URL: https://github.com/freeipa/freeipa/pull/1389
Author: tiran
Title: #1389: [Backport][ipa-4-5] Don't use admin cert during KRA installation
Action: opened

PR body:
This PR was opened automatically because PR #1343 was pushed to master and 
backport to ipa-4-5 is required.

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1389/head:pr1389
git checkout pr1389
From f42a976ddc5f6f4a125679c0a1e8b0f045a8311a Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Wed, 15 Nov 2017 11:59:32 +1100
Subject: [PATCH] Don't use admin cert during KRA installation

KRA installation currently imports the admin cert.  FreeIPA does not
track this cert and it may be expired, causing installation to fail.
Do not import the existing admin cert, and discard the new admin
cert that gets created during KRA installation.

Part of: https://pagure.io/freeipa/issue/7287

Reviewed-By: Florence Blanc-Renaud <fren...@redhat.com>
 ipaserver/install/krainstance.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index cdd25b9d05..990bb87ca2 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -152,6 +152,10 @@ def __spawn_instance(self):
                 prefix="tmp-", dir=paths.VAR_LIB_IPA)
         tmp_agent_pwd = ipautil.ipa_generate_password()
+        # Create a temporary file for the admin PKCS #12 file
+        (admin_p12_fd, admin_p12_file) = tempfile.mkstemp()
+        os.close(admin_p12_fd)
         # Create KRA configuration
         config = ConfigParser()
         config.optionxform = str
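Review bot: the added `tempfile.mkstemp()` call uses the default temporary directory, whereas the other temporary file created a few lines above in this hunk's context is placed with `prefix="tmp-", dir=paths.VAR_LIB_IPA`; unless the default location is intended, pass the same arguments so the admin PKCS #12 file lands in the IPA-owned directory, e.g. `(admin_p12_fd, admin_p12_file) = tempfile.mkstemp(prefix="tmp-", dir=paths.VAR_LIB_IPA)`. Closing the descriptor immediately is fine because `mkstemp` already creates the file with owner-only permissions and only the path is handed on, but a short comment saying the file is a throwaway destination for the admin cert the KRA installer generates would make the intent clearer than "Create a temporary file for the admin PKCS #12 file".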
@@ -186,9 +190,8 @@ def __spawn_instance(self):
         config.set("KRA", "pki_admin_nickname", "ipa-ca-agent")
         config.set("KRA", "pki_admin_subject_dn",
                    str(DN(('cn', 'ipa-ca-agent'), self.subject_base)))
-        config.set("KRA", "pki_import_admin_cert", "True")
-        config.set("KRA", "pki_admin_cert_file", paths.ADMIN_CERT_PATH)
-        config.set("KRA", "pki_client_admin_cert_p12", paths.DOGTAG_ADMIN_P12)
+        config.set("KRA", "pki_import_admin_cert", "False")
+        config.set("KRA", "pki_client_admin_cert_p12", admin_p12_file)
         # Directory server
         config.set("KRA", "pki_ds_ldap_port", "389")
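Review bot: with `pki_import_admin_cert` set to "False" and `pki_client_admin_cert_p12` pointing at the temporary file, a fresh admin certificate for `ipa-ca-agent` (see the `pki_admin_nickname` and `pki_admin_subject_dn` lines just above) is still issued during installation and only its PKCS #12 export is discarded; the freshly issued certificate itself remains valid after the file is removed. Add a comment on these lines stating why the existing admin cert is no longer imported (it is untracked by FreeIPA and may be expired, per the commit message) and that discarding the P12 is intentional, so the next reader does not assume the certificate was never created or that the old `pki_admin_cert_file` setting was dropped by accident.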
@@ -291,6 +294,7 @@ def __spawn_instance(self):
+            os.remove(admin_p12_file)
         shutil.move(paths.KRA_BACKUP_KEYS_P12, paths.KRACERT_P12)
         self.log.debug("completed creating KRA instance")
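Review bot: the added `os.remove(admin_p12_file)` is indented one level deeper than the following `shutil.move`, so it sits inside a block whose condition is not visible in this hunk; make sure the temporary file is also removed when instance creation fails partway (for example from a `finally:` clause), otherwise a PKCS #12 file holding the new admin key is left behind on failed installs. Consider also tolerating a missing file at this point, since `os.remove` raises if the installer never wrote it.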
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org