URL: https://github.com/freeipa/freeipa/pull/1389 Author: tiran Title: #1389: [Backport][ipa-4-5] Don't use admin cert during KRA installation Action: opened
PR body: """ This PR was opened automatically because PR #1343 was pushed to master and backport to ipa-4-5 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1389/head:pr1389 git checkout pr1389
From f42a976ddc5f6f4a125679c0a1e8b0f045a8311a Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Wed, 15 Nov 2017 11:59:32 +1100
Subject: [PATCH] Don't use admin cert during KRA installation

KRA installation currently imports the admin cert. FreeIPA does not track this cert and it may be expired, causing installation to fail.

Do not import the existing admin cert, and discard the new admin cert that gets created during KRA installation.

Part of: https://pagure.io/freeipa/issue/7287

Reviewed-By: Florence Blanc-Renaud <fren...@redhat.com>
---
 ipaserver/install/krainstance.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index cdd25b9d05..990bb87ca2 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -152,6 +152,10 @@ def __spawn_instance(self):
 prefix="tmp-", dir=paths.VAR_LIB_IPA)
 tmp_agent_pwd = ipautil.ipa_generate_password()
 
+ # Create a temporary file for the admin PKCS #12 file
+ (admin_p12_fd, admin_p12_file) = tempfile.mkstemp()
+ os.close(admin_p12_fd)
+
 # Create KRA configuration
 config = ConfigParser()
 config.optionxform = str
@@ -186,9 +190,8 @@ def __spawn_instance(self):
 config.set("KRA", "pki_admin_nickname", "ipa-ca-agent")
 config.set("KRA", "pki_admin_subject_dn",
 str(DN(('cn', 'ipa-ca-agent'), self.subject_base)))
- config.set("KRA", "pki_import_admin_cert", "True")
- config.set("KRA", "pki_admin_cert_file", paths.ADMIN_CERT_PATH)
- config.set("KRA", "pki_client_admin_cert_p12", paths.DOGTAG_ADMIN_P12)
+ config.set("KRA", "pki_import_admin_cert", "False")
+ config.set("KRA", "pki_client_admin_cert_p12", admin_p12_file)
 
 # Directory server
 config.set("KRA", "pki_ds_ldap_port", "389")
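Review bot: The admin PKCS #12 file in the first hunk is created with a bare `tempfile.mkstemp()`, so it lands in the process's default temporary directory, whereas the agent database a few lines above is deliberately placed under `paths.VAR_LIB_IPA`; since pkispawn writes the freshly generated admin key into this file, create it the same way, `(admin_p12_fd, admin_p12_file) = tempfile.mkstemp(prefix="tmp-", dir=paths.VAR_LIB_IPA)`, so the key material never sits in a shared temp directory. mkstemp does open the file 0600, and the `finally` in the third hunk removes it, but that cleanup only covers the `try` it belongs to: if that `try:` begins after the configuration is assembled (not visible here), an exception raised while building the config leaves the file behind, the same exposure `cfg_file` already has. `__spawn_instance` starts before this hunk and continues past it.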
@@ -291,6 +294,7 @@ def __spawn_instance(self):
 finally:
 os.remove(p12_tmpfile_name)
 os.remove(cfg_file)
+ os.remove(admin_p12_file)
 
 shutil.move(paths.KRA_BACKUP_KEYS_P12, paths.KRACERT_P12)
 self.log.debug("completed creating KRA instance")