Restart certmonger after registering system with IPA
If certmonger is not restarted when the server is registered with IPA, then it may define the IPA CA as unreachable. This results in CA certs not being stored when cert requests are made with a -F option. Eventually, certmonger refreshes itself, but this can take up to 8 hours. We see this sometimes when doing brownfield deploys. The ca cert fails to be created for some requests, resulting in containers being unable to load. We fix this by simply restarting certmonger after enrollment, and avoiding the whole confused state.

Change-Id: Id968a2d5170af1485417e41318e0187d79cd4aae
This commit is contained in:
parent dfd264762f
commit bf0bc85ef4
@ -177,7 +177,18 @@ outputs:
ipa-client-install $OPTS
- name: run enrollment script
shell: /root/setup-ipa-client.sh >> /var/log/setup-ipa-client-ansible.log 2>&1
args:
creates: /etc/ipa/default.conf
- name: determine if client is already enrolled
stat:
path: /etc/ipa/default.conf
register: ipa_default_conf
- block:
- name: run enrollment script
shell: /root/setup-ipa-client.sh >> /var/log/setup-ipa-client-ansible.log 2>&1
- name: restart certmonger service
systemd:
state: restarted
daemon_reload: true
name: certmonger.service
when: ipa_default_conf.stat.exists == False
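Review bot: `when: ipa_default_conf.stat.exists == False` compares against a Python literal; the idiomatic (and ansible-lint clean) form is `when: not ipa_default_conf.stat.exists`, which has the same effect. Also worth noting that the enrollment shell task, now inside the block, has lost its `args: creates: /etc/ipa/default.conf` guard; the block's `when` covers the same case, but if `/root/setup-ipa-client.sh` fails partway after `/etc/ipa/default.conf` has been written, a rerun skips both the script and the certmonger restart, so the task that writes the log may be worth a `failed_when` or a cleanup of the half-written config on failure.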
@ -0,0 +1,5 @@
---
fixes:
- Restart certmnonger after registering system with IPA. This
prevents cert requests not completely correctly when doing a
brownfield update.
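Review bot: the release note carries the `certmnonger` typo from the commit title and the second sentence is ungrammatical ("prevents cert requests not completely correctly"); since this text ships to users, suggest: "Restart certmonger after registering the system with IPA. This prevents certificate requests from failing to complete correctly during a brownfield update."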