From 198cd5fab3937fd8948bea4b4949e30db4e490a4 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud
Date: Nov 16 2016 08:10:01 +0000
Subject: Fix renewal lock issues on installation
- Make sure that the file /var/run/ipa/renewal.lock is deleted upon uninstallation, in order to avoid subsequent installation issues.
- Modify certmonger renewal script: restart the http/dirsrv services only if they were already running
- Cleanup certmonger ra renewal script: no need to restart httpd
- Reorder during http install: request the SSL cert before adding ipa-service-guard
Rationale: when a CA helper is modified, certmonger launches the helper with various operations (FETCH_ROOTS, ...) If the CA helper is once again modified, the on-going helper is killed. This can lead to ipa-service-guard being killed and not releasing the renew lock. If the SSL cert is requested with IPA helper before ipa-service-guard is added, we avoid this locking issue.
Part of the refactoring effort, certificates sub-effort.
https://fedorahosted.org/freeipa/ticket/6433
Reviewed-By: Martin Basti
Reviewed-By: Jan Cholasta
Reviewed-By: Fraser Tweedale
---
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index d71d6e2..40ef728 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -30,7 +30,6 @@ import traceback
 from ipapython import ipautil
 from ipalib import api
 from ipaserver.install import certs, cainstance, krainstance
-from ipaplatform import services
 from ipaplatform.paths import paths
@@ -68,15 +67,6 @@ def _main():
         shutil.rmtree(tmpdir)
         api.Backend.ldap2.disconnect()
-    # Now restart Apache so the new certificate is available
-    syslog.syslog(syslog.LOG_NOTICE, "Restarting httpd")
-    try:
-        services.knownservices.httpd.restart()
-    except Exception as e:
-        syslog.syslog(syslog.LOG_ERR, "Cannot restart httpd: %s" % e)
-    else:
-        syslog.syslog(syslog.LOG_NOTICE, "Restarted httpd")
-
 def main():
     try:
diff --git a/install/restart_scripts/restart_dirsrv b/install/restart_scripts/restart_dirsrv
index a8e7818..72d3c54 100644
--- a/install/restart_scripts/restart_dirsrv
+++ b/install/restart_scripts/restart_dirsrv
@@ -39,7 +39,8 @@ def _main():
     syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted dirsrv instance '%s'" % instance)
     try:
-        services.knownservices.dirsrv.restart(instance)
+        if services.knownservices.dirsrv.is_running():
+            services.knownservices.dirsrv.restart(instance)
     except Exception as e:
         syslog.syslog(syslog.LOG_ERR, "Cannot restart dirsrv (instance: '%s'): %s" % (instance, str(e)))
diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index 50348d4..d168481 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -29,7 +29,8 @@ def _main():
     syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
     try:
-        services.knownservices.httpd.restart()
+        if services.knownservices.httpd.is_running():
+            services.knownservices.httpd.restart()
     except Exception as e:
         syslog.syslog(syslog.LOG_ERR, "Cannot restart httpd: %s" % str(e))
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 39d43f2..4e8107e 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
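Review bot: The added guard in restart_dirsrv calls `is_running()` with no instance name while the `restart(instance)` it protects is instance-specific, so the check may be answering for a different unit than the one being restarted; passing the instance, `if services.knownservices.dirsrv.is_running(instance):`, keeps the two consistent (assuming is_running takes an instance name the way restart does). In both this hunk and the restart_httpd hunk the NOTICE `certmonger restarted ...` is still emitted unconditionally above the guard, so syslog records a restart even when the service was stopped and the restart was skipped. An `else:` branch on the new `if` that logs that the restart was skipped because the service was not running would keep the log truthful, which matters since these messages are what an operator reads when a renewed certificate is not picked up. `_main` continues outside both hunks.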
@@ -166,11 +166,11 @@ class HTTPInstance(service.Service):
         self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
         self.step("adding URL rewriting rules", self.__add_include)
         self.step("configuring httpd", self.__configure_http)
+        self.step("setting up httpd keytab", self._request_service_keytab)
+        self.step("setting up ssl", self.__setup_ssl)
         if self.ca_is_configured:
             self.step("configure certmonger for renewals", self.configure_certmonger_renewal_guard)
-        self.step("setting up httpd keytab", self._request_service_keytab)
-        self.step("setting up ssl", self.__setup_ssl)
         self.step("importing CA certificates from LDAP", self.__import_ca_certs)
         self.step("publish CA cert", self.__publish_ca_cert)
         self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 091992a..b8a46f5 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -4,6 +4,7 @@ from __future__ import print_function
+import errno
 import os
 import pickle
 import shutil
@@ -1118,6 +1119,14 @@ def uninstall(installer):
                           ' # getcert stop-tracking -i \n'
                           'for each id in: %s' % ', '.join(ids))
+    # Remove the cert renewal lock file
+    try:
+        os.remove(paths.IPA_RENEWAL_LOCK)
+    except OSError as e:
+        if e.errno != errno.ENOENT:
+            root_logger.warning("Failed to remove file %s: %s",
+                                paths.IPA_RENEWAL_LOCK, e)
+
     print("Removing IPA client configuration")
     try:
         result = run([paths.IPA_CLIENT_INSTALL, "--on-master",
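Review bot: The reason the keytab and ssl steps must now precede `configure_certmonger_renewal_guard` lives only in the commit message, and nothing in the code stops a later reorder from silently reintroducing the held-lock race described there; a comment above the two moved steps, such as `# Request the SSL cert before adding ipa-service-guard: re-registering the CA helper kills any running helper, which can leave the renewal lock held (ticket 6433)`, would pin the ordering. The moved steps appear to stay outside the `if self.ca_is_configured` block, so they presumably remain unconditional for the non-CA case, which is worth confirming against the indentation in the file. The enclosing method starts and ends outside the hunk.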
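Review bot: The comment `# Remove the cert renewal lock file` in uninstall() says what the block does but not why, and the why (a stale lock left behind by a killed certmonger helper blocks the next install) is what a maintainer needs in order not to drop it as harmless cleanup; suggest `# Remove the renewal lock: a stale one left by a killed certmonger helper blocks the next installation (ticket 6433)`. Tolerating only ENOENT and warning on any other OSError is the right shape for a cleanup step, and catching OSError rather than FileNotFoundError matches the Python 2 compatibility signalled by the `print_function` import in the earlier hunk. uninstall() continues outside the hunk.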