From d644d5533a7ccf61cc557f8fe8a5ee1d93bc19fd Mon Sep 17 00:00:00 2001

From: Jan Cholasta <jcholast@redhat.com>

Date: Wed, 16 Sep 2015 09:05:20 +0200

Subject: [PATCH] install: always export KRA agent PEM file

Export the file even when KRA is not installed locally so that vault commands

work on all IPA replicas.

https://fedorahosted.org/freeipa/ticket/5302

Reviewed-By: Martin Basti <mbasti@redhat.com>

---

 install/restart_scripts/renew_ra_cert | 3 +--

 ipaserver/install/cainstance.py       | 8 ++++++--

 ipaserver/install/krainstance.py      | 2 --

 ipaserver/install/server/upgrade.py   | 5 ++---

 4 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert

index 8a6bf3f7c1081db9710cf29e0f8e5f705d920b72..3a36f739ae53391e502356f7b6b4fd96a536c3a6 100644

--- a/install/restart_scripts/renew_ra_cert

+++ b/install/restart_scripts/renew_ra_cert

@@ -61,8 +61,7 @@ def _main():

             # Load it into dogtag

             cainstance.update_people_entry(dercert)

-        kra = krainstance.KRAInstance(api.env.realm)

-        if kra.is_installed():

+        if api.Command.kra_is_enabled()['result']:

             krainstance.export_kra_agent_pem()

     finally:

         shutil.rmtree(tmpdir)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py

index a4504a35a42b8c8ea2a96738c82c546ebebf569f..dfe023c08c9b8d1b28f1659b7c5a6395f3afe879 100644

--- a/ipaserver/install/cainstance.py

+++ b/ipaserver/install/cainstance.py

@@ -62,8 +62,8 @@ from ipaserver.install import certs

 from ipaserver.install import dsinstance

 from ipaserver.install import installutils

 from ipaserver.install import service

-from ipaserver.install.dogtaginstance import DogtagInstance

-from ipaserver.install.dogtaginstance import PKI_USER, DEFAULT_DSPORT

+from ipaserver.install.dogtaginstance import (

+    DEFAULT_DSPORT, PKI_USER, export_kra_agent_pem, DogtagInstance)

 from ipaserver.plugins import ldap2

@@ -885,6 +885,8 @@ class CAInstance(DogtagInstance):

         finally:

             os.remove(agent_name)

+        export_kra_agent_pem()

+

     def import_ra_cert(self, rafile):

         """

         Cloned RAs will use the same RA agent cert as the master so we

@@ -903,6 +905,8 @@ class CAInstance(DogtagInstance):

         self.configure_agent_renewal()

+        export_kra_agent_pem()

+

     def __create_ca_agent(self):

         """

         Create CA agent, assign a certificate, and add the user to

diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py

index 0000192745b6d7f9f402267e435f7223f1bf8849..69fe636732e6d3a8c1e0c460b641f061e519df92 100644

--- a/ipaserver/install/krainstance.py

+++ b/ipaserver/install/krainstance.py

@@ -262,8 +262,6 @@ class KRAInstance(DogtagInstance):

         shutil.move(paths.KRA_BACKUP_KEYS_P12, paths.KRACERT_P12)

-        export_kra_agent_pem()

-

         self.log.debug("completed creating KRA instance")

     def __create_kra_agent(self):

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py

index ab08c62352c0e5cf145f299e7727886b2f295037..51a2dd3d0e3693c12f11579a84175c7719651da9 100644

--- a/ipaserver/install/server/upgrade.py

+++ b/ipaserver/install/server/upgrade.py

@@ -1252,9 +1252,8 @@ def export_kra_agent_pem():

         root_logger.info("KRA agent PEM file already exported")

         return

-    kra = krainstance.KRAInstance(api.env.realm)

-    if not kra.is_installed():

-        root_logger.info("KRA is not installed")

+    if not api.Command.kra_is_enabled()['result']:

+        root_logger.info("KRA is not enabled")

         return

     krainstance.export_kra_agent_pem()

-- 

2.4.3