From 6e0720dedc113bf82f3b38f2afb76976ed4e8c12 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Wed, 15 Nov 2017 11:59:32 +1100
Subject: [PATCH] Don't use admin cert during KRA installation

KRA installation currently imports the admin cert. FreeIPA does not track this cert and it may be expired, causing installation to fail. Do not import the existing admin cert, and discard the new admin cert that gets created during KRA installation.

Part of: https://pagure.io/freeipa/issue/7287

Reviewed-By: Florence Blanc-Renaud
Reviewed-By: Florence Blanc-Renaud
---
 ipaserver/install/krainstance.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index cdd25b9d05bcb1a30260475cc2341a258a3cf93c..990bb87ca2f0029d2450cbef47958399f534f2a6 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -152,6 +152,10 @@ class KRAInstance(DogtagInstance):
             prefix="tmp-", dir=paths.VAR_LIB_IPA)
         tmp_agent_pwd = ipautil.ipa_generate_password()
 
+        # Create a temporary file for the admin PKCS #12 file
+        (admin_p12_fd, admin_p12_file) = tempfile.mkstemp()
+        os.close(admin_p12_fd)
+
         # Create KRA configuration
         config = ConfigParser()
         config.optionxform = str
@@ -186,9 +190,8 @@ class KRAInstance(DogtagInstance):
         config.set("KRA", "pki_admin_nickname", "ipa-ca-agent")
         config.set("KRA", "pki_admin_subject_dn",
                    str(DN(('cn', 'ipa-ca-agent'), self.subject_base)))
-        config.set("KRA", "pki_import_admin_cert", "True")
-        config.set("KRA", "pki_admin_cert_file", paths.ADMIN_CERT_PATH)
-        config.set("KRA", "pki_client_admin_cert_p12", paths.DOGTAG_ADMIN_P12)
+        config.set("KRA", "pki_import_admin_cert", "False")
+        config.set("KRA", "pki_client_admin_cert_p12", admin_p12_file)
 
         # Directory server
         config.set("KRA", "pki_ds_ldap_port", "389")
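Review bot: The new `tempfile.mkstemp()` call creates the admin PKCS #12 in the default temporary directory, whereas the sibling temp file two lines above is deliberately placed with `dir=paths.VAR_LIB_IPA`; since pkispawn will write the freshly issued ipa-ca-agent certificate and its private key into this file, it deserves the same placement: `(admin_p12_fd, admin_p12_file) = tempfile.mkstemp(prefix="tmp-", dir=paths.VAR_LIB_IPA)`. mkstemp does hand back a 0600 file, but a shared, world-writable /tmp is still the wrong place for key material that is only unlinked at the very end of the install. The file is also created here, before the configuration is built, while its removal sits in a finally block further down (the enclosing method continues outside this hunk); if the try starts after the config.set calls, any exception raised in between leaves the empty temp file behind, so consider moving the mkstemp into the try or adding a matching cleanup on that path.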
@@ -291,6 +294,7 @@ class KRAInstance(DogtagInstance):
         finally:
             os.remove(p12_tmpfile_name)
             os.remove(cfg_file)
+            os.remove(admin_p12_file)
 
         shutil.move(paths.KRA_BACKUP_KEYS_P12, paths.KRACERT_P12)
         self.log.debug("completed creating KRA instance")
-- 
2.13.6
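Review bot: The added `os.remove(admin_p12_file)` only executes if the two `os.remove` calls ahead of it succeed; an OSError from either one leaves the PKCS #12 containing the discarded admin private key on disk, and of the three files that is the one whose survival matters. Unlinking it first, or guarding each removal with `contextlib.suppress(OSError)` if that module is already imported, would make the cleanup robust; at minimum swap it ahead of `os.remove(p12_tmpfile_name)`. The try block this finally belongs to begins outside the hunk. A short comment such as `# Discard the admin cert/key issued during KRA install; IPA does not track it (issue 7287)` would also tell a future reader why a file pkispawn just wrote is deleted without ever being consumed.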