Don't use admin cert during KRA installation
KRA installation currently imports the admin cert. FreeIPA does not track this cert and it may be expired, causing installation to fail. Do not import the existing admin cert, and discard the new admin cert that gets created during KRA installation. Part of: https://pagure.io/freeipa/issue/7287 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
parent
0e9ce73a52
commit
6a8c84718d
@ -153,6 +153,10 @@ class KRAInstance(DogtagInstance):
|
||||
prefix="tmp-", dir=paths.VAR_LIB_IPA)
|
||||
tmp_agent_pwd = ipautil.ipa_generate_password()
|
||||
|
||||
# Create a temporary file for the admin PKCS #12 file
|
||||
(admin_p12_fd, admin_p12_file) = tempfile.mkstemp()
|
||||
os.close(admin_p12_fd)
|
||||
|
||||
# Create KRA configuration
|
||||
config = RawConfigParser()
|
||||
config.optionxform = str
|
||||
@ -187,9 +191,8 @@ class KRAInstance(DogtagInstance):
|
||||
config.set("KRA", "pki_admin_nickname", "ipa-ca-agent")
|
||||
config.set("KRA", "pki_admin_subject_dn",
|
||||
str(DN(('cn', 'ipa-ca-agent'), self.subject_base)))
|
||||
config.set("KRA", "pki_import_admin_cert", "True")
|
||||
config.set("KRA", "pki_admin_cert_file", paths.ADMIN_CERT_PATH)
|
||||
config.set("KRA", "pki_client_admin_cert_p12", paths.DOGTAG_ADMIN_P12)
|
||||
config.set("KRA", "pki_import_admin_cert", "False")
|
||||
config.set("KRA", "pki_client_admin_cert_p12", admin_p12_file)
|
||||
|
||||
# Directory server
|
||||
config.set("KRA", "pki_ds_ldap_port", "389")
|
||||
@ -294,6 +297,7 @@ class KRAInstance(DogtagInstance):
|
||||
finally:
|
||||
os.remove(p12_tmpfile_name)
|
||||
os.remove(cfg_file)
|
||||
os.remove(admin_p12_file)
|
||||
|
||||
shutil.move(paths.KRA_BACKUP_KEYS_P12, paths.KRACERT_P12)
|
||||
logger.debug("completed creating KRA instance")
|
||||
|
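Review bot: The new `tempfile.mkstemp()` call in the first hunk passes no `dir`, so the admin PKCS #12 (which normally carries the new admin certificate's private key) is written under the system temp directory, while the call ending just above it passes `prefix="tmp-", dir=paths.VAR_LIB_IPA`. Keeping the key material in the IPA-owned directory would be consistent with that neighbour: `(admin_p12_fd, admin_p12_file) = tempfile.mkstemp(prefix="tmp-", dir=paths.VAR_LIB_IPA)`. In the third hunk `os.remove(admin_p12_file)` is the last call in the `finally:` block, so if either earlier `os.remove` raises, the key file stays on disk; removing it first, or guarding each removal separately, avoids that. The `try` that this `finally` closes starts outside the hunk, so whether a failure between `mkstemp` and the `try` would also leave the file behind cannot be confirmed from here.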