Log unhandled exceptions in certificate renewal scripts.

https://fedorahosted.org/freeipa/ticket/4093 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2025-02-25 18:55:28 -06:00 · 2014-01-23 15:33:26 +01:00
parent d727599aa8
commit 8e98690409
7 changed files with 268 additions and 217 deletions
--- a/install/restart_scripts/restart_pkicad
+++ b/install/restart_scripts/restart_pkicad
@@ -21,54 +21,61 @@

 import sys
 import syslog
+import traceback
 from ipapython import services as ipaservices
 from ipapython import dogtag
 from ipaserver.install import certs
 from ipalib import api

-nickname = sys.argv[1]
+def main():
+    nickname = sys.argv[1]

-api.bootstrap(context='restart')
-api.finalize()
+    api.bootstrap(context='restart')
+    api.finalize()

-configured_constants = dogtag.configured_constants(api)
-alias_dir = configured_constants.ALIAS_DIR
-dogtag_service = ipaservices.knownservices[configured_constants.SERVICE_NAME]
-dogtag_instance = configured_constants.PKI_INSTANCE_NAME
+    configured_constants = dogtag.configured_constants(api)
+    alias_dir = configured_constants.ALIAS_DIR
+    dogtag_service = ipaservices.knownservices[configured_constants.SERVICE_NAME]
+    dogtag_instance = configured_constants.PKI_INSTANCE_NAME

-# dogtag opens its NSS database in read/write mode so we need it
-# shut down so certmonger can open it read/write mode. This avoids
-# database corruption. It should already be stopped by the pre-command
-# but lets be sure.
-if dogtag_service.is_running(dogtag_instance):
-    syslog.syslog(
-        syslog.LOG_NOTICE, "Stopping %s" % dogtag_service.service_name)
+    # dogtag opens its NSS database in read/write mode so we need it
+    # shut down so certmonger can open it read/write mode. This avoids
+    # database corruption. It should already be stopped by the pre-command
+    # but lets be sure.
+    if dogtag_service.is_running(dogtag_instance):
+        syslog.syslog(
+            syslog.LOG_NOTICE, "Stopping %s" % dogtag_service.service_name)
+        try:
+            dogtag_service.stop(dogtag_instance)
+        except Exception, e:
+            syslog.syslog(
+                syslog.LOG_ERR,
+                "Cannot stop %s: %s" % (dogtag_service.service_name, e))
+        else:
+            syslog.syslog(
+                syslog.LOG_NOTICE, "Stopped %s" % dogtag_service.service_name)
+
+    # Fix permissions on the audit cert if we're updating it
+    if nickname == 'auditSigningCert cert-pki-ca':
+        db = certs.CertDB(api.env.realm, nssdir=alias_dir)
+        args = ['-M',
+                '-n', nickname,
+                '-t', 'u,u,Pu',
+               ]
+        db.run_certutil(args)
+
+    syslog.syslog(syslog.LOG_NOTICE, 'Starting %s' % dogtag_service.service_name)
    try:
-        dogtag_service.stop(dogtag_instance)
+        dogtag_service.start(dogtag_instance)
    except Exception, e:
        syslog.syslog(
            syslog.LOG_ERR,
-            "Cannot stop %s: %s" % (dogtag_service.service_name, e))
+            "Cannot start %s: %s" % (dogtag_service.service_name, e))
    else:
        syslog.syslog(
-            syslog.LOG_NOTICE, "Stopped %s" % dogtag_service.service_name)
+            syslog.LOG_NOTICE, "Started %s" % dogtag_service.service_name)

-# Fix permissions on the audit cert if we're updating it
-if nickname == 'auditSigningCert cert-pki-ca':
-    db = certs.CertDB(api.env.realm, nssdir=alias_dir)
-    args = ['-M',
-            '-n', nickname,
-            '-t', 'u,u,Pu',
-           ]
-    db.run_certutil(args)
-
-syslog.syslog(syslog.LOG_NOTICE, 'Starting %s' % dogtag_service.service_name)
 try:
-    dogtag_service.start(dogtag_instance)
-except Exception, e:
-    syslog.syslog(
-        syslog.LOG_ERR,
-        "Cannot start %s: %s" % (dogtag_service.service_name, e))
-else:
-    syslog.syslog(
-        syslog.LOG_NOTICE, "Started %s" % dogtag_service.service_name)
+    main()
+except Exception:
+    syslog.syslog(syslog.LOG_ERR, traceback.format_exc())