Don't generate a cafile on HSM instalations
We don't export the CA certificates on an HSM installation because an HSM won't allow the private keys to leave the HSM, by design. Fixes: https://pagure.io/freeipa/issue/9273 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This commit is contained in:
parent
cba3094c9a
commit
e6078c639c
@ -386,11 +386,13 @@ def install_step_0(standalone, replica_config, options, custodia):
|
||||
ra_only = False
|
||||
promote = False
|
||||
else:
|
||||
cafile = os.path.join(replica_config.dir, 'cacert.p12')
|
||||
if replica_config.setup_ca:
|
||||
if not cainstance.hsm_enabled():
|
||||
cafile = os.path.join(replica_config.dir, 'cacert.p12')
|
||||
custodia.get_ca_keys(
|
||||
cafile,
|
||||
replica_config.dirman_password)
|
||||
else:
|
||||
cafile = None
|
||||
|
||||
ca_signing_algorithm = None
|
||||
ca_type = None
|
||||
|
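Review bot: `cafile` now seems to be assigned only inside the `if replica_config.setup_ca:` branch, so if the first `cafile = os.path.join(replica_config.dir, 'cacert.p12')` line is the one this commit removes (the rendered page has lost the +/- markers, so this is read from print order), a replica installed with setup_ca false leaves the name unbound for any later reader in install_step_0; the function continues outside the hunk, so I cannot see whether such a reader exists. Initialising `cafile = None` before the `if replica_config.setup_ca:` line would make the HSM path and the no-CA path agree and keep every consumer on one None check. A short comment on the HSM branch would also help the next reader, e.g. `# HSM keys never leave the device, so there is no PKCS#12 to fetch; consumers must accept None`.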
@ -567,9 +567,13 @@ class CAInstance(DogtagInstance):
|
||||
# if paths.TMP_CA_P12 exists and is not owned by root,
|
||||
# shutil.copy will fail if when fs.protected_regular=1
|
||||
# so remove the file first
|
||||
ipautil.remove_file(paths.TMP_CA_P12)
|
||||
shutil.copy(cafile, paths.TMP_CA_P12)
|
||||
self.service_user.chown(paths.TMP_CA_P12)
|
||||
if os.path.exists(paths.TMP_CA_P12):
|
||||
ipautil.remove_file(paths.TMP_CA_P12)
|
||||
shutil.copy(cafile, paths.TMP_CA_P12)
|
||||
self.service_user.chown(paths.TMP_CA_P12)
|
||||
clone_pkcs12_path = paths.TMP_CA_P12
|
||||
else:
|
||||
clone_pkcs12_path = None
|
||||
|
||||
if self.random_serial_numbers:
|
||||
cfg.update(
|
||||
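Review bot: The new `if os.path.exists(paths.TMP_CA_P12):` guard around `ipautil.remove_file(paths.TMP_CA_P12)` is weaker than the unconditional removal it replaces: `os.path.exists` follows symlinks and reports False for a dangling one, so a stale symlink at that fixed path would survive the guard and `shutil.copy(cafile, paths.TMP_CA_P12)` would then write through it. If the guard is only there to avoid an error from remove_file on a missing file, `if os.path.lexists(paths.TMP_CA_P12):` keeps the intent while covering that case; if `ipautil.remove_file` already tolerates a missing file (its definition is not visible here), the old unconditional call is the simpler fix. The existing comment above the guard still explains the fs.protected_regular reason, so it does not need to change. The `if` that the new `else:` pairs with starts outside the hunk.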
@ -587,7 +591,7 @@ class CAInstance(DogtagInstance):
|
||||
self._configure_clone(
|
||||
cfg,
|
||||
security_domain_hostname=self.master_host,
|
||||
clone_pkcs12_path=paths.TMP_CA_P12,
|
||||
clone_pkcs12_path=clone_pkcs12_path,
|
||||
)
|
||||
|
||||
# External CA
|
||||
|
@ -907,8 +907,6 @@ class DogtagInstance(service.Service):
|
||||
pki_security_domain_password=self.admin_password,
|
||||
# Clone
|
||||
pki_clone=True,
|
||||
pki_clone_pkcs12_path=clone_pkcs12_path,
|
||||
pki_clone_pkcs12_password=self.dm_password,
|
||||
pki_clone_replication_security="TLS",
|
||||
pki_clone_replication_master_port=self.master_replication_port,
|
||||
pki_clone_replication_clone_port=389,
|
||||
@ -916,6 +914,11 @@ class DogtagInstance(service.Service):
|
||||
pki_clone_uri="https://%s" % ipautil.format_netloc(
|
||||
self.master_host, 443),
|
||||
)
|
||||
if clone_pkcs12_path:
|
||||
subsystem_config.update(
|
||||
pki_clone_pkcs12_path=clone_pkcs12_path,
|
||||
pki_clone_pkcs12_password=self.dm_password,
|
||||
)
|
||||
|
||||
def _create_spawn_config(self, subsystem_config):
|
||||
loader = PKIIniLoader(
|
||||
|
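Review bot: `clone_pkcs12_path` can now apparently be None (the HSM clone case), and the spawn config then omits `pki_clone_pkcs12_path` and `pki_clone_pkcs12_password` while still setting `pki_clone=True`; that contract is not documented anywhere in the hunk. The enclosing method starts outside the hunk, so its docstring should state the new meaning of the parameter, e.g. `clone_pkcs12_path: path to the exported CA PKCS#12, or None when the keys stay in an HSM and no file is handed to pkispawn`. A one-line comment on `if clone_pkcs12_path:` such as `# HSM clones have no exported keys; let pkispawn run without a PKCS#12` would make the reason visible at the site.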