https://fedorahosted.org/freeipa/ticket/5512

patch attached.
From 75b69aee3e3911cdf66c0d6dd40c49fd0da61492 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Thu, 10 Dec 2015 13:46:07 +0100
Subject: [PATCH] Install RA cert during replica promotion

This cert is needed with KRA to be able to store and retrieve secrets.

https://fedorahosted.org/freeipa/ticket/5512
---
 ipaserver/install/cainstance.py            | 4 ----
 ipaserver/install/server/replicainstall.py | 8 ++++++++
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 56ec3fe74e8d4adfe17f46a62f705021f6a81f75..99582b5e0d33afc1c97a8e5067a3a10498651869 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1335,12 +1335,8 @@ class CAInstance(DogtagInstance):
         self.step("setting audit signing renewal to 2 years",
                   self.set_audit_renewal)
 
-        self.step("configure certmonger for renewals",
-                  self.configure_certmonger_renewal)
         self.step("configure certificate renewals",
                   self.configure_renewal)
-        self.step("configure RA certificate renewal",
-                  self.configure_agent_renewal)
         self.step("configure Server-Cert certificate renewal",
                   self.track_servercert)
         self.step("Configure HTTP to proxy connections",
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 4f239aacd50ab8692830a6f4505c66ba9b1518b2..bd2de16fc4a0ff5a050eebd942682e13de0b1583 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1282,6 +1282,14 @@ def promote(installer):
                                                  installer._ca_enabled)
     custodia.create_replica(config.master_host_name)
 
+    if installer._ca_enabled:
+        CA = cainstance.CAInstance(config.realm_name, certs.NSS_DIR)
+
+        CA.configure_certmonger_renewal()
+        CA.configure_agent_renewal()
+        cainstance.export_kra_agent_pem()
+        CA.fix_ra_perms()
+
     krb = install_krb(config,
                       setup_pkinit=not options.no_pkinit,
                       promote=True)
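Review bot: `configure_certmonger_renewal` and `configure_agent_renewal` are removed from the CAInstance step list in cainstance.py and re-added only here, inside promote() under `if installer._ca_enabled:`. The CAInstance method that lost them starts outside the diff, so if any other install path calls it, the RA certificate there would no longer be tracked for renewal and would expire unnoticed; that is worth confirming. `cainstance.export_kra_agent_pem()` presumably writes the RA agent certificate and key to a file before `CA.fix_ra_perms()` runs, and neither body is visible, so check that the file is created with a restrictive mode rather than tightened afterwards. The four calls also run without the step logging they had before, and a comment such as `# RA agent cert: track renewal, export PEM for KRA, then fix permissions` would record why the order matters. The local name would read better as `ca` than `CA`; promote() continues past the end of the hunk.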
-- 
2.5.0
