Bug 761188 - RFE: provide a command/signal for certmonger to send after renewing cert
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: certmonger
Version: 15
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 766167
Reported: 2011-12-07 20:35 UTC by Rob Crittenden
Modified: 2012-03-21 22:58 UTC

Fixed In Version: certmonger-0.56-1.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 766167 (view as bug list)
Environment:
Last Closed: 2012-03-21 22:58:26 UTC
Type: ---



Description Rob Crittenden 2011-12-07 20:35:33 UTC
Description of problem:

certmonger renews certificates just fine but in most, if not all, cases the server it renews a cert for will need to be restarted in order to see it.

It would be handy if one could provide a command (or signal) for certmonger to send after successfully renewing a cert.

For example, it could run: /sbin/service httpd reload

This might raise some existential security questions, particularly with SELinux.

Comment 1 Nalin Dahyabhai 2011-12-07 21:45:26 UTC
Emitting a signal is more common for services, and doesn't require any additional privileges to be granted in the SELinux policy.

Comment 2 Nalin Dahyabhai 2011-12-08 22:18:44 UTC
If we implement properties, and one of them reflects the contents of the certificate associated with a given request, then the client can wait for a signal that the contents of that property have changed to a non-empty value.

Comment 3 Nalin Dahyabhai 2012-03-21 22:58:26 UTC
Commands can be specified using the new -C flag when running getcert, and the service now emits a SavedCertificate signal on the request when the certificate is saved to the specified location.  Note that certmonger needs sufficient privileges granted to it in the SELinux policy to run the specified command.
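
The post-save command described in Comment 3 can be a small wrapper instead of a bare reload. The script below is an added example, not code from this bug or from certmonger; it assumes the certificate is stored as a PEM file, that `openssl` is installed, and the script name `cert-reload-hook` is hypothetical. It reloads the service only if the saved file parses as a certificate that stays valid for a minimum window.

```shell
#!/bin/sh
# Hypothetical post-save hook for certmonger's -C option (added example).
# Usage: cert-reload-hook CERT_FILE RELOAD_COMMAND [ARGS...]
# Assumption: the tracked certificate is saved as a PEM file at CERT_FILE.

# Minimum remaining validity, in seconds, required before reloading
# (constructed default; override through the environment).
MIN_VALID_SECONDS=${MIN_VALID_SECONDS:-3600}

reload_if_valid() {
    # Need the certificate path plus at least one word of reload command.
    if [ "$#" -lt 2 ]; then
        echo "usage: cert-reload-hook CERT_FILE RELOAD_COMMAND [ARGS...]" >&2
        return 2
    fi
    cert=$1
    shift

    # A missing or empty file means the save did not complete as expected.
    if [ ! -f "$cert" ] || [ ! -s "$cert" ]; then
        echo "refusing reload: $cert is missing or empty" >&2
        return 1
    fi

    # openssl exits non-zero when the file is not a parseable certificate
    # or when it expires within MIN_VALID_SECONDS.
    if ! openssl x509 -in "$cert" -noout \
            -checkend "$MIN_VALID_SECONDS" >/dev/null 2>&1; then
        echo "refusing reload: $cert is unparseable or expiring" >&2
        return 1
    fi

    # Run the reload command exactly as passed: no eval, no re-parsing,
    # so nothing derived from the certificate reaches a shell.
    "$@"
}

# Act only when invoked with arguments, as certmonger would run it.
if [ "$#" -gt 0 ]; then
    reload_if_valid "$@"
fi
```

It would be registered as the `-C` command string, for example `/usr/local/sbin/cert-reload-hook /path/to/cert.pem /sbin/service httpd reload` (both paths are placeholders). Under SELinux, the policy note in Comment 3 applies to the script and to everything it executes.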

