Don't generate a cafile on HSM instalations

We don't export the CA certificates on an HSM installation
because an HSM won't allow the private keys to leave the
HSM, by design.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This commit is contained in:
Rob Crittenden 2022-09-13 16:01:17 -04:00
parent cba3094c9a
commit e6078c639c
3 changed files with 17 additions and 8 deletions

View File

@ -386,11 +386,13 @@ def install_step_0(standalone, replica_config, options, custodia):
ra_only = False ra_only = False
promote = False promote = False
else: else:
if not cainstance.hsm_enabled():
cafile = os.path.join(replica_config.dir, 'cacert.p12') cafile = os.path.join(replica_config.dir, 'cacert.p12')
if replica_config.setup_ca:
custodia.get_ca_keys( custodia.get_ca_keys(
cafile, cafile,
replica_config.dirman_password) replica_config.dirman_password)
else:
cafile = None
ca_signing_algorithm = None ca_signing_algorithm = None
ca_type = None ca_type = None

View File

@ -567,9 +567,13 @@ class CAInstance(DogtagInstance):
# if paths.TMP_CA_P12 exists and is not owned by root, # if paths.TMP_CA_P12 exists and is not owned by root,
# shutil.copy will fail if when fs.protected_regular=1 # shutil.copy will fail if when fs.protected_regular=1
# so remove the file first # so remove the file first
if os.path.exists(paths.TMP_CA_P12):
ipautil.remove_file(paths.TMP_CA_P12) ipautil.remove_file(paths.TMP_CA_P12)
shutil.copy(cafile, paths.TMP_CA_P12) shutil.copy(cafile, paths.TMP_CA_P12)
self.service_user.chown(paths.TMP_CA_P12) self.service_user.chown(paths.TMP_CA_P12)
clone_pkcs12_path = paths.TMP_CA_P12
else:
clone_pkcs12_path = None
if self.random_serial_numbers: if self.random_serial_numbers:
cfg.update( cfg.update(
@ -587,7 +591,7 @@ class CAInstance(DogtagInstance):
self._configure_clone( self._configure_clone(
cfg, cfg,
security_domain_hostname=self.master_host, security_domain_hostname=self.master_host,
clone_pkcs12_path=paths.TMP_CA_P12, clone_pkcs12_path=clone_pkcs12_path,
) )
# External CA # External CA

View File

@ -907,8 +907,6 @@ class DogtagInstance(service.Service):
pki_security_domain_password=self.admin_password, pki_security_domain_password=self.admin_password,
# Clone # Clone
pki_clone=True, pki_clone=True,
pki_clone_pkcs12_path=clone_pkcs12_path,
pki_clone_pkcs12_password=self.dm_password,
pki_clone_replication_security="TLS", pki_clone_replication_security="TLS",
pki_clone_replication_master_port=self.master_replication_port, pki_clone_replication_master_port=self.master_replication_port,
pki_clone_replication_clone_port=389, pki_clone_replication_clone_port=389,
@ -916,6 +914,11 @@ class DogtagInstance(service.Service):
pki_clone_uri="https://%s" % ipautil.format_netloc( pki_clone_uri="https://%s" % ipautil.format_netloc(
self.master_host, 443), self.master_host, 443),
) )
if clone_pkcs12_path:
subsystem_config.update(
pki_clone_pkcs12_path=clone_pkcs12_path,
pki_clone_pkcs12_password=self.dm_password,
)
def _create_spawn_config(self, subsystem_config): def _create_spawn_config(self, subsystem_config):
loader = PKIIniLoader( loader = PKIIniLoader(