From 6e0720dedc113bf82f3b38f2afb76976ed4e8c12 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Wed, 15 Nov 2017 11:59:32 +1100
Subject: [PATCH] Don't use admin cert during KRA installation
KRA installation currently imports the admin cert.  FreeIPA does not
track this cert and it may be expired, causing installation to fail.
Do not import the existing admin cert, and discard the new admin
cert that gets created during KRA installation.
Part of: https://pagure.io/freeipa/issue/7287
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
 ipaserver/install/krainstance.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index cdd25b9d05bcb1a30260475cc2341a258a3cf93c..990bb87ca2f0029d2450cbef47958399f534f2a6 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -152,6 +152,10 @@ class KRAInstance(DogtagInstance):
                 prefix="tmp-", dir=paths.VAR_LIB_IPA)
         tmp_agent_pwd = ipautil.ipa_generate_password()
 
+        # Create a temporary file for the admin PKCS #12 file
+        (admin_p12_fd, admin_p12_file) = tempfile.mkstemp()
+        os.close(admin_p12_fd)
+
         # Create KRA configuration
         config = ConfigParser()
         config.optionxform = str
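Review bot: The new `tempfile.mkstemp()` call takes no `dir=` argument, so the admin PKCS #12 file — which pkispawn will fill with the throwaway admin private key — is created in the process's default temp directory, whereas the sibling temporary created two lines above this hunk's start is placed with `dir=paths.VAR_LIB_IPA`. Keeping key material out of a shared /tmp and matching the existing convention is a one-line change: `(admin_p12_fd, admin_p12_file) = tempfile.mkstemp(prefix="tmp-", dir=paths.VAR_LIB_IPA)`. mkstemp already creates the file mode 0600, which protects the key only if pkispawn writes into the existing file rather than replacing it — I cannot confirm that from here, so a short comment stating the assumption would help. Note also that the file is created before the try whose finally later removes it, so an exception raised while the config is assembled would leave the empty file behind; this matches how the other temporaries are handled, so it is a pre-existing pattern rather than a regression. The enclosing method starts outside this hunk.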
@@ -186,9 +190,8 @@ class KRAInstance(DogtagInstance):
         config.set("KRA", "pki_admin_nickname", "ipa-ca-agent")
         config.set("KRA", "pki_admin_subject_dn",
                    str(DN(('cn', 'ipa-ca-agent'), self.subject_base)))
-        config.set("KRA", "pki_import_admin_cert", "True")
-        config.set("KRA", "pki_admin_cert_file", paths.ADMIN_CERT_PATH)
-        config.set("KRA", "pki_client_admin_cert_p12", paths.DOGTAG_ADMIN_P12)
+        config.set("KRA", "pki_import_admin_cert", "False")
+        config.set("KRA", "pki_client_admin_cert_p12", admin_p12_file)
 
         # Directory server
         config.set("KRA", "pki_ds_ldap_port", "389")
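Review bot: With `pki_import_admin_cert` now "False", pkispawn still issues a fresh admin certificate for the `ipa-ca-agent` nickname and `cn=ipa-ca-agent` subject set just above, and the change only redirects where its PKCS #12 is written; the commit message's "discard" therefore covers the private key, not the certificate. Unless pkispawn revokes it (I cannot tell from this hunk), that certificate stays valid in the CA and bound to the KRA admin user as a second live credential whose key has been deleted, which is harmless as long as the deletion holds but deserves an explicit note for the next maintainer. Suggested comment above the two new `config.set` lines: `# Do not import the (untracked, possibly expired) admin cert; pkispawn still issues a new one for cn=ipa-ca-agent, and only its P12 (holding the key) is discarded — the cert itself is not revoked here.` The enclosing method starts outside this hunk.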
@@ -291,6 +294,7 @@ class KRAInstance(DogtagInstance):
         finally:
             os.remove(p12_tmpfile_name)
             os.remove(cfg_file)
+            os.remove(admin_p12_file)
 
         shutil.move(paths.KRA_BACKUP_KEYS_P12, paths.KRACERT_P12)
         self.log.debug("completed creating KRA instance")
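Review bot: The added `os.remove(admin_p12_file)` is the last of three unconditional removes in the finally block, so if either earlier `os.remove` raises (for example because the pkispawn run failed before the first temporary was fully created) the admin PKCS #12 — the one file here that holds a private key — is the one left on disk. Removing the key-bearing file first, or iterating the three paths so one failure does not skip the rest, closes that gap: `for tmp in (admin_p12_file, p12_tmpfile_name, cfg_file):` / `    if os.path.exists(tmp):` / `        os.remove(tmp)`. The try this finally belongs to begins outside the hunk, and the enclosing method starts outside it as well.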
-- 
2.13.6