Don't generate a cafile on HSM instalations

We don't export the CA certificates on an HSM installation
because an HSM won't allow the private keys to leave the
HSM, by design.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Rob Crittenden 2022-09-13 16:01:17 -04:00
parent cba3094c9a
commit e6078c639c
3 changed files with 17 additions and 8 deletions


@ -386,11 +386,13 @@ def install_step_0(standalone, replica_config, options, custodia):
ra_only = False
promote = False
else:
cafile = os.path.join(replica_config.dir, 'cacert.p12')
if replica_config.setup_ca:
if not cainstance.hsm_enabled():
cafile = os.path.join(replica_config.dir, 'cacert.p12')
custodia.get_ca_keys(
cafile,
replica_config.dirman_password)
else:
cafile = None
ca_signing_algorithm = None
ca_type = None
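Review bot: The new HSM branch sets `cafile = None` without saying why; the reason lives only in the commit message, so a reader of install_step_0 sees the key fetch skipped and cannot tell it is intentional. Add above `if not cainstance.hsm_enabled():` the comment `# With an HSM the CA private keys cannot be exported, so no PKCS#12 is fetched from custodia.` Two hedged observations: `cainstance.hsm_enabled()` presumably reads the replica's local configuration, so it is worth confirming that this decision cannot diverge from how the master was set up; and after this hunk `cafile` is None for both the HSM case and the no-CA case, so downstream code must not treat `cafile is None` as "no CA on this replica". install_step_0 continues outside the hunk.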


@ -567,9 +567,13 @@ class CAInstance(DogtagInstance):
# if paths.TMP_CA_P12 exists and is not owned by root,
# shutil.copy will fail if when fs.protected_regular=1
# so remove the file first
ipautil.remove_file(paths.TMP_CA_P12)
shutil.copy(cafile, paths.TMP_CA_P12)
self.service_user.chown(paths.TMP_CA_P12)
if os.path.exists(paths.TMP_CA_P12):
ipautil.remove_file(paths.TMP_CA_P12)
shutil.copy(cafile, paths.TMP_CA_P12)
self.service_user.chown(paths.TMP_CA_P12)
clone_pkcs12_path = paths.TMP_CA_P12
else:
clone_pkcs12_path = None
if self.random_serial_numbers:
cfg.update(
@ -587,7 +591,7 @@ class CAInstance(DogtagInstance):
self._configure_clone(
cfg,
security_domain_hostname=self.master_host,
clone_pkcs12_path=paths.TMP_CA_P12,
clone_pkcs12_path=clone_pkcs12_path,
)
# External CA
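Review bot: The new `if os.path.exists(paths.TMP_CA_P12):` guard around `ipautil.remove_file(paths.TMP_CA_P12)` is only needed if remove_file raises on a missing path; if it already tolerates that (not visible here), the guard turns a single call into a check-then-act on a fixed temporary path for no benefit. The existing comment on these lines should say which it is, e.g. `# ipautil.remove_file() is not tolerant of a missing path here, so check first`. The condition that selects this branch (and therefore the outer `if`) starts above the hunk, so it is not possible to confirm from here that `cafile` is None exactly in the HSM and no-CA cases; the `else: clone_pkcs12_path = None` branch is consumed by the DogtagInstance hunk below, which now adds `pki_clone_pkcs12_path`/`pki_clone_pkcs12_password` only when the path is set, and the two are consistent. Since `shutil.copy` preserves the source file's mode bits and the copy is then only chown'ed, consider `os.chmod(paths.TMP_CA_P12, 0o600)` after the copy, unless `cacert.p12` is already created with that mode, so the CA key material is readable by the service user alone.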


@ -907,8 +907,6 @@ class DogtagInstance(service.Service):
pki_security_domain_password=self.admin_password,
# Clone
pki_clone=True,
pki_clone_pkcs12_path=clone_pkcs12_path,
pki_clone_pkcs12_password=self.dm_password,
pki_clone_replication_security="TLS",
pki_clone_replication_master_port=self.master_replication_port,
pki_clone_replication_clone_port=389,
@ -916,6 +914,11 @@ class DogtagInstance(service.Service):
pki_clone_uri="https://%s" % ipautil.format_netloc(
self.master_host, 443),
)
if clone_pkcs12_path:
subsystem_config.update(
pki_clone_pkcs12_path=clone_pkcs12_path,
pki_clone_pkcs12_password=self.dm_password,
)
def _create_spawn_config(self, subsystem_config):
loader = PKIIniLoader(