author | Jan Cholasta <jcholast@redhat.com> | 2015-09-16 09:05:20 +0200 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2015-10-08 13:42:58 +0200 |
commit | b035a2a11442c190dc68d9e653b98ef396332c8e (patch) | |
tree | 54c10b7959d98bd1955e1e70d0905eb0d6b9be76 | |
parent | 110e85cc74051b02556ca2c43176c9ded40e75aa (diff) | |
install: always export KRA agent PEM file
Export the file even when KRA is not installed locally so that vault commands
work on all IPA replicas.
https://fedorahosted.org/freeipa/ticket/5302
Reviewed-By: Martin Basti <mbasti@redhat.com>
-rw-r--r-- | install/restart_scripts/renew_ra_cert | 3 | ||||
-rw-r--r-- | ipaserver/install/cainstance.py | 8 | ||||
-rw-r--r-- | ipaserver/install/krainstance.py | 2 | ||||
-rw-r--r-- | ipaserver/install/server/upgrade.py | 5 |
4 files changed, 9 insertions, 9 deletions
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index 57cfd92ad..cf770a94c 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -61,8 +61,7 @@ def _main():
 # Load it into dogtag
 cainstance.update_people_entry(dercert)
- kra = krainstance.KRAInstance(api.env.realm)
- if kra.is_installed():
+ if api.Command.kra_is_enabled()['result']:
 krainstance.export_kra_agent_pem()
 finally:
 shutil.rmtree(tmpdir)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index f0b3d0c11..17b14b89b 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -64,8 +64,8 @@ from ipaserver.install import certs
 from ipaserver.install import dsinstance
 from ipaserver.install import installutils
 from ipaserver.install import service
-from ipaserver.install.dogtaginstance import DogtagInstance
-from ipaserver.install.dogtaginstance import PKI_USER, DEFAULT_DSPORT
+from ipaserver.install.dogtaginstance import (
+ DEFAULT_DSPORT, PKI_USER, export_kra_agent_pem, DogtagInstance)
 from ipaserver.plugins import ldap2
 # Python 3 rename. The package is available in "six.moves.http_client", but
@@ -892,6 +892,8 @@ class CAInstance(DogtagInstance):
 finally:
 os.remove(agent_name)
+ export_kra_agent_pem()
+
 def import_ra_cert(self, rafile):
 """
 Cloned RAs will use the same RA agent cert as the master so we
@@ -910,6 +912,8 @@ class CAInstance(DogtagInstance):
 self.configure_agent_renewal()
+ export_kra_agent_pem()
+
 def __create_ca_agent(self):
 """
 Create CA agent, assign a certificate, and add the user to
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index 8ae9209aa..d65376a52 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
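Review bot: In `_main()` the agent PEM is refreshed on renewal only when `api.Command.kra_is_enabled()['result']` is true, although this commit makes `cainstance.py` export it unconditionally at install time. If the RA certificate is renewed while no KRA is enabled, the file written at install presumably keeps the old certificate and is stale once a KRA is added later; the same gate is added in `export_kra_agent_pem()` in `ipaserver/install/server/upgrade.py`. Either call `krainstance.export_kra_agent_pem()` unconditionally here too, or state the intent with a comment such as `# refreshed only while a KRA is enabled in the topology (ticket 5302)`. The new check also depends on the API being finalized and connected at this point, which the hunk does not show; `_main()` begins and ends outside it.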
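Review bot: The two added `export_kra_agent_pem()` calls in `cainstance.py` (after the `finally: os.remove(agent_name)` block, and at the end of `import_ra_cert` in the following hunk) write the agent PEM on every server that receives the RA certificate, and neither call says why. The helper is imported from `dogtaginstance` and is not visible in this diff; if the exported file carries the RA agent private key, as its name suggests, its mode and ownership should be confirmed now that it also exists on hosts without a local KRA. I would add a comment above each call, for example `# export unconditionally so vault commands work on replicas without a local KRA`. Both enclosing methods start outside their hunks.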
@@ -262,8 +262,6 @@ class KRAInstance(DogtagInstance):
 shutil.move(paths.KRA_BACKUP_KEYS_P12, paths.KRACERT_P12)
- export_kra_agent_pem()
-
 self.log.debug("completed creating KRA instance")
 def __create_kra_agent(self):
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index d799bfead..5d3972b97 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1258,9 +1258,8 @@ def export_kra_agent_pem():
 root_logger.info("KRA agent PEM file already exported")
 return
- kra = krainstance.KRAInstance(api.env.realm)
- if not kra.is_installed():
- root_logger.info("KRA is not installed")
+ if not api.Command.kra_is_enabled()['result']:
+ root_logger.info("KRA is not enabled")
 return
 krainstance.export_kra_agent_pem() |