Restart certmnonger after registering system with IPA
If certmonger is not restarted when the server is registered with
IPA, then it may define the IPA CA as unreachable. This results
in CA certs not being stored when cert requests are made with a -F
option. Eventually, certmonger refreshes itself, but this can
take up to 8 hours.
We see this sometimes when doing brownfield deploys. The ca cert
fails to be created for some requests, resulting in containers
being unable to load.
We fix this by simply restarting certmonger after enrollment, and
avoiding the whole confused state.
Closes-Bug: 1850647
Change-Id: Id968a2d5170af1485417e41318e0187d79cd4aae
(cherry picked from commit bf0bc85ef4
)
This commit is contained in:
parent
5c365429f2
commit
5eb01c517f
@ -177,7 +177,18 @@ outputs:
|
|||||||
|
|
||||||
ipa-client-install $OPTS
|
ipa-client-install $OPTS
|
||||||
|
|
||||||
|
- name: determine if client is already enrolled
|
||||||
|
stat:
|
||||||
|
path: /etc/ipa/default.conf
|
||||||
|
register: ipa_default_conf
|
||||||
|
|
||||||
|
- block:
|
||||||
- name: run enrollment script
|
- name: run enrollment script
|
||||||
shell: /root/setup-ipa-client.sh >> /var/log/setup-ipa-client-ansible.log 2>&1
|
shell: /root/setup-ipa-client.sh >> /var/log/setup-ipa-client-ansible.log 2>&1
|
||||||
args:
|
|
||||||
creates: /etc/ipa/default.conf
|
- name: restart certmonger service
|
||||||
|
systemd:
|
||||||
|
state: restarted
|
||||||
|
daemon_reload: true
|
||||||
|
name: certmonger.service
|
||||||
|
when: ipa_default_conf.stat.exists == False
|
||||||
|
@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- Restart certmnonger after registering system with IPA. This
|
||||||
|
prevents cert requests not completely correctly when doing a
|
||||||
|
brownfield update.
|
Loading…
Reference in New Issue
Block a user