This is a follow-up to #4064. When testing CA renewal on a clone, I found out that it does not start the CA back after a certificate was renewed:
```
# getcert resubmit -i 20140106205541
Resubmitting "20140106205541" to "dogtag-ipa-retrieve-agent-submit".
# getcert list -i 20140106205541
Number of certificates and requests being tracked: 7.
Request ID '20140106205541':
	status: MONITORING
...
# systemctl status pki-tomcatd@pki-tomcat.service
pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
   Loaded: loaded (/lib/systemd/system/pki-tomcatd@.service; enabled)
   Active: inactive (dead) since Mon 2014-01-06 16:27:31 EST; 27s ago
  Process: 13802 ExecStop=/usr/bin/pkidaemon stop tomcat %i (code=exited, status=0/SUCCESS)
  Process: 13523 ExecStart=/usr/bin/pkidaemon start tomcat %i (code=exited, status=0/SUCCESS)
 Main PID: 13689 (code=exited, status=143)

Jan 06 16:25:57 vm-057.idm.lab.bos.redhat.com systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Jan 06 16:26:02 vm-057.idm.lab.bos.redhat.com systemd[1]: Started PKI Tomcat Server pki-tomcat.
Jan 06 16:27:30 vm-057.idm.lab.bos.redhat.com systemd[1]: Stopping PKI Tomcat Server pki-tomcat...
Jan 06 16:27:31 vm-057.idm.lab.bos.redhat.com systemd[1]: Stopped PKI Tomcat Server pki-tomcat.
```
I found out that the issue was in a broken restart script:
```
# /usr/lib64/ipa/certmonger/restart_pkicad "auditSigningCert cert-pki-ca"
Traceback (most recent call last):
  File "/usr/lib64/ipa/certmonger/restart_pkicad", line 42, in <module>
    if ipaservices.knownservices.pki_cad.is_running(dogtag_instance):
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 169, in __getattr__
    raise AttributeError('no magic attribute %r' % name)
AttributeError: no magic attribute 'pki_cad'
```
I only reproduced it on Dogtag10-based environments.
Reproducer:
On IPA server, resubmit some of the CA subsystem certificates, for example audit cert:
On IPA server, wait until the certificate is generated and status is back to MONITORING with:
On IPA replica we will try to force renewal of this certificate. Run:
On IPA replica, wait until the certificate is renewed and status is back to MONITORING with:
The new certificate should now be updated, see
PKI service should be running (was not before the patch)
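The failure above is easy to miss: certmonger reports the request back in MONITORING even though the Dogtag unit was left stopped. The following is an added example (not FreeIPA code and not the patch from this ticket) of a post-renewal health check that verifies both conditions: it polls `getcert list -i <request id>` for a `status: MONITORING` line and then parses the `Active:` line of `systemctl status` for the PKI unit. The unit name `pki-tomcatd@pki-tomcat.service` is taken from the output above; the command runner is injectable so the parsing logic can be exercised offline with constructed output.

```python
"""Post-renewal health check (added example, not FreeIPA's own code).

After a CA certificate renewal, two things should hold: certmonger shows
the request back in MONITORING, and the Dogtag service unit is active.
The `runner` callable is injectable so the logic can run offline.
"""
import re
import subprocess
import sys
import time

# Unit name taken from the systemctl output in the ticket; adjust if needed.
PKI_UNIT = "pki-tomcatd@pki-tomcat.service"


def run_cmd(argv):
    """Real runner: execute a command and return its stdout as text."""
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


def parse_getcert_status(output):
    """Extract the 'status:' field from `getcert list -i <id>` output."""
    match = re.search(r"^\s*status:\s*(\S+)", output, re.MULTILINE)
    return match.group(1) if match else None


def parse_unit_active(status_output):
    """Return True only if a `systemctl status` dump reports 'Active: active'."""
    match = re.search(r"^\s*Active:\s*(\S+)", status_output, re.MULTILINE)
    return bool(match) and match.group(1) == "active"


def wait_for_monitoring(request_id, runner=run_cmd, attempts=30,
                        delay=2.0, sleep=time.sleep):
    """Poll certmonger until the request is back in MONITORING; False on timeout."""
    for _ in range(attempts):
        status = parse_getcert_status(runner(["getcert", "list", "-i", request_id]))
        if status == "MONITORING":
            return True
        sleep(delay)
    return False


def check_renewal(request_id, unit=PKI_UNIT, runner=run_cmd, sleep=time.sleep):
    """Return (cert_ok, service_ok); a healthy renewal yields (True, True)."""
    cert_ok = wait_for_monitoring(request_id, runner=runner, sleep=sleep)
    service_ok = parse_unit_active(runner(["systemctl", "status", unit]))
    return cert_ok, service_ok


if __name__ == "__main__":
    # Usage: python check_renewal.py <certmonger request id>
    req = sys.argv[1] if len(sys.argv) > 1 else "20140106205541"
    cert_ok, service_ok = check_renewal(req)
    print("certificate back in MONITORING:", cert_ok)
    print("PKI unit active:", service_ok)
    sys.exit(0 if cert_ok and service_ok else 1)
```

Run it on the replica once the renewal has been triggered; the non-zero exit status when the unit is down is what turns the silent failure in this ticket into something a monitoring job can alert on.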
attachment freeipa-mkosek-444-pki-service-restart-after-ca-renewal-failed.patch
Patch freeipa-mkosek-444-pki-service-restart-after-ca-renewal-failed.patch sent for review
master: 911f5e9
ipa-3-3: edccf59
Accidental file permission change introduced by previous patch was fixed:
master: 554d43d
ipa-3-3: 2273ff1
Metadata Update from @mkosek: - Issue assigned to mkosek - Issue set to the milestone: FreeIPA 3.3.x - 2014/01 (bug fixing)