[Freeipa-devel] [PATCH] 998 certmonger restarts services on renewal
Nalin Dahyabhai
nalin at redhat.com
Mon Apr 2 14:18:29 UTC 2012
On Mon, Apr 02, 2012 at 03:47:20PM +0200, Martin Kosek wrote:
> On Tue, 2012-03-27 at 17:40 -0400, Rob Crittenden wrote:
> > Certmonger will currently automatically renew server certificates but
> > doesn't restart the services so you can still end up with expired
> > certificates if your services never restart.
> >
> > This patch registers a restart command with certmonger so the IPA
> > services will automatically be restarted to get the updated cert.
> >
> > Easy to test. Install IPA then resubmit the current server certs and
> > watch the services restart:
> >
> > # ipa-getcert list
> >
> > Find the ID for either your dirsrv or httpd instance
> >
> > # ipa-getcert resubmit -i <ID>
> >
> > Watch /var/log/httpd/error_log or /var/log/dirsrv/slapd-INSTANCE/errors
> > to see the service restart.
>
> What about current instances - can we/do we want to update certmonger
> tracking so that their instances are restarted as well?
You can use the not-exactly-well-named start-tracking command to add a
post-save command:
ipa-getcert start-tracking \
-d /etc/dirsrv/slapd-PKI-IPA -n Server-Cert \
-C "/usr/bin/logger BeenThereDoneThat"
Or use the ID, as Rob did above.
HTH,
Nalin
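The gap Rob describes (certmonger renews the certificate, but a service that never restarts keeps serving the old, eventually expired one) is easy to audit for: every tracked request should carry a post-save command. The following shell script is an added example, not code from this thread or from the FreeIPA project. It parses `getcert list` style output and reports tracked requests whose `post-save command:` field is empty. The sample output embedded in `sample_list` is constructed for the example and only loosely modeled on the real listing format; the field names `Request ID`, `key pair storage:` and `post-save command:` are the ones certmonger prints.

```shell
#!/bin/sh
# Added example (not from the thread): find certmonger tracking requests that
# would be renewed without restarting the service that uses the certificate.

# Constructed sample in the shape of 'getcert list' output; not a real capture.
sample_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20120402141829':
	status: MONITORING
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert'
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20120402141830':
	status: MONITORING
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
	pre-save command:
	post-save command: /usr/bin/logger BeenThereDoneThat
	track: yes
	auto-renew: yes
EOF
}

# Read a 'getcert list' listing on stdin and print "<request id> <key pair storage>"
# for each request that has no post-save command (or no such line at all).
missing_post_save() {
    awk '
        function flush() {
            # A request with an empty post-save command will renew silently.
            if (seen && cmd == "") print id " " store
            seen = 0
        }
        /^Request ID / {
            flush()
            id = $0
            sub(/^Request ID \047/, "", id)   # strip leading "Request ID '"'"'"
            sub(/\047:$/, "", id)             # strip trailing "'"'"':"
            store = ""; cmd = ""; seen = 1
        }
        /^[ \t]*key pair storage:/ {
            sub(/^[ \t]*key pair storage:[ \t]*/, "")
            store = $0
        }
        /^[ \t]*post-save command:/ {
            sub(/^[ \t]*post-save command:[ \t]*/, "")
            cmd = $0
        }
        END { flush() }
    '
}

# Run against the constructed sample. On a real IPA host, pipe the live listing
# instead:  getcert list | missing_post_save
sample_list | missing_post_save
```

Any request the script prints can be given a restart hook with the `start-tracking ... -C` form shown above; with no output, every tracked certificate already has a post-save command and a renewal will be followed by a restart.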