mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-27 09:21:59 -06:00
045b6e6ed9
dogtag opens its NSS database in read/write mode so we need to be very careful during renewal that we don't also open it up read/write. We basically need to serialize access to the database. certmonger does the majority of this work via internal locking from the point where it generates a new key/submits a rewewal through the pre_save and releases the lock after the post_save command. This lock is held per NSS database so we're save from certmonger. dogtag needs to be shutdown in the pre_save state so certmonger can safely add the certificate and we can manipulate trust in the post_save command. Fix a number of bugs in renewal. The CA wasn't actually being restarted at all due to a naming change upstream. In python we need to reference services using python-ish names but the service is pki-cad. We need a translation for non-Fedora systems as well. Update the CA ou=People entry when he CA subsystem certificate is renewed. This certificate is used as an identity certificate to bind to the DS instance. https://fedorahosted.org/freeipa/ticket/3292 https://fedorahosted.org/freeipa/ticket/3322
44 lines
1.5 KiB
Python
44 lines
1.5 KiB
Python
#!/usr/bin/python -E
|
|
#
|
|
# Authors:
|
|
# Rob Crittenden <rcritten@redhat.com>
|
|
#
|
|
# Copyright (C) 2012 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
import sys
|
|
import syslog
|
|
from ipapython import services as ipaservices
|
|
from ipapython import dogtag
|
|
from ipalib import api
|
|
|
|
api.bootstrap(context='restart')
|
|
api.finalize()
|
|
|
|
configured_constants = dogtag.configured_constants(api)
|
|
dogtag_instance = configured_constants.PKI_INSTANCE_NAME
|
|
|
|
syslog.syslog(syslog.LOG_NOTICE, "certmonger stopping %sd" % dogtag_instance)
|
|
|
|
try:
|
|
if configured_constants.DOGTAG_VERSION == 9:
|
|
ipaservices.knownservices.pki_cad.start(dogtag_instance)
|
|
else:
|
|
ipaservices.knownservices.pki_tomcatd.start(dogtag_instance)
|
|
except Exception, e:
|
|
syslog.syslog(syslog.LOG_ERR, "Cannot stop %sd: %s" %
|
|
(dogtag_instance, str(e)))
|