From 6e0720dedc113bf82f3b38f2afb76976ed4e8c12 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Wed, 15 Nov 2017 11:59:32 +1100
Subject: [PATCH] Don't use admin cert during KRA installation
KRA installation currently imports the admin cert.  FreeIPA does not
track this cert and it may be expired, causing installation to fail.
Do not import the existing admin cert, and discard the new admin
cert that gets created during KRA installation.
Part of: https://pagure.io/freeipa/issue/7287
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
 ipaserver/install/krainstance.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index cdd25b9d05bcb1a30260475cc2341a258a3cf93c..990bb87ca2f0029d2450cbef47958399f534f2a6 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -152,6 +152,10 @@ class KRAInstance(DogtagInstance):
                 prefix="tmp-", dir=paths.VAR_LIB_IPA)
         tmp_agent_pwd = ipautil.ipa_generate_password()
 
+        # Create a temporary file for the admin PKCS #12 file
+        (admin_p12_fd, admin_p12_file) = tempfile.mkstemp()
+        os.close(admin_p12_fd)
+
         # Create KRA configuration
         config = ConfigParser()
         config.optionxform = str
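Review bot: The admin PKCS #12 scratch file is created with a bare `tempfile.mkstemp()`, so it lands in the system temp directory, whereas the temp file whose arguments end two lines above is deliberately placed under IPA's own tree with `prefix="tmp-", dir=paths.VAR_LIB_IPA`. Since pkispawn will write the freshly generated admin key pair into this path before the `finally` block discards it, keeping it in the same location is both more consistent and keeps key material out of a world-writable directory: `(admin_p12_fd, admin_p12_file) = tempfile.mkstemp(prefix="tmp-", dir=paths.VAR_LIB_IPA)`. mkstemp's 0600 mode only protects the contents if pkispawn rewrites the existing file in place rather than replacing it, which cannot be confirmed from this hunk. The `try` whose `finally` removes the file appears to begin after this point (outside the hunk), so a failure while building the config would leave the still-empty file behind.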
@@ -186,9 +190,8 @@ class KRAInstance(DogtagInstance):
         config.set("KRA", "pki_admin_nickname", "ipa-ca-agent")
         config.set("KRA", "pki_admin_subject_dn",
                    str(DN(('cn', 'ipa-ca-agent'), self.subject_base)))
-        config.set("KRA", "pki_import_admin_cert", "True")
-        config.set("KRA", "pki_admin_cert_file", paths.ADMIN_CERT_PATH)
-        config.set("KRA", "pki_client_admin_cert_p12", paths.DOGTAG_ADMIN_P12)
+        config.set("KRA", "pki_import_admin_cert", "False")
+        config.set("KRA", "pki_client_admin_cert_p12", admin_p12_file)
 
         # Directory server
         config.set("KRA", "pki_ds_ldap_port", "389")
@@ -291,6 +294,7 @@ class KRAInstance(DogtagInstance):
         finally:
             os.remove(p12_tmpfile_name)
             os.remove(cfg_file)
+            os.remove(admin_p12_file)
 
         shutil.move(paths.KRA_BACKUP_KEYS_P12, paths.KRACERT_P12)
         self.log.debug("completed creating KRA instance")
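Review bot: The new `os.remove(admin_p12_file)` is the last statement of the `finally`, so if either preceding `os.remove` raises (for example because pkispawn failed before producing the agent PKCS #12), the admin PKCS #12 — which by then may hold a newly generated private key — is left on disk. Each removal should be independent of the others, e.g. `with contextlib.suppress(OSError): os.remove(admin_p12_file)` (with `contextlib` imported at file level), or at least placed first so the key material is cleaned up before the files whose removal can fail. The enclosing `try` begins outside this hunk, so whether `admin_p12_file` is always bound when the `finally` runs cannot be confirmed here.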
-- 
2.13.6