|
|
c58629 |
From 6e0720dedc113bf82f3b38f2afb76976ed4e8c12 Mon Sep 17 00:00:00 2001
|
|
|
c58629 |
From: Fraser Tweedale <ftweedal@redhat.com>
|
|
|
c58629 |
Date: Wed, 15 Nov 2017 11:59:32 +1100
|
|
|
c58629 |
Subject: [PATCH] Don't use admin cert during KRA installation
|
|
|
c58629 |
|
|
|
c58629 |
KRA installation currently imports the admin cert. FreeIPA does not
|
|
|
c58629 |
track this cert and it may be expired, causing installation to fail.
|
|
|
c58629 |
Do not import the existing admin cert, and discard the new admin
|
|
|
c58629 |
cert that gets created during KRA installation.
|
|
|
c58629 |
|
|
|
c58629 |
Part of: https://pagure.io/freeipa/issue/7287
|
|
|
c58629 |
|
|
|
c58629 |
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
|
c58629 |
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
|
c58629 |
---
|
|
|
c58629 |
ipaserver/install/krainstance.py | 10 +++++++---
|
|
|
c58629 |
1 file changed, 7 insertions(+), 3 deletions(-)
|
|
|
c58629 |
|
|
|
c58629 |
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
|
|
|
c58629 |
index cdd25b9d05bcb1a30260475cc2341a258a3cf93c..990bb87ca2f0029d2450cbef47958399f534f2a6 100644
|
|
|
c58629 |
--- a/ipaserver/install/krainstance.py
|
|
|
c58629 |
+++ b/ipaserver/install/krainstance.py
|
|
|
c58629 |
@@ -152,6 +152,10 @@ class KRAInstance(DogtagInstance):
|
|
|
c58629 |
prefix="tmp-", dir=paths.VAR_LIB_IPA)
|
|
|
c58629 |
tmp_agent_pwd = ipautil.ipa_generate_password()
|
|
|
c58629 |
|
|
|
c58629 |
+ # Create a temporary file for the admin PKCS #12 file
|
|
|
c58629 |
+ (admin_p12_fd, admin_p12_file) = tempfile.mkstemp()
|
|
|
c58629 |
+ os.close(admin_p12_fd)
|
|
|
c58629 |
+
|
|
|
c58629 |
# Create KRA configuration
|
|
|
c58629 |
config = ConfigParser()
|
|
|
c58629 |
config.optionxform = str
|
|
|
c58629 |
@@ -186,9 +190,8 @@ class KRAInstance(DogtagInstance):
|
|
|
c58629 |
config.set("KRA", "pki_admin_nickname", "ipa-ca-agent")
|
|
|
c58629 |
config.set("KRA", "pki_admin_subject_dn",
|
|
|
c58629 |
str(DN(('cn', 'ipa-ca-agent'), self.subject_base)))
|
|
|
c58629 |
- config.set("KRA", "pki_import_admin_cert", "True")
|
|
|
c58629 |
- config.set("KRA", "pki_admin_cert_file", paths.ADMIN_CERT_PATH)
|
|
|
c58629 |
- config.set("KRA", "pki_client_admin_cert_p12", paths.DOGTAG_ADMIN_P12)
|
|
|
c58629 |
+ config.set("KRA", "pki_import_admin_cert", "False")
|
|
|
c58629 |
+ config.set("KRA", "pki_client_admin_cert_p12", admin_p12_file)
|
|
|
c58629 |
|
|
|
c58629 |
# Directory server
|
|
|
c58629 |
config.set("KRA", "pki_ds_ldap_port", "389")
|
|
|
c58629 |
@@ -291,6 +294,7 @@ class KRAInstance(DogtagInstance):
|
|
|
c58629 |
finally:
|
|
|
c58629 |
os.remove(p12_tmpfile_name)
|
|
|
c58629 |
os.remove(cfg_file)
|
|
|
c58629 |
+ os.remove(admin_p12_file)
|
|
|
c58629 |
|
|
|
c58629 |
shutil.move(paths.KRA_BACKUP_KEYS_P12, paths.KRACERT_P12)
|
|
|
c58629 |
self.log.debug("completed creating KRA instance")
|
|
|
c58629 |
--
|
|
|
c58629 |
2.13.6
|
|
|
c58629 |
|