[Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

David Kupka dkupka at redhat.com
Thu Feb 18 09:10:36 UTC 2016


On 19/01/16 16:10, David Kupka wrote:
> On 19/01/16 14:38, Jan Cholasta wrote:
>> On 19.1.2016 14:26, Martin Kosek wrote:
>>> On 01/19/2016 01:47 PM, David Kupka wrote:
>>>> I've polished the patch attached to #5586 by Timo Aaltonen.
>>>>
>>>> Thanks for the patch. I've fixed the path in specfile and removed
>>>> unused import
>>>> but otherwise it works, ACK.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/5586
>>>
>>> Won't this break existing certmonger requests depending on the old path?
>>
>> It will, I don't see any upgrade code.
>>
>>>
>>> # getcert list | grep '/usr/lib64/ipa/certmonger'
>>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>> "auditSigningCert
>>> cert-pki-ca"
>>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>> "ocspSigningCert
>>> cert-pki-ca"
>>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>> "subsystemCert
>>> cert-pki-ca"
>>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>> "caSigningCert
>>> cert-pki-ca"
>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>> "Server-Cert
>>> cert-pki-ca"
>>>     post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv RHEL72
>>>     post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>
>>
>>
>
> You're right, it will break the upgrade. I haven't noticed that
> Server-Cert for DS and HTTPD are not handled by
> certificate_renewal_update (ipaserver.install.server.upgrade) where all
> the other trackings are stopped and then configured again with the
> paths.CERTMONGER_COMMAND_TEMPLATE already updated.
>
> Thanks for the catch.
>

I've updated Timo's patch a little more and added
start_tracking_certificates() for dsinstance and httpinstance. Now the
upgrade works as expected.

-- 
David Kupka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-dkupka-0087.0-dsinstance-add-start_tracking_certificates-method.patch
Type: text/x-patch
Size: 1501 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160218/bef76bb2/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-dkupka-0088.0-httpinstance-add-start_tracking_certificates-method.patch
Type: text/x-patch
Size: 1092 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160218/bef76bb2/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tjaalton-0011.1-Move-freeipa-certmonger-helpers-to-libexecdir.patch
Type: text/x-patch
Size: 8353 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160218/bef76bb2/attachment-0002.bin>
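
An added example, not part of the original message or of FreeIPA's code: a post-upgrade check that reads `getcert list` output and reports tracking requests whose pre-save or post-save command still points at the old helper directory discussed in the thread. The sample output, the request IDs and the `/usr/libexec/ipa/certmonger` path are constructed for illustration, and `stale_requests` is a hypothetical helper name.

```python
import re

# Constructed sample in the layout printed by `getcert list` (not real output).
# The /usr/libexec path is an assumed new location, used only as test data.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20160118000001':
    status: MONITORING
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
Request ID '20160118000002':
    status: MONITORING
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
"""

OLD_DIR = "/usr/lib64/ipa/certmonger"  # old helper path quoted in the thread

REQUEST_RE = re.compile(r"Request ID '([^']+)':")
HOOK_RE = re.compile(r"\s+(pre-save|post-save) command:\s*(.*)")


def stale_requests(getcert_output, old_dir=OLD_DIR):
    """Return {request_id: [(hook, command), ...]} for hooks under old_dir."""
    prefix = old_dir.rstrip("/") + "/"  # match on a directory boundary
    stale = {}
    request_id = None
    for line in getcert_output.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            request_id = m.group(1)
            continue
        m = HOOK_RE.match(line)
        if m and request_id:
            hook, command = m.groups()
            # Only the executable (first word) decides; arguments are ignored.
            if command.split(" ", 1)[0].startswith(prefix):
                stale.setdefault(request_id, []).append((hook, command))
    return stale


if __name__ == "__main__":
    for rid, hooks in stale_requests(SAMPLE).items():
        for hook, cmd in hooks:
            print(f"{rid}: {hook} command still uses old path: {cmd}")
```

On a real host the input would be the text printed by `getcert list`; an empty result after the upgrade means every tracked request was re-registered with the new helper path.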

