install: request service certs after host keytab is set up #698

Closed
wants to merge 6 commits into from

Conversation

HonzaCholasta
Contributor

@HonzaCholasta HonzaCholasta commented Apr 7, 2017

dsinstance: reconnect ldap2 after DS is restarted by certmonger

DS is restarted by certmonger in the restart_dirsrv script after the DS
certificate is saved. This breaks the ldap2 backend and makes any operation
fail with NetworkError until it is reconnected.

Reconnect ldap2 after the DS certificate request is finished to fix the
issue. Make sure restart_dirsrv waits for the ldapi socket so that the
reconnect does not fail.

httpinstance: avoid httpd restart during certificate request

httpd is restarted by certmonger in the restart_httpd script after the
httpd certificate is saved if it was previously running. The restart will
fail because httpd is not properly configured at this point.

Stop httpd at the beginning of httpd install to avoid the restart.

dsinstance, httpinstance: consolidate certificate request code

A different code path is used for DS and httpd certificate requests in
replica promotion. This is rather unnecessary and makes the certificate
request code not easy to follow.

Consolidate the non-promotion and promotion code paths into one.

install: request service certs after host keytab is set up

The certmonger renew agent and restart scripts use host keytab for
authentication. When they are executed during a certmonger request before
the host keytab is set up, the authentication will fail.

Make sure all certmonger requests in the installer are done after the host
keytab is set up.

renew agent: revert to host keytab authentication

Fixes an issue where the renew agent uses GSSAPI for LDAP connection but
fails because it is not authenticated.

This reverts commit 7462ade.

renew agent, restart scripts: connect to LDAP after kinit

Connect to LDAP after kinit is done, otherwise GSSAPI authentication will
fail.

https://pagure.io/freeipa/issue/6757
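The two ordering constraints the description above relies on, written out as an added example (this is not FreeIPA's code and is not part of the PR): a restart script must not reconnect until DS actually accepts connections on its ldapi socket (a socket file that merely exists is not enough), and a GSSAPI LDAP bind can only succeed after kinit with the host keytab has populated the credential cache. The socket path convention `/var/run/slapd-<REALM>.socket` (dots in the realm replaced by dashes), the keytab location `/etc/krb5.keytab`, and the principal name are assumptions for illustration; the GSSAPI bind itself is passed in as a callable so the ordering can be exercised offline against a stand-in listener.

```python
"""Added example, not FreeIPA's code: the restart-script ordering from the
PR description. Paths, principal and realm->socket mapping are assumptions."""
import os
import socket
import subprocess
import tempfile
import time
from urllib.parse import quote

HOST_KEYTAB = "/etc/krb5.keytab"  # assumed host keytab location


def ldapi_socket_path(realm: str) -> str:
    """Assumed convention: one DS instance per realm, dots replaced by dashes."""
    return "/var/run/slapd-%s.socket" % realm.replace(".", "-")


def ldapi_uri(socket_path: str) -> str:
    """ldapi URIs carry the socket path percent-encoded in the host part."""
    return "ldapi://" + quote(socket_path, safe="")


def wait_for_ldapi_socket(socket_path: str, timeout: float = 30.0,
                          interval: float = 0.2) -> float:
    """Block until a connect() on the unix socket succeeds; return seconds waited.

    A stale socket file left behind by a crashed DS, or a path that is not a
    socket at all, is treated like a missing one: only a successful connect
    counts. Raises TimeoutError if nothing listens within `timeout`.
    """
    started = time.monotonic()
    deadline = started + timeout
    while True:
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            s.connect(socket_path)
            return time.monotonic() - started
        except OSError:  # ENOENT, ECONNREFUSED, ENOTSOCK: not ready yet
            pass
        finally:
            s.close()
        if time.monotonic() >= deadline:
            raise TimeoutError("no listener on %s after %.1fs" % (socket_path, timeout))
        time.sleep(interval)


def kinit_host_keytab(principal: str, ccache: str, keytab: str = HOST_KEYTAB) -> None:
    """Obtain a TGT for the host principal into a private credential cache.

    Runs the real `kinit -k -t` binary; a non-zero exit raises CalledProcessError,
    which must abort the script before any GSSAPI bind is attempted.
    """
    env = dict(os.environ, KRB5CCNAME=ccache)
    subprocess.run(["kinit", "-k", "-t", keytab, principal], env=env, check=True)


def reconnect_after_restart(socket_path: str, kinit, connect, timeout: float = 30.0):
    """The order a certmonger restart script must follow after DS restarts:
    1. wait until DS accepts connections on its ldapi socket,
    2. kinit with the host keytab,
    3. only then open the GSSAPI LDAP connection (e.g. a sasl_gssapi_bind_s).
    `kinit` and `connect` are callables; if either step 1 or 2 fails, step 3
    never runs, which is exactly the guarantee the PR restores.
    """
    wait_for_ldapi_socket(socket_path, timeout)
    kinit()
    return connect()


def new_temp_socket_path() -> str:
    """Fresh, short path for an offline stand-in socket (unix paths are length-limited)."""
    return os.path.join(tempfile.mkdtemp(), "slapd-EXAMPLE-COM.socket")


def start_fake_ds(socket_path: str) -> socket.socket:
    """Stand-in for a DS that has finished restarting: a listening unix socket."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(socket_path)
    srv.listen(5)
    return srv


if __name__ == "__main__":
    path = new_temp_socket_path()
    srv = start_fake_ds(path)
    calls = []
    conn = reconnect_after_restart(
        path,
        kinit=lambda: calls.append("kinit"),  # real script: kinit_host_keytab(...)
        connect=lambda: calls.append("connect") or "ldap-conn",
    )
    print(ldapi_uri(path), calls, conn)
    srv.close()
```

In a real restart script `kinit` would be `kinit_host_keytab("host/ipa.example.com@EXAMPLE.COM", "/tmp/krb5cc_restart")` and `connect` the GSSAPI bind against `ldapi_uri(ldapi_socket_path(realm))`; the offline stand-in only checks that nothing talks to LDAP before DS listens and before credentials exist.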

Jan Cholasta added 6 commits April 7, 2017 07:59
@martbab martbab self-assigned this Apr 7, 2017
@martbab martbab added the ack Pull Request approved, can be merged label Apr 7, 2017
@martbab
Contributor

martbab commented Apr 7, 2017

master:

  • b189be1 dsinstance: reconnect ldap2 after DS is restarted by certmonger
  • 8a85586 httpinstance: avoid httpd restart during certificate request
  • ec52332 dsinstance, httpinstance: consolidate certificate request code
  • 181cb94 install: request service certs after host keytab is set up
  • 3884a67 renew agent: revert to host keytab authentication
  • a6a89e2 renew agent, restart scripts: connect to LDAP after kinit

ipa-4-5:

  • 3a3cd01 dsinstance: reconnect ldap2 after DS is restarted by certmonger
  • 029da95 httpinstance: avoid httpd restart during certificate request
  • 3317e17 dsinstance, httpinstance: consolidate certificate request code
  • cb141b0 install: request service certs after host keytab is set up
  • 1a7db62 renew agent: revert to host keytab authentication
  • e9168e8 renew agent, restart scripts: connect to LDAP after kinit

@martbab martbab added the pushed Pull Request has already been pushed label Apr 7, 2017
@martbab martbab closed this Apr 7, 2017
2 participants