PKI service restart after CA renewal failed

Fix both the service restart procedure and registration of old
pki-cad well known service name.

This patch was adapted from original patch of Jan Cholasta 178 to
fix ticket 4092.

https://fedorahosted.org/freeipa/ticket/4092

install/restart_scripts/renew_ca_cert

@@ -49,6 +49,7 @@ api.finalize()
 
 configured_constants = dogtag.configured_constants(api)
 alias_dir = configured_constants.ALIAS_DIR
+dogtag_service = ipaservices.knownservices[configured_constants.SERVICE_NAME]
 dogtag_instance = configured_constants.PKI_INSTANCE_NAME
 
 # Fetch the new certificate
@@ -106,12 +107,13 @@ if nickname == 'auditSigningCert cert-pki-ca':
 # off the servlet to verify that the CA is actually up and responding so
 # when this returns it should be good-to-go. The CA was stopped in the
 # pre-save state.
-syslog.syslog(syslog.LOG_NOTICE, 'Starting %sd' % dogtag_instance)
+syslog.syslog(syslog.LOG_NOTICE, 'Starting %s' % dogtag_service.service_name)
 try:
-    if configured_constants.DOGTAG_VERSION == 9:
+    dogtag_service.start(dogtag_instance)
-        ipaservices.knownservices.pki_cad.start(dogtag_instance)
-    else:
-        ipaservices.knownservices.pki_tomcatd.start(dogtag_instance)
 except Exception, e:
-    syslog.syslog(syslog.LOG_ERR, "Cannot start %sd: %s" %
+    syslog.syslog(
-                  (dogtag_instance, str(e)))
+        syslog.LOG_ERR,
+        "Cannot start %s: %s" % (dogtag_service.service_name, e))
+else:
+    syslog.syslog(
+        syslog.LOG_NOTICE, "Started %s" % dogtag_service.service_name)

install/restart_scripts/restart_pkicad

@@ -33,18 +33,25 @@ api.finalize()
 
 configured_constants = dogtag.configured_constants(api)
 alias_dir = configured_constants.ALIAS_DIR
+dogtag_service = ipaservices.knownservices[configured_constants.SERVICE_NAME]
 dogtag_instance = configured_constants.PKI_INSTANCE_NAME
 
 # dogtag opens its NSS database in read/write mode so we need it
 # shut down so certmonger can open it read/write mode. This avoids
 # database corruption. It should already be stopped by the pre-command
 # but lets be sure.
-if ipaservices.knownservices.pki_cad.is_running(dogtag_instance):
+if dogtag_service.is_running(dogtag_instance):
+    syslog.syslog(
+        syslog.LOG_NOTICE, "Stopping %s" % dogtag_service.service_name)
     try:
-        ipaservices.knownservices.pki_cad.stop(dogtag_instance)
+        dogtag_service.stop(dogtag_instance)
     except Exception, e:
-        syslog.syslog(syslog.LOG_ERR, "Cannot stop %sd: %s" %
+        syslog.syslog(
-                      (dogtag_instance, str(e)))
+            syslog.LOG_ERR,
+            "Cannot stop %s: %s" % (dogtag_service.service_name, e))
+    else:
+        syslog.syslog(
+            syslog.LOG_NOTICE, "Stopped %s" % dogtag_service.service_name)
 
 # Fix permissions on the audit cert if we're updating it
 if nickname == 'auditSigningCert cert-pki-ca':
@@ -55,14 +62,13 @@ if nickname == 'auditSigningCert cert-pki-ca':
            ]
     db.run_certutil(args)
 
+syslog.syslog(syslog.LOG_NOTICE, 'Starting %s' % dogtag_service.service_name)
 try:
-    if configured_constants.DOGTAG_VERSION == 9:
+    dogtag_service.start(dogtag_instance)
-        ipaservices.knownservices.pki_cad.start(dogtag_instance)
-    else:
-        ipaservices.knownservices.pki_tomcatd.start(dogtag_instance)
 except Exception, e:
-    syslog.syslog(syslog.LOG_ERR, "Cannot start %sd: %s" %
+    syslog.syslog(
-                  (dogtag_instance, str(e)))
+        syslog.LOG_ERR,
+        "Cannot start %s: %s" % (dogtag_service.service_name, e))
 else:
-    syslog.syslog(syslog.LOG_NOTICE, "certmonger started %sd, nickname '%s'" %
+    syslog.syslog(
-                  (dogtag_instance, nickname))
+        syslog.LOG_NOTICE, "Started %s" % dogtag_service.service_name)

install/restart_scripts/stop_pkicad

@@ -29,15 +29,15 @@ api.bootstrap(context='restart')
 api.finalize()
 
 configured_constants = dogtag.configured_constants(api)
+dogtag_service = ipaservices.knownservices[configured_constants.SERVICE_NAME]
 dogtag_instance = configured_constants.PKI_INSTANCE_NAME
 
-syslog.syslog(syslog.LOG_NOTICE, "certmonger stopping %sd" % dogtag_instance)
+syslog.syslog(syslog.LOG_NOTICE, "Stopping %s" % dogtag_service.service_name)
-
 try:
-    if configured_constants.DOGTAG_VERSION == 9:
+    dogtag_service.stop(dogtag_instance)
-        ipaservices.knownservices.pki_cad.stop(dogtag_instance)
-    else:
-        ipaservices.knownservices.pki_tomcatd.stop(dogtag_instance)
 except Exception, e:
-    syslog.syslog(syslog.LOG_ERR, "Cannot stop %sd: %s" %
+    syslog.syslog(
-                  (dogtag_instance, str(e)))
+        syslog.LOG_ERR, "Cannot stop %s: %s" % (dogtag_service.service_name, e))
+else:
+    syslog.syslog(
+        syslog.LOG_NOTICE, "Stopped %s" % dogtag_service.service_name)

ipapython/dogtag.py

@@ -62,6 +62,8 @@ class Dogtag10Constants(object):
     SERVICE_PROFILE_DIR = '%s/ca/profiles/ca' % PKI_ROOT
     ALIAS_DIR = '/etc/pki/pki-tomcat/alias'
 
+    SERVICE_NAME = 'pki_tomcatd'
+
     RACERT_LINE_SEP = '\n'
 
     IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR
@@ -92,6 +94,8 @@ class Dogtag9Constants(object):
     SERVICE_PROFILE_DIR = '%s/profiles/ca' % PKI_ROOT
     ALIAS_DIR = '%s/alias' % PKI_ROOT
 
+    SERVICE_NAME = 'pki-cad'
+
     RACERT_LINE_SEP = '\r\n'
 
     ADMIN_SECURE_PORT = 9445

ipapython/platform/base/__init__.py

@@ -27,7 +27,7 @@ import os
 wellknownservices = ['certmonger', 'dirsrv', 'httpd', 'ipa', 'krb5kdc',
                      'messagebus', 'nslcd', 'nscd', 'ntpd', 'portmap',
                      'rpcbind', 'kadmin', 'sshd', 'autofs', 'rpcgssd',
-                     'rpcidmapd', 'pki_tomcatd', 'pki-cad', 'chronyd']
+                     'rpcidmapd', 'pki_tomcatd', 'pki_cad', 'chronyd']
 
 # System may support more time&date services. FreeIPA supports ntpd only, other
 # services will be disabled during IPA installation

ipaserver/install/cainstance.py

@@ -1283,7 +1283,7 @@ class CAInstance(service.Service):
         """
         caconfig = dogtag.install_constants.CS_CFG_PATH
 
-        with stopped_service('pki_tomcatd',
+        with stopped_service(self.dogtag_constants.SERVICE_NAME,
                         instance_name=self.dogtag_constants.PKI_INSTANCE_NAME):
 
             # Enable file publishing, disable LDAP
@@ -1723,7 +1723,7 @@ def update_cert_config(nickname, cert, dogtag_constants=None):
                   'subsystemCert cert-pki-ca': 'ca.subsystem.cert',
                   'Server-Cert cert-pki-ca': 'ca.sslserver.cert'}
 
-    with stopped_service('pki_tomcatd',
+    with stopped_service(dogtag_constants.SERVICE_NAME,
                          instance_name=dogtag_constants.PKI_INSTANCE_NAME):
 
         installutils.set_directive(dogtag.configured_constants().CS_CFG_PATH,