds):
+def certificate_renewal_update(ca, ds, http):
    """
    Update certmonger certificate renewal configuration.
    """
@ -856,6 +856,14 @@ def certificate_renewal_update(ca, ds):
            '%s "Server-Cert cert-pki-ca"' % (template % 'renew_ca_cert'),
            None,
        ),
+        (
+            paths.HTTPD_ALIAS_DIR,
+            'Server-Cert',
+            'IPA',
+            None,
+            template % 'restart_httpd',
+            None,
+        ),
        (
            dirsrv_dir,
            'Server-Cert',
@ -901,6 +909,7 @@ def certificate_renewal_update(ca, ds):
    # again with new configuration:
    ca.stop_tracking_certificates()
    ds.stop_tracking_certificates(serverid)
+    http.stop_tracking_certificates()

    if not sysupgrade.get_upgrade_state('dogtag',
                                        'certificate_renewal_update_1'):
@ -915,6 +924,7 @@ def certificate_renewal_update(ca, ds):
    ca.configure_agent_renewal()
    ca.track_servercert()
    ds.start_tracking_certificates(serverid)
+    http.start_tracking_certificates()

    sysupgrade.set_upgrade_state('dogtag', state, True)
    root_logger.info("Certmonger certificate renewal configuration updated to "
@ -1506,6 +1516,9 @@ def upgrade_configuration():
        fstore.restore_file(removed_sysconfig_file)

    http = httpinstance.HTTPInstance(fstore)
+    http.fqdn = fqdn
+    http.realm = api.env.realm
+    http.principal = "HTTP/%s@%s" % (http.fqdn, http.realm)
    http.configure_selinux_for_httpd()
    http.change_mod_nss_port_from_http()

@ -1544,8 +1557,6 @@ def upgrade_configuration():
             # 389-ds needs to be running
            ds.start()
            http.ldapi = True
-            http.fqdn = fqdn
-            http.realm = api.env.realm
            http.suffix = ipautil.realm_to_suffix(api.env.realm)
            http.ldap_connect()
        httpinstance.create_kdcproxy_user()
@ -1627,7 +1638,7 @@ def upgrade_configuration():
        ca_restart,
        ca_upgrade_schema(ca),
        upgrade_ca_audit_cert_validity(ca),
-        certificate_renewal_update(ca, ds),
+        certificate_renewal_update(ca, ds, http),
        ca_enable_pkix(ca),
        ca_configure_profiles_acl(ca),
    ])