Don't generate a cafile on HSM instalations
We don't export the CA certificate and private key (cacert.p12) on an HSM installation because an HSM won't allow the private keys to leave the HSM, by design. Fixes: https://pagure.io/freeipa/issue/9273 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This commit is contained in:
parent
cba3094c9a
commit
e6078c639c
@ -386,11 +386,13 @@ def install_step_0(standalone, replica_config, options, custodia):
|
|||||||
ra_only = False
|
ra_only = False
|
||||||
promote = False
|
promote = False
|
||||||
else:
|
else:
|
||||||
|
if not cainstance.hsm_enabled():
|
||||||
cafile = os.path.join(replica_config.dir, 'cacert.p12')
|
cafile = os.path.join(replica_config.dir, 'cacert.p12')
|
||||||
if replica_config.setup_ca:
|
|
||||||
custodia.get_ca_keys(
|
custodia.get_ca_keys(
|
||||||
cafile,
|
cafile,
|
||||||
replica_config.dirman_password)
|
replica_config.dirman_password)
|
||||||
|
else:
|
||||||
|
cafile = None
|
||||||
|
|
||||||
ca_signing_algorithm = None
|
ca_signing_algorithm = None
|
||||||
ca_type = None
|
ca_type = None
|
||||||
|
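Review bot: If I read the rendering right, the `if replica_config.setup_ca:` guard that used to sit around `custodia.get_ca_keys` is gone, so on a non-HSM replica the CA private key is now fetched into `cacert.p12` under `replica_config.dir` whenever this branch runs rather than only when a CA is being set up; please confirm every caller of `install_step_0` is already gated on `setup_ca`, otherwise key material lands on a host that will not use it. The new `else: cafile = None` branch deserves a why-comment, since `cafile` is consumed further down and a reader will wonder why it is allowed to be missing, e.g. `# HSM-backed CA: the private keys cannot leave the token, so there is no PKCS#12 to pull from the master; the clone is configured against the HSM instead.` `install_step_0` continues past the end of this hunk, so I could not check how the `None` value is handled by the later steps.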
@ -567,9 +567,13 @@ class CAInstance(DogtagInstance):
|
|||||||
# if paths.TMP_CA_P12 exists and is not owned by root,
|
# if paths.TMP_CA_P12 exists and is not owned by root,
|
||||||
# shutil.copy will fail if when fs.protected_regular=1
|
# shutil.copy will fail if when fs.protected_regular=1
|
||||||
# so remove the file first
|
# so remove the file first
|
||||||
|
if os.path.exists(paths.TMP_CA_P12):
|
||||||
ipautil.remove_file(paths.TMP_CA_P12)
|
ipautil.remove_file(paths.TMP_CA_P12)
|
||||||
shutil.copy(cafile, paths.TMP_CA_P12)
|
shutil.copy(cafile, paths.TMP_CA_P12)
|
||||||
self.service_user.chown(paths.TMP_CA_P12)
|
self.service_user.chown(paths.TMP_CA_P12)
|
||||||
|
clone_pkcs12_path = paths.TMP_CA_P12
|
||||||
|
else:
|
||||||
|
clone_pkcs12_path = None
|
||||||
|
|
||||||
if self.random_serial_numbers:
|
if self.random_serial_numbers:
|
||||||
cfg.update(
|
cfg.update(
|
||||||
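Review bot: The reworked branch still does remove-then-`shutil.copy` into the fixed `paths.TMP_CA_P12`; the comment about `fs.protected_regular` implies that path lives in a sticky world-writable directory, and between `ipautil.remove_file` and the copy another local user can create that name, which `shutil.copy` then opens without O_EXCL, so on a host with `protected_regular=0` root would write the CA's PKCS#12 (private key inside) into a file owned by someone else. This is pre-existing rather than introduced here, but since the hunk now threads the path through `clone_pkcs12_path` it is a cheap moment to switch to a freshly created 0600 file from `tempfile.mkstemp` (or a root-owned private directory) and pass that path on, provided nothing outside this hunk still expects the fixed name for cleanup. The added `os.path.exists` check is also a check-then-act; if `ipautil.remove_file` already tolerates a missing file, as its use elsewhere suggests, the guard can be dropped. The `if` that this `else:` belongs to starts above the hunk, so I could not see the condition being tested.
```python
# … unchanged: cfg setup above …
fd, clone_pkcs12_path = tempfile.mkstemp(prefix='ca-', suffix='.p12')  # 0600, O_EXCL
with os.fdopen(fd, 'wb') as dst, open(cafile, 'rb') as src:
    shutil.copyfileobj(src, dst)
self.service_user.chown(clone_pkcs12_path)
# … unchanged: else branch setting clone_pkcs12_path = None …
```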
@ -587,7 +591,7 @@ class CAInstance(DogtagInstance):
|
|||||||
self._configure_clone(
|
self._configure_clone(
|
||||||
cfg,
|
cfg,
|
||||||
security_domain_hostname=self.master_host,
|
security_domain_hostname=self.master_host,
|
||||||
clone_pkcs12_path=paths.TMP_CA_P12,
|
clone_pkcs12_path=clone_pkcs12_path,
|
||||||
)
|
)
|
||||||
|
|
||||||
# External CA
|
# External CA
|
||||||
|
@ -907,8 +907,6 @@ class DogtagInstance(service.Service):
|
|||||||
pki_security_domain_password=self.admin_password,
|
pki_security_domain_password=self.admin_password,
|
||||||
# Clone
|
# Clone
|
||||||
pki_clone=True,
|
pki_clone=True,
|
||||||
pki_clone_pkcs12_path=clone_pkcs12_path,
|
|
||||||
pki_clone_pkcs12_password=self.dm_password,
|
|
||||||
pki_clone_replication_security="TLS",
|
pki_clone_replication_security="TLS",
|
||||||
pki_clone_replication_master_port=self.master_replication_port,
|
pki_clone_replication_master_port=self.master_replication_port,
|
||||||
pki_clone_replication_clone_port=389,
|
pki_clone_replication_clone_port=389,
|
||||||
@ -916,6 +914,11 @@ class DogtagInstance(service.Service):
|
|||||||
pki_clone_uri="https://%s" % ipautil.format_netloc(
|
pki_clone_uri="https://%s" % ipautil.format_netloc(
|
||||||
self.master_host, 443),
|
self.master_host, 443),
|
||||||
)
|
)
|
||||||
|
if clone_pkcs12_path:
|
||||||
|
subsystem_config.update(
|
||||||
|
pki_clone_pkcs12_path=clone_pkcs12_path,
|
||||||
|
pki_clone_pkcs12_password=self.dm_password,
|
||||||
|
)
|
||||||
|
|
||||||
def _create_spawn_config(self, subsystem_config):
|
def _create_spawn_config(self, subsystem_config):
|
||||||
loader = PKIIniLoader(
|
loader = PKIIniLoader(
|
||||||
|
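Review bot: When `clone_pkcs12_path` is falsy nothing in this hunk tells pkispawn where the clone's CA keys come from instead, so unless the HSM token settings are injected elsewhere (outside what I can see, possibly in `_create_spawn_config` or its loader) a clone with no PKCS#12 will be configured without any key source; a comment at the new `if` would make the dependency explicit, e.g. `# No PKCS#12 on HSM installs: the keys stay on the token and pkispawn is expected to find them via the HSM config.` It is also worth noting in that comment that the PKCS#12 password is the Directory Manager password, since the same secret now protects both the directory and the exported CA key file. The enclosing method continues past the end of this hunk.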