cert renewal: make renewal of ipaCert atomic

This prevents errors when renewing other certificates during the renewal of ipaCert. https://fedorahosted.org/freeipa/ticket/5436 Reviewed-By: David Kupka <dkupka@redhat.com>
2025-02-25 18:55:28 -06:00 · 2015-11-09 10:53:02 +01:00
parent 164fb7b1d1
commit f3076c6ab3
5 changed files with 26 additions and 4 deletions
--- a/install/restart_scripts/Makefile.am
+++ b/install/restart_scripts/Makefile.am
@@ -7,6 +7,7 @@ app_DATA =                              \
 	renew_ca_cert			\
 	renew_ra_cert			\
 	stop_pkicad			\
+	renew_ra_cert_pre		\
 	$(NULL)

 EXTRA_DIST =                            \
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -77,8 +77,11 @@ def _main():


 def main():
-    with certs.renewal_lock:
+    try:
        _main()
+    finally:
+        # lock acquired in renew_ra_cert_pre
+        certs.renewal_lock.release('renew_ra_cert')


 try:
--- a/install/restart_scripts/renew_ra_cert_pre
+++ b/install/restart_scripts/renew_ra_cert_pre
@@ -0,0 +1,18 @@
+#!/usr/bin/python2 -E
+#
+# Copyright (C) 2015  FreeIPA Contributors see COPYING for license
+#
+
+import syslog
+import traceback
+
+from ipaserver.install import certs
+
+
+def main():
+    certs.renewal_lock.acquire('renew_ra_cert')
+
+try:
+    main()
+except Exception:
+    syslog.syslog(syslog.LOG_ERR, traceback.format_exc())
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1339,7 +1339,7 @@ class CAInstance(DogtagInstance):
                pin=None,
                pinfile=paths.ALIAS_PWDFILE_TXT,
                secdir=paths.HTTPD_ALIAS_DIR,
-                pre_command=None,
+                pre_command='renew_ra_cert_pre',
                post_command='renew_ra_cert')
        except RuntimeError as e:
            self.log.error(
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -806,7 +806,7 @@ def certificate_renewal_update(ca):
    dogtag_constants = dogtag.configured_constants()

    # bump version when requests is changed
-    version = 3
+    version = 4
    requests = (
        (
            dogtag_constants.ALIAS_DIR,
@@ -844,7 +844,7 @@ def certificate_renewal_update(ca):
            paths.HTTPD_ALIAS_DIR,
            'ipaCert',
            'dogtag-ipa-ca-renew-agent',
-            None,
+            'renew_ra_cert_pre',
            'renew_ra_cert',
            None,
        ),