[Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

David Kupka dkupka at redhat.com
Tue Jan 19 15:10:30 UTC 2016


On 19/01/16 14:38, Jan Cholasta wrote:
> On 19.1.2016 14:26, Martin Kosek wrote:
>> On 01/19/2016 01:47 PM, David Kupka wrote:
>>> I've polished the patch attached to #5586 by Timo Aaltonen.
>>>
>>> Thanks for the patch. I've fixed the path in specfile and removed
>>> unused import
>>> but otherwise it works, ACK.
>>>
>>> https://fedorahosted.org/freeipa/ticket/5586
>>
>> Won't this break existing certmonger requests depending on the old path?
>
> It will, I don't see any upgrade code.
>
>>
>> # getcert list | grep '/usr/lib64/ipa/certmonger'
>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> "auditSigningCert
>> cert-pki-ca"
>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> "ocspSigningCert
>> cert-pki-ca"
>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> "subsystemCert
>> cert-pki-ca"
>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> "caSigningCert
>> cert-pki-ca"
>>     post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> "Server-Cert
>> cert-pki-ca"
>>     post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv RHEL72
>>     post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>
>
>

You're right, it will break the upgrade. I hadn't noticed that
Server-Cert for DS and HTTPD are not handled by
certificate_renewal_update (ipaserver.install.server.upgrade) where all
the other trackings are stopped and then configured again with the
paths.CERTMONGER_COMMAND_TEMPLATE already updated.

Thanks for the catch.

-- 
David Kupka
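
An added example, not part of the original message or of FreeIPA's code: a check that lists every certmonger tracking request whose pre-save or post-save hook still points into the old helper directory quoted in the thread, which is how an administrator could confirm after an upgrade that no request was left behind. It assumes the usual `getcert list` layout (a `Request ID '...':` header followed by indented fields); `find_stale_hooks` and the sample data are hypothetical names and constructed values.

```python
import re

# Old helper directory, as shown in the quoted `getcert list` output.
OLD_HELPER_DIR = "/usr/lib64/ipa/certmonger"
REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
HOOK_RE = re.compile(r"^\s+(pre-save|post-save) command:\s*(.*)$")


def find_stale_hooks(getcert_output, old_dir=OLD_HELPER_DIR):
    """Return (request_id, hook, command) for every hook under old_dir."""
    # Trailing slash so a sibling such as ".../certmonger-local" is not matched.
    prefix = old_dir.rstrip("/") + "/"
    stale, request_id = [], None
    for line in getcert_output.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            request_id = m.group(1)
            continue
        m = HOOK_RE.match(line)
        if m and request_id is not None and m.group(2).startswith(prefix):
            stale.append((request_id, m.group(1), m.group(2).strip()))
    return stale


# Constructed sample, not captured from a real host. Request IDs and the
# "certmonger-local" path are made up for illustration.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20160101000001':
\tstatus: MONITORING
\tpre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
\tpost-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
Request ID '20160101000002':
\tstatus: MONITORING
\tpre-save command:
\tpost-save command: /usr/lib64/ipa/certmonger/restart_httpd
Request ID '20160101000003':
\tstatus: MONITORING
\tpre-save command:
\tpost-save command: /usr/lib64/ipa/certmonger-local/restart_httpd
"""

if __name__ == "__main__":
    for rid, hook, cmd in find_stale_hooks(SAMPLE):
        print(f"{rid}: {hook} -> {cmd}")
```

On a real host the input would be the captured output of `getcert list`; an empty result means no tracking request still references the old directory.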



