#7048 cert renewal: certmonger/restart_httpd fails on client
Opened 6 years ago by cheimes. Modified 5 years ago

The script /usr/libexec/ipa/certmonger/restart_httpd does not work on an IPA client system:

Jul 06 15:01:22 demo.ipa.example restart_httpd[5228]: Traceback (most recent call last):
                                                        File "/usr/libexec/ipa/certmonger/restart_httpd", line 44, in <module>
                                                          main()
                                                        File "/usr/libexec/ipa/certmonger/restart_httpd", line 39, in main
                                                          with certs.renewal_lock:
                                                        File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 680, in __enter__
                                                          self.acquire()
                                                        File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 686, in acquire
                                                          self._do(self._acquire, owner)
                                                        File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 721, in _do
                                                          with open(self._filename, 'a+') as f:
                                                      IOError: [Errno 2] No such file or directory: '/var/run/ipa/renewal.lock'

The directory /var/run/ipa does not exist on an IPA client system. On a server, the directory is created by a tmpfiles.d rule file. The rule file /etc/tmpfiles.d/ipa.conf is only installed by ipa-server-install.

Proposed solution:

  • Provide a /usr/lib/tmpfiles.d/ipa.conf in freeipa-client package that always creates /var/run/ipa.
  • Add a second tmpfiles.d rule file (ipa-server.conf?) that creates /var/run/ipa/ccache on demand

Metadata Update from @pvoborni:
- Issue set to the milestone: FreeIPA 4.5.3

6 years ago

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.5.4 (was: FreeIPA 4.5.3)

6 years ago

In what use case is it necessary to run /usr/libexec/ipa/certmonger/restart_httpd on a client?

AFAIK restart_httpd is configured as a Certmonger post_command only for certain IPA certificates, and only on an IPA server.

Metadata Update from @pvoborni:
- Issue set to the milestone: None (was: FreeIPA 4.5.4)

6 years ago

This command is provided by freeipa-server for use by IPA. There was no intention to make it usable otherwise.

That said, there is also no need for a renewal lock on clients so perhaps a test for existence of /var/run/ipa is sufficient. No locking in that case.

Yep, I'd agree on improving the script to test on the /var/run/ipa existence.

Metadata Update from @pvoborni:
- Issue set to the milestone: FreeIPA 4.7

6 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

5 years ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone

@cheimes this seems to call for using nullcontext() from python 3.7. What would you suggest?

I considered changing the renewal_lock import to import separately, rather than importing all of certs.

Then if we do a try/except with an ImportError on the except we can do renewal_lock = nullcontext() and change nothing else in the file.

The question is: where do we get nullcontext? Backport from 3.7 into this file? Do something even more complex where we add an additional try/except to use the one from 3.7 when that version is available and fall back to our local version?

Or I guess we could put it into some ipaclient file and do the import/fallback there.
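Added example (not FreeIPA's code, and not a copy of ipaserver.install.certs): it combines the two suggestions from the thread, testing for the lock directory and falling back to a no-op context manager, together with the try/except ImportError fallback for nullcontext on interpreters older than Python 3.7. RenewalLock, renewal_lock_for() and demo_both_cases() are hypothetical names, and the flock-based implementation of the lock is an assumption made for illustration.

```python
"""Illustrative renewal-lock fallback. Hypothetical code, not FreeIPA's own."""
import fcntl
import os
import tempfile

try:
    # Available from Python 3.7 onwards.
    from contextlib import nullcontext
except ImportError:
    class nullcontext(object):
        """Minimal local backport of contextlib.nullcontext for older Pythons."""

        def __init__(self, enter_result=None):
            self.enter_result = enter_result

        def __enter__(self):
            return self.enter_result

        def __exit__(self, *exc_info):
            return False


class RenewalLock(object):
    """Advisory file lock; assumed stand-in for `certs.renewal_lock`.

    Opening the file with 'a+' (as in the traceback) fails with ENOENT when
    the parent directory is missing, which is the failure seen on a client.
    """

    def __init__(self, filename):
        self._filename = filename
        self._fd = None

    def __enter__(self):
        self._fd = open(self._filename, 'a+')
        fcntl.flock(self._fd, fcntl.LOCK_EX)
        return self

    def __exit__(self, *exc_info):
        fcntl.flock(self._fd, fcntl.LOCK_UN)
        self._fd.close()
        self._fd = None
        return False


def renewal_lock_for(lock_dir='/var/run/ipa', lock_name='renewal.lock'):
    """Return a real lock when lock_dir exists (server), else a no-op (client)."""
    if os.path.isdir(lock_dir):
        return RenewalLock(os.path.join(lock_dir, lock_name))
    return nullcontext()


def restart_httpd_step(lock_dir='/var/run/ipa'):
    """Perform the (simulated) restart under whichever lock applies.

    Returns 'file-lock' or 'no-lock' so callers can verify what happened.
    """
    lock = renewal_lock_for(lock_dir)
    with lock:
        # The real script would restart httpd here; we only report the lock kind.
        return 'file-lock' if isinstance(lock, RenewalLock) else 'no-lock'


def demo_both_cases():
    """Run the server-like and client-like cases in a constructed temp directory.

    Returns (server_result, client_result, lock_file_created).
    """
    base = tempfile.mkdtemp(prefix='ipa-lock-demo-')
    server_dir = os.path.join(base, 'ipa')          # stands in for /var/run/ipa
    os.mkdir(server_dir)
    client_dir = os.path.join(base, 'missing-ipa')  # directory deliberately absent
    server_result = restart_httpd_step(server_dir)
    client_result = restart_httpd_step(client_dir)
    created = os.path.exists(os.path.join(server_dir, 'renewal.lock'))
    return server_result, client_result, created


if __name__ == '__main__':
    print(demo_both_cases())
```

On a real system the lock directory is the one the tmpfiles.d rule creates; the point of the factory is that the script no longer needs that directory to exist at all on a client, while a server keeps exactly the locking it had before.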
