certmonger can renew a certificate for Apache and 389-ds but those services need to be restarted to see the updated certificate. There is currently no mechanism to do that.
Talk to NSS team about having it recognize that a certificate is updated to automatically reload/re-initialize them.
Should there be an command line parameter for the certmonger to record which service to restart when the cert is renewed?
ipa-getcert ... -restart=foo
And then when the cert is acquired restart the named service? If this is a feature of certmonger it should be reassigned to Nalin.
certmonger upstream BZ: https://bugzilla.redhat.com/show_bug.cgi?id=761188
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=782972
Moving to next month iteration.
Easy to test. Install IPA then resubmit the current server certs and watch the services restart:
# ipa-getcert list
Find the ID for either your dirsrv or httpd instance
# ipa-getcert resubmit -i <ID>
Watch /var/log/httpd/error_log or /var/log/dirsrv/slapd-INSTANCE/errors to see the service restart.
attachment freeipa-rcrit-998-certmonger.patch
master: 717bbcd
ipa-2-2: 24cc8d4
Metadata Update from @rcritten: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/04
Login to comment on this ticket.