[Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

Jan Cholasta jcholast at redhat.com
Mon Feb 22 06:28:54 UTC 2016


On 18.2.2016 10:10, David Kupka wrote:
> On 19/01/16 16:10, David Kupka wrote:
>> On 19/01/16 14:38, Jan Cholasta wrote:
>>> On 19.1.2016 14:26, Martin Kosek wrote:
>>>> On 01/19/2016 01:47 PM, David Kupka wrote:
>>>>> I've polished the patch attached to #5586 by Timo Aaltonen.
>>>>>
>>>>> Thanks for the patch. I've fixed the path in specfile and removed
>>>>> unused import
>>>>> but otherwise it works, ACK.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/5586
>>>>
>>>> Won't this break existing certmonger requests depending on the old
>>>> path?
>>>
>>> It will, I don't see any upgrade code.
>>>
>>>>
>>>> # getcert list | grep '/usr/lib64/ipa/certmonger'
>>>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>>>>     post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv RHEL72
>>>>     post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>>
>>>
>>>
>>
>> You're right, it will break the upgrade. I haven't noticed that
>> Server-Cert for DS and HTTPD are not handled by
>> certificate_renewal_update (ipaserver.install.server.upgrade) where all
>> the other trackings are stopped and then configured again with the
>> paths.CERTMONGER_COMMAND_TEMPLATE already updated.
>>
>> Thanks for the catch.
>>
>
> I've updated Timo's patch a little more and added
> start_tracking_certificates() for dsinstance and httpinstance. Now the
> upgrade works as expected.

The way the patches are split is kind of weird and apparently confusing 
(see the other thread). IMO there should be 2 patches: the first should 
add the ability to change DS and HTTP certmonger config during upgrade 
(i.e. the start_tracking_certificates() methods and 
certificate_renewal_update() changes), the second should move the 
helpers (i.e. the actual move and certificate_renewal_update() version 
bump).

-- 
Jan Cholasta
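
Added example, not part of the original message or of the FreeIPA code base: a check for the breakage discussed in this thread, which scans `getcert list` output for pre-save and post-save commands that still point under the old helper directory. The sample output, its request IDs and the `/usr/libexec` path are constructed for illustration, and `stale_hooks` is a hypothetical name.

```python
import re
import shlex

# Old helper directory, as shown in the getcert output quoted in the thread.
OLD_HELPER_DIR = "/usr/lib64/ipa/certmonger"

# Constructed sample in the layout `getcert list` prints (request IDs, the
# instance name and the /usr/libexec path are made up for this example).
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20160101000001':
\tstatus: MONITORING
\tpre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
\tpost-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
Request ID '20160101000002':
\tstatus: MONITORING
\tpre-save command:
\tpost-save command: /usr/lib64/ipa/certmonger/restart_httpd
Request ID '20160101000003':
\tstatus: MONITORING
\tpre-save command:
\tpost-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-TEST
"""

REQ_RE = re.compile(r"^Request ID '([^']+)':")
HOOK_RE = re.compile(r"^\s+(pre-save|post-save) command:\s*(.*)$")


def stale_hooks(getcert_output, old_dir=OLD_HELPER_DIR):
    """Return [(request_id, hook, helper_path)] for hooks under old_dir."""
    findings = []
    request_id = None
    prefix = old_dir.rstrip("/") + "/"  # match on a directory boundary only
    for line in getcert_output.splitlines():
        m = REQ_RE.match(line)
        if m:
            request_id = m.group(1)
            continue
        m = HOOK_RE.match(line)
        if not m or request_id is None:
            continue
        hook, command = m.group(1), m.group(2).strip()
        if not command:
            continue  # no hook configured for this request
        helper = shlex.split(command)[0]  # first token is the helper path
        if helper.startswith(prefix):
            findings.append((request_id, hook, helper))
    return findings
```

Running `stale_hooks` on real `getcert list` output after an upgrade lists every tracking request that was not re-created with the new helper path.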



