Various little fixes for CRLS. Its is worth noting that if a CRL

expires before its is replaced in the apache bundle, apache starts to reject all requests (to the rpc server, not https).

Various little fixes for CRLS. Its is worth noting that if a CRL
expires before its is replaced in the apache bundle, apache starts to reject all requests (to the rpc server, not https).
26d9f4f2 · Leigh B. Stoller · 620d0c19 · 26d9f4f2 · 26d9f4f2
Commit 26d9f4f2 authored Jan 09, 2009 by Leigh B. Stoller
Hide whitespace changes
Inline Side-by-side

Showing with 21 additions and 5 deletions

protogeni/scripts/gencrlbundle.in protogeni/scripts/gencrlbundle.in +19 -4

protogeni/scripts/postcrl.in protogeni/scripts/postcrl.in +2 -1

No files found.
--- a/protogeni/scripts/gencrlbundle.in
+++ b/protogeni/scripts/gencrlbundle.in
 #!/usr/bin/perl -w
 #
 # EMULAB-COPYRIGHT
-# Copyright (c) 2008 University of Utah and the Flux Group.
+# Copyright (c) 2008-2009 University of Utah and the Flux Group.
 # All rights reserved.
 #
 use strict;
@@ -60,6 +60,9 @@ require GeniCertificate;
 require GeniComponent;
 require GeniRegistry;

+# For error log.
+my $errors = 0;
+
 #
 # Check args.
 #
@@ -78,11 +81,19 @@ system("$POSTCRL") >= 0
    or fatal("Could not post our own CRL");

 my $query_result =
-    DBQueryWarn("select cert from geni_crls order by uuid");
+    DBQueryWarn("select cert,uuid, ".
+		" UNIX_TIMESTAMP(expires) < UNIX_TIMESTAMP(now()) as expired ".
+		"from geni_crls ".
+		"order by uuid");

 open(BUNDLE, ">/tmp/crlbundle.$$")
    or fatal("Could not create new CRL bundle file");
-while (my ($cert) = $query_result->fetchrow_array()) {
+while (my ($cert,$uuid,$expired) = $query_result->fetchrow_array()) {
+    if ($expired) {
+	print STDERR "*** CRL for $uuid has expired. Skipping ...\n";
+	$errors++;
+	next;
+    }
    print BUNDLE $cert;
 }
 close(BUNDLE);
@@ -98,9 +109,13 @@ if ($?) {
    
    system("/bin/cp $BUNDLE $WWWBUNDLE") == 0
 	or fatal("Could not copy to $WWWBUNDLE!");
+
+    system("/usr/local/etc/rc.d/apache.sh restart") == 0
+	or fatal("Could not restart apache!");
 }
 # Apache spits out stuff. No errors at this point, nothing to report.
-AuditEnd();
+AuditEnd()
+    if (!$errors);
 exit(0);

 sub fatal($)

--- a/protogeni/scripts/postcrl.in
+++ b/protogeni/scripts/postcrl.in
 #!/usr/bin/perl -w
 #
 # EMULAB-COPYRIGHT
-# Copyright (c) 2008 University of Utah and the Flux Group.
+# Copyright (c) 2008-2009 University of Utah and the Flux Group.
 # All rights reserved.
 #
 use strict;
@@ -80,6 +80,7 @@ system("$GENCRL" . ($force ? " -f" : "")) >= 0
 if ($? >> 8 == 1 && !$force) {
    # No change in the CRL, so do not post it.
    print STDERR "No change in CRL. Not posting.\n";
+    AuditAbort();
    # exit value important; tells caller nothing happened.
    exit(1);
 }