[Freeipa-devel] [PATCH] 1079 address CA subsystem renewal issues

Rob Crittenden rcritten at redhat.com
Sun Jan 6 20:00:50 UTC 2013


Each of the CA subsystem certificates would trigger a restart during 
renewal. This generally caused one or more of the renewals to fail due 
to the CA being down.

We also need to fix the trust on the audit cert post-installation. It 
was possible that both certmonger and certutil could have the NSS 
database open read/write which is almost guaranteed to result in corruption.

So instead I picked the audit cert as the "lead" cert. It will handle 
restarting the CA.

It will also wait until all the other CA subsystem certs are in a 
MONITORING state before trying to update the trust. This should prevent 
the multiple read/write problem.

The CA wasn't actually working post-renewal anyway because the user it 
uses to bind to DS wasn't being updated properly. certmap.conf is 
configured to compare the cert provided by the client with that stored 
in LDAP and since we weren't updating it, dogtag couldn't properly bind 
to its own DS instance.

We also update a ou=People entry for the RA agent cert so I pulled that 
updating code into cainstance.py for easier sharing.

Finally, the wrong service name was being used for tomcat to do the 
restart. This is fixed. I've tested this with 3.1/dogtag 10 but it 
should work with dogtag 9 as well (which uses a different service naming 
convention).

This is how I test:

- ipa-server-install ...
- getcert list | grep expires
- examine the first four certs, pick an expiration date ~28 days prior
- date MMDDhhmmCCYY
- getcert list|grep status

Wait until all but one is in MONITORING. That last one should be the 
audit cert.

I usually at this point switch to watching a tail of /var/log/messages 
until the CA restarts.

Confirm that things are working with:

- ipa cert-show 1

To really be sure, use the ipa cert-request command to issue a new cert.

Ideally you'll verify that things are working, then trigger another 
renewal event. Do the getcert list|grep expires to renew the HTTP/DS 
server certs, then do this again for the CA subsystem certs.

It should come up again.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-1079-renewal.patch
Type: text/x-patch
Size: 13929 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130106/864fde5b/attachment.bin>
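The "wait until all but one is in MONITORING, and that one should be the audit cert" step of the test procedure above, scripted as an added example (it is not part of the patch or of FreeIPA). It assumes the lead cert carries the nickname 'auditSigningCert cert-pki-ca' in the NSS database, and the getcert output it parses is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of Rob's patch: parse `getcert list` output and
# report which tracked requests are not yet MONITORING. Request IDs, paths,
# nicknames and states in the sample are constructed, not from a live server.
# Constructed sample in the shape of `getcert list` output.
SAMPLE_GETCERT=$(cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20130106000001':
	status: MONITORING
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
Request ID '20130106000002':
	status: MONITORING
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
Request ID '20130106000003':
	status: CA_WORKING
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
EOF
)

# Read getcert-style text on stdin; print "id<TAB>status<TAB>nickname" for
# every request whose status is not MONITORING.
pending_requests() {
    awk -v q="'" '
        function flush() {
            if (id != "" && status != "MONITORING")
                printf "%s\t%s\t%s\n", id, status, nick
        }
        /^Request ID/ { flush(); id = $3; gsub(q, "", id); gsub(":", "", id); status = ""; nick = "" }
        /^[ \t]*status:/ { status = $2 }
        /^[ \t]*certificate:/ {
            i = index($0, "nickname=" q)
            if (i) { rest = substr($0, i + 10); nick = substr(rest, 1, index(rest, q) - 1) }
        }
        END { flush() }'
}

# Exit 0 when the only request still renewing (if any) is the lead cert,
# i.e. the state to wait for before the audit cert restarts the CA.
ca_renewal_ready() {
    lead=${1:-"auditSigningCert cert-pki-ca"}
    pending_requests | awk -F "$(printf '\t')" -v lead="$lead" '
        $3 != lead { other = 1 }
        END { exit other }'
}

# Demo on the constructed sample; on a real server use: getcert list | ca_renewal_ready
printf '%s\n' "$SAMPLE_GETCERT" | pending_requests
if printf '%s\n' "$SAMPLE_GETCERT" | ca_renewal_ready; then
    echo "ready: only the audit (lead) cert is still renewing"
fi
```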

