#9285 ipa-certupdate restarts HTTPd too early
Closed: fixed a year ago by frenaud. Opened a year ago by cheimes.

Issue

The issue is similar to #9269. Apache is configured to use /etc/ipa/ca.crt to provide CA certs for client cert authentication. The ipa-certupdate script restarts Apache HTTPd before it updates /etc/ipa/ca.crt. Therefore Apache does not recognize any new CA cert until it is restarted a second time.

Version/Release/Distribution

ipa-server-4.10.0-6.el9.x86_64
ipa-client-4.10.0-6.el9.x86_64
389-ds-base-2.1.3-4.el9_1.x86_64
package pki-ca is not installed
krb5-server-1.19.1-22.el9.x86_64

Metadata Update from @cheimes:
- Assignee reset

a year ago

Fix: Move restart after update_client(certs).

Metadata Update from @cheimes:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/6573
- Issue assigned to cheimes

a year ago

master:

  • bb74832 ipa-certupdate: Update client certs before KDC/HTTPd restart

ipa-4-9:

  • f3052c1 ipa-certupdate: Update client certs before KDC/HTTPd restart

ipa-4-10:

  • 8e7d1ac ipa-certupdate: Update client certs before KDC/HTTPd restart

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago
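An added check, not part of this ticket or of FreeIPA: it compares the last write time of `/etc/ipa/ca.crt` with the start time of the service's main process, which exposes a server left in the state described above (restarted before the bundle was rewritten). The unit name `httpd` and all function names are assumptions; it needs systemd, procps `ps` and GNU `stat`.

```bash
#!/bin/sh
# Added example: detect a service still running with a CA bundle that was
# rewritten after the service started. Not FreeIPA code.

# Epoch second at which the unit's main process started, derived from
# systemd's MainPID and the process age reported by procps ps.
service_start_epoch() {
    local unit="$1" pid age
    pid=$(systemctl show "$unit" --property=MainPID --value) || return 1
    [ "${pid:-0}" -gt 0 ] || return 1          # MainPID=0: unit not running
    age=$(ps -o etimes= -p "$pid" | tr -d ' ')
    [ -n "$age" ] || return 1
    echo $(( $(date +%s) - age ))
}

# Exit 0 when the bundle was written at or after the given start time
# (same-second writes count as stale, the conservative choice), 1 when the
# process started after the last write, 2 when the bundle cannot be read.
ca_bundle_stale() {
    local bundle="$1" started="$2" mtime
    mtime=$(stat -c %Y "$bundle" 2>/dev/null) || return 2
    [ "$mtime" -ge "$started" ]
}

# Report for one unit; exit 1 means a restart is still outstanding.
check_unit() {
    local unit="$1" bundle="$2" started rc=0
    started=$(service_start_epoch "$unit") || { echo "$unit: not running" >&2; return 2; }
    ca_bundle_stale "$bundle" "$started" || rc=$?
    case $rc in
        0) echo "$unit: $bundle changed after start, restart needed"; return 1 ;;
        1) echo "$unit: started after last write of $bundle" ;;
        *) echo "$unit: cannot stat $bundle" >&2; return 2 ;;
    esac
}

# Usage: sh check.sh httpd [/etc/ipa/ca.crt]
[ "$#" -eq 0 ] || check_unit "$1" "${2:-/etc/ipa/ca.crt}"
```

The comparison is on modification time only, so a rewrite that leaves the bundle content unchanged is also reported as needing a restart.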
