Only generate kracert.p12 when not installing with HSM

The private keys are not retrievable from an HSM by design so don't try during KRA install. Fixes: https://pagure.io/freeipa/issue/9273 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2025-02-25 18:55:28 -06:00 · 2022-10-17 17:20:51 -04:00 · 2022-10-17 17:20:51 -04:00 · 73d52a6135
commit 73d52a6135
parent 34f28f06db
2 changed files with 22 additions and 14 deletions
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@ -74,16 +74,19 @@ def install(api, replica_config, options, custodia):
    else:
        if not replica_config.setup_kra:
            return
-        krafile = os.path.join(replica_config.dir, 'kracert.p12')
-        with ipautil.private_ccache():
-            ccache = os.environ['KRB5CCNAME']
-            kinit_keytab(
-                'host/{env.host}@{env.realm}'.format(env=api.env),
-                paths.KRB5_KEYTAB,
-                ccache)
-            custodia.get_kra_keys(
-                krafile,
-                replica_config.dirman_password)
+        if cainstance.hsm_enabled():
+            krafile = os.path.join(replica_config.dir, 'kracert.p12')
+            with ipautil.private_ccache():
+                ccache = os.environ['KRB5CCNAME']
+                kinit_keytab(
+                    'host/{env.host}@{env.realm}'.format(env=api.env),
+                    paths.KRB5_KEYTAB,
+                    ccache)
+                custodia.get_kra_keys(
+                    krafile,
+                    replica_config.dirman_password)
+        else:
+            krafile = None

        realm_name = replica_config.realm_name
        dm_password = replica_config.dirman_password
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@ -181,12 +181,16 @@ class KRAInstance(DogtagInstance):
        else:
            pki_pin = None

-        _p12_tmpfile_handle, p12_tmpfile_name = tempfile.mkstemp(dir=paths.TMP)
+        p12_tmpfile_name = None

        if self.clone:
            krafile = self.pkcs12_info[0]
-            shutil.copy(krafile, p12_tmpfile_name)
-            self.service_user.chown(p12_tmpfile_name)
+            if krafile:
+                _p12_tmpfile_handle, p12_tmpfile_name = tempfile.mkstemp(
+                    dir=paths.TMP
+                )
+                shutil.copy(krafile, p12_tmpfile_name)
+                self.service_user.chown(p12_tmpfile_name)

            self._configure_clone(
                cfg,
@ -225,7 +229,8 @@ class KRAInstance(DogtagInstance):
                nolog_list=nolog_list
            )
        finally:
-            os.remove(p12_tmpfile_name)
+            if p12_tmpfile_name:
+                os.remove(p12_tmpfile_name)
            os.remove(cfg_file)
            os.remove(admin_p12_file)