From 4bec0f10265252eee133ee3bcfc5ee2ca6196c65 Mon Sep 17 00:00:00 2001
From: Martin Basti
Date: May 25 2016 15:19:56 +0000
Subject: Upgrade: always start CA
Some CA upgrade steps in upgrader requires running CA. We have to always start CA and wait for running status using http, because systemd may return false positive result that CA is running even if CA is just starting and unable to serve.
https://fedorahosted.org/freeipa/ticket/5868
Reviewed-By: Stanislav Laznicka
---
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 045a4f6..4aa5cbf 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1464,6 +1464,7 @@ def upgrade_configuration():
 sub_dict['SUBJECT_BASE'] = subject_base
 ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
+ ca_running = ca.is_running()
 with installutils.stopped_service('pki-tomcatd', 'pki-tomcat'):
 # Dogtag must be stopped to be able to backup CS.cfg config
@@ -1497,6 +1498,11 @@ def upgrade_configuration():
 )
 upgrade_pki(ca, fstore)
+ # several upgrade steps require running CA
+ # always run ca.start() because we need to wait until CA is really ready
+ # by checking status using http
+ ca.start('pki-tomcat')
+
 certmonger_service = services.knownservices.certmonger
 if ca.is_configured() and not certmonger_service.is_running():
 certmonger_service.start()
@@ -1668,6 +1674,11 @@ def upgrade_configuration():
 elif not ds_running and ds.is_running():
 ds.stop(ds_serverid)
+ if ca_running and not ca.is_running():
+ ca.start('pki-tomcat')
+ elif not ca_running and ca.is_running():
+ ca.stop('pki-tomcat')
+
 def upgrade_check(options):
 try:
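Review bot: The added `ca.start('pki-tomcat')` in the second hunk runs unconditionally, although the statement right after it guards the certmonger start with `ca.is_configured()`, which suggests this upgrader also runs on hosts without a configured CA. On such a host the start would presumably fail, or wait for an HTTP status that never becomes ready, and abort the upgrade part-way. Guarding it the same way avoids that: `if ca.is_configured():` followed by `ca.start('pki-tomcat')`, with the comment above it saying the CA is started only when it is configured. `upgrade_configuration()` begins and ends outside this hunk, so an earlier guard may exist that is not visible here.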
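Review bot: The state restore added after the `ds.stop(ds_serverid)` branch in the third hunk is reached only if every upgrade step before it completes, and no `try`/`finally` is visible in these hunks. An exception raised after the unconditional `ca.start('pki-tomcat')` would then presumably leave the CA running on a host where it had been stopped before the upgrade. Consider moving the CA restore, and the directory-server restore above it, into a `finally:` that wraps the upgrade steps; most of that function body lies outside the hunk. At the `ca_running = ca.is_running()` assignment in the first hunk, a comment such as `# CA state before the upgrade; restored at the end of upgrade_configuration()` would make the pairing explicit.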