[Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

Jan Cholasta jcholast at redhat.com
Mon Feb 22 15:04:40 UTC 2016


On 22.2.2016 15:56, David Kupka wrote:
> On 22/02/16 07:28, Jan Cholasta wrote:
>> On 18.2.2016 10:10, David Kupka wrote:
>>> On 19/01/16 16:10, David Kupka wrote:
>>>> On 19/01/16 14:38, Jan Cholasta wrote:
>>>>> On 19.1.2016 14:26, Martin Kosek wrote:
>>>>>> On 01/19/2016 01:47 PM, David Kupka wrote:
>>>>>>> I've polished the patch attached to #5586 by Timo Aaltonen.
>>>>>>>
>>>>>>> Thanks for the patch. I've fixed the path in specfile and removed
>>>>>>> unused import
>>>>>>> but otherwise it works, ACK.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/5586
>>>>>>
>>>>>> Won't this break existing certmonger requests depending on the old
>>>>>> path?
>>>>>
>>>>> It will, I don't see any upgrade code.
>>>>>
>>>>>>
>>>>>> # getcert list | grep '/usr/lib64/ipa/certmonger'
>>>>>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>>>>> "auditSigningCert
>>>>>> cert-pki-ca"
>>>>>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>>>>> "ocspSigningCert
>>>>>> cert-pki-ca"
>>>>>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>>>>> "subsystemCert
>>>>>> cert-pki-ca"
>>>>>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>>>>> "caSigningCert
>>>>>> cert-pki-ca"
>>>>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>>>>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>>>>> "Server-Cert
>>>>>> cert-pki-ca"
>>>>>>     post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
>>>>>> RHEL72
>>>>>>     post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>>>>
>>>>>
>>>>>
>>>>
>>>> You're right, it will break the upgrade. I haven't noticed that
>>>> Server-Cert for DS and HTTPD are not handled by
>>>> certificate_renewal_update (ipaserver.install.server.upgrade) where all
>>>> the other trackings are stopped and then configured again with the
>>>> paths.CERTMONGER_COMMAND_TEMPLATE already updated.
>>>>
>>>> Thanks for the catch.
>>>>
>>>
>>> I've updated Timo's patch a little more and added
>>> start_tracking_certificates() for dsinstance and httpinstance. Now the
>>> upgrade works as expected.
>>
>> The way the patches are split is kind of weird and apparently confusing
>> (see the other thread). IMO there should be 2 patches: the first should
>> add the ability to change DS and HTTP certmonger config during upgrade
>> (i.e. the start_tracking_certificates() methods and
>> certificate_renewal_update() changes), the second should move the
>> helpers (i.e. the actual move and certificate_renewal_update() version
>> bump).
>>
> Honza, do I understand it correctly that the code is OK but I did not
> split it into patches correctly?

Yes.

-- 
Jan Cholasta
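
Added example, not part of the thread or of FreeIPA's code: a check that ties each pre-save/post-save hook still pointing at the old helper directory back to its certmonger request ID, which the grep quoted above does not show. The sample `getcert list` text, the request IDs and the `/usr/libexec/example` path are constructed placeholders.

```python
import shlex

OLD_HELPER_DIR = "/usr/lib64/ipa/certmonger"  # old helper path quoted in the thread

# Constructed sample in the layout `getcert list` prints; IDs and the
# /usr/libexec/example path are placeholders, not values from the thread.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20160101000001':
\tstatus: MONITORING
\tpre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
\tpost-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
Request ID '20160101000002':
\tpre-save command:
\tpost-save command: /usr/lib64/ipa/certmonger/restart_httpd
Request ID '20160101000003':
\tpost-save command: /usr/libexec/example/restart_dirsrv EXAMPLE-TEST
"""


def parse_requests(text):
    """Map each request ID to its pre-save/post-save command strings."""
    requests, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Request ID '"):
            current = stripped.split("'")[1]
            requests[current] = {}
        elif current and stripped.startswith(("pre-save command:", "post-save command:")):
            hook, _, command = stripped.partition(":")
            requests[current][hook] = command.strip()
    return requests


def stale_hooks(text, old_dir=OLD_HELPER_DIR):
    """Return (request_id, hook, helper) for hooks still under old_dir."""
    prefix = old_dir.rstrip("/") + "/"
    found = []
    for req_id, hooks in parse_requests(text).items():
        for hook, command in hooks.items():
            argv = shlex.split(command)  # first word is the helper executable
            if argv and argv[0].startswith(prefix):
                found.append((req_id, hook, argv[0]))
    return found


if __name__ == "__main__":
    for req_id, hook, helper in stale_hooks(SAMPLE):
        print(f"{req_id}: {hook} -> {helper}")
```

Run against real `getcert list` output after an upgrade, an empty result means no tracking request still calls a helper from the old directory.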



