From 4ff6e35c282a344eb736ab8d18b28e9e3eaecbc6 Mon Sep 17 00:00:00 2001
From: Thomas Woerner
Date: Wed, 19 Jun 2024 16:41:05 +0200
Subject: [PATCH 1/4] ipaserver: Set hsm attributes to None for now
The HSM parameters token_name token_library_path token_password token_password_file are set to None to enable deployment with IPA 4.12 as a workaround till HSM can be fully supported by the ipaserver role.
---
roles/ipaserver/library/ipaserver_prepare.py | 6 ++++++
roles/ipaserver/library/ipaserver_setup_ca.py | 6 ++++++
roles/ipaserver/library/ipaserver_setup_kra.py | 8 +++++++-
3 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/roles/ipaserver/library/ipaserver_prepare.py b/roles/ipaserver/library/ipaserver_prepare.py
index 1c791756..24eccf23 100644
--- a/roles/ipaserver/library/ipaserver_prepare.py
+++ b/roles/ipaserver/library/ipaserver_prepare.py
@@ -326,6 +326,12 @@ def main():
 # ssl certificate
 # options.dirsrv_cert_files = ansible_module.params.get(
 # 'dirsrv_cert_files')
+ # hsm
+ if hasattr(ca, "hsm_version"):
+ options.token_name = None
+ options.token_library_path = None
+ options.token_password = None
+ options.token_password_file = None
 # client
 # options.no_ntp = ansible_module.params.get('no_ntp')
 # certificate system
diff --git a/roles/ipaserver/library/ipaserver_setup_ca.py b/roles/ipaserver/library/ipaserver_setup_ca.py
index 4003e14d..1a453e49 100644
--- a/roles/ipaserver/library/ipaserver_setup_ca.py
+++ b/roles/ipaserver/library/ipaserver_setup_ca.py
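Review bot: The `# hsm` block added here is the same five lines repeated in ipaserver_setup_ca.py and ipaserver_setup_kra.py, and its comment does not say why the attributes are forced to None, so each copy will have to be found and replaced when the role gains real HSM parameters. A comment such as `# hsm: IPA 4.12+ reads token_* from options; the role has no HSM support yet, so clear them explicitly` would record the workaround, and one helper in ansible_ipa_server (next to `options`) called from the three modules would keep it in a single place. When these attributes are eventually wired to the argument spec, `token_password` should be declared with `no_log=True` so the secret is not echoed into Ansible output. main() continues outside the hunk in all three files.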
@@ -305,6 +305,12 @@ def main():
 options.dirsrv_cert_files = ansible_module.params.get('dirsrv_cert_files')
 options._dirsrv_pkcs12_info = ansible_module.params.get(
 '_dirsrv_pkcs12_info')
+ # hsm
+ if hasattr(ca, "hsm_version"):
+ options.token_name = None
+ options.token_library_path = None
+ options.token_password = None
+ options.token_password_file = None
 # certificate system
 options.external_ca = ansible_module.params.get('external_ca')
 options.external_ca_type = ansible_module.params.get('external_ca_type')
diff --git a/roles/ipaserver/library/ipaserver_setup_kra.py b/roles/ipaserver/library/ipaserver_setup_kra.py
index 9f05ef5a..4ea9aa6e 100644
--- a/roles/ipaserver/library/ipaserver_setup_kra.py
+++ b/roles/ipaserver/library/ipaserver_setup_kra.py
@@ -74,7 +74,7 @@ RETURN = '''
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.ansible_ipa_server import (
 check_imports, AnsibleModuleLog, setup_logging, options,
- api_Backend_ldap2, redirect_stdout, api, custodiainstance, kra
+ api_Backend_ldap2, redirect_stdout, api, custodiainstance, kra, ca
 )
@@ -106,6 +106,12 @@ def main():
 options.pki_config_override = ansible_module.params.get(
 'pki_config_override')
 options.promote = False # first master, no promotion
+ # hsm
+ if hasattr(ca, "hsm_version"):
+ options.token_name = None
+ options.token_library_path = None
+ options.token_password = None
+ options.token_password_file = None
 # init ##########################################################
From 127d758100946c6d604c65fd868ba97aacdbefb5 Mon Sep 17 00:00:00 2001
From: Thomas Woerner
Date: Wed, 19 Jun 2024 16:36:45 +0200
Subject: [PATCH 2/4] ipareplica_install_ca_certs: Do not return unchanged config attributes
The config attributes config_master_host_name and also config_ca_host_name are not changed within ipareplica_install_ca_certs, therefore it is not needed to return them and also to use the returned values for following tasks.
---
.../library/ipareplica_install_ca_certs.py | 4 +--
roles/ipareplica/tasks/install.yml | 28 +++++++++----------
2 files changed, 15 insertions(+), 17 deletions(-)
diff --git a/roles/ipareplica/library/ipareplica_install_ca_certs.py b/roles/ipareplica/library/ipareplica_install_ca_certs.py
index b6d42d6a..db0fb54a 100644
--- a/roles/ipareplica/library/ipareplica_install_ca_certs.py
+++ b/roles/ipareplica/library/ipareplica_install_ca_certs.py
@@ -333,9 +333,7 @@ def main():
 # done #
- ansible_module.exit_json(changed=True,
- config_master_host_name=config.master_host_name,
- config_ca_host_name=config.ca_host_name)
+ ansible_module.exit_json(changed=True)
 if __name__ == '__main__':
diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml
index 03407373..fe63879c 100644
--- a/roles/ipareplica/tasks/install.yml
+++ b/roles/ipareplica/tasks/install.yml
@@ -312,7 +312,7 @@
 dirman_password: "{{ __derived_dirman_password }}"
 config_setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
 config_master_host_name:
- "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
+ "{{ result_ipareplica_prepare.config_master_host_name }}"
 config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
 config_ips: "{{ result_ipareplica_prepare.config_ips }}"
 register: result_ipareplica_setup_ds
@@ -339,7 +339,7 @@
 ### additional ###
 server: "{{ result_ipareplica_test.server }}"
 config_master_host_name:
- "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
+ "{{ result_ipareplica_prepare.config_master_host_name }}"
 config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
 ccache: "{{ result_ipareplica_prepare.ccache }}"
 installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}"
@@ -362,7 +362,7 @@
 subject_base: "{{ result_ipareplica_prepare.subject_base }}"
 ### additional ###
 config_master_host_name:
- "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
+ "{{ result_ipareplica_prepare.config_master_host_name }}"
 ccache: "{{ result_ipareplica_prepare.ccache }}"
 _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info if result_ipareplica_prepare._pkinit_pkcs12_info != None else omit }}"
 _top_dir: "{{ result_ipareplica_prepare._top_dir }}"
@@ -393,7 +393,7 @@
 ### additional ###
 server: "{{ result_ipareplica_test.server }}"
 config_master_host_name:
- "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
+ "{{ result_ipareplica_prepare.config_master_host_name }}"
 config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
 ccache: "{{ result_ipareplica_prepare.ccache }}"
 installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}"
@@ -406,7 +406,7 @@
 dirman_password: "{{ __derived_dirman_password }}"
 setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
 master:
- "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
+ "{{ result_ipareplica_prepare.config_master_host_name }}"
 when: result_ipareplica_test.change_master_for_certmonger
 - name: Install - DS enable SSL
@@ -420,7 +420,7 @@
 subject_base: "{{ result_ipareplica_prepare.subject_base }}"
 ### additional ###
 config_master_host_name:
- "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
+ "{{ result_ipareplica_prepare.config_master_host_name }}"
 ccache: "{{ result_ipareplica_prepare.ccache }}"
 _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
 _ca_file: "{{ result_ipareplica_prepare._ca_file }}"
@@ -441,7 +441,7 @@
 subject_base: "{{ result_ipareplica_prepare.subject_base }}"
 ### additional ###
 config_master_host_name:
- "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
+ "{{ result_ipareplica_prepare.config_master_host_name }}"
 config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
 ccache: "{{ result_ipareplica_prepare.ccache }}"
 _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
@@ -473,7 +473,7 @@
 ### additional ###
 server: "{{ result_ipareplica_test.server }}"
 config_master_host_name:
- "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
+ "{{ result_ipareplica_prepare.config_master_host_name }}"
 config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
 ccache: "{{ result_ipareplica_prepare.ccache }}"
 installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}"
@@ -498,7 +498,7 @@
 subject_base: "{{ result_ipareplica_prepare.subject_base }}"
 ### additional ###
 config_master_host_name:
- "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
+ "{{ result_ipareplica_prepare.config_master_host_name }}"
 ccache: "{{ result_ipareplica_prepare.ccache }}"
 _ca_file: "{{ result_ipareplica_prepare._ca_file }}"
 _top_dir: "{{ result_ipareplica_prepare._top_dir }}"
@@ -549,9 +549,9 @@
 dirman_password: "{{ __derived_dirman_password }}"
 config_setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
 config_master_host_name:
- "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
+ "{{ result_ipareplica_prepare.config_master_host_name }}"
 config_ca_host_name:
- "{{ result_ipareplica_install_ca_certs.config_ca_host_name }}"
+ "{{ result_ipareplica_prepare.config_ca_host_name }}"
 config_ips: "{{ result_ipareplica_prepare.config_ips }}"
 when: result_ipareplica_prepare._ca_enabled
@@ -565,7 +565,7 @@
 subject_base: "{{ result_ipareplica_prepare.subject_base }}"
 ### additional ###
 config_master_host_name:
- "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
+ "{{ result_ipareplica_prepare.config_master_host_name }}"
 ccache: "{{ result_ipareplica_prepare.ccache }}"
 _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
 _ca_file: "{{ result_ipareplica_prepare._ca_file }}"
@@ -585,7 +585,7 @@
 subject_base: "{{ result_ipareplica_prepare.subject_base }}"
 ### additional ###
 config_master_host_name:
- "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
+ "{{ result_ipareplica_prepare.config_master_host_name }}"
 ccache: "{{ result_ipareplica_prepare.ccache }}"
 _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
 _ca_file: "{{ result_ipareplica_prepare._ca_file }}"
@@ -645,7 +645,7 @@
 subject_base: "{{ result_ipareplica_prepare.subject_base }}"
 ### additional ###
 config_master_host_name:
- "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
+ "{{ result_ipareplica_prepare.config_master_host_name }}"
 ccache: "{{ result_ipareplica_prepare.ccache }}"
 _ca_file: "{{ result_ipareplica_prepare._ca_file }}"
 _top_dir: "{{ result_ipareplica_prepare._top_dir }}"
From 07d91e02d18caef51a34a3c86ffb5b1b2af7c88a Mon Sep 17 00:00:00 2001
From: Thomas Woerner
Date: Thu, 20 Jun 2024 15:08:02 +0200
Subject: [PATCH 3/4] ipareplica: Refactor CA file handling
replicainstall.install_ca_cert has been removed, paths.IPA_CERTUPDATE is called instead if the client was configured before deploying with iparepica role. FreeIPA commit 8f25b2a74a587548976f3d29f0b69d566d70125d Refactor CA file handling in replica installer Clean up and remove obsolete code from ipa-replica-install. For several versions replica installer first ensures that a host is an IPA client, then promotes the client to a replica. The client installer code sets up CA stores like IPA_CA_CRT already.
---
.../ipareplica/library/ipareplica_prepare.py | 27 +++++++++++++++----
roles/ipareplica/library/ipareplica_test.py | 5 ++--
.../module_utils/ansible_ipa_replica.py | 7 ++++-
roles/ipareplica/tasks/install.yml | 2 ++
4 files changed, 33 insertions(+), 8 deletions(-)
diff --git a/roles/ipareplica/library/ipareplica_prepare.py b/roles/ipareplica/library/ipareplica_prepare.py
index 63f1dcbd..d4464a93 100644
--- a/roles/ipareplica/library/ipareplica_prepare.py
+++ b/roles/ipareplica/library/ipareplica_prepare.py
@@ -250,6 +250,10 @@ options:
 type: bool
 default: no
 required: no
+ client_configured:
+ description: Was client configured already
+ type: bool
+ required: yes
 author:
 - Thomas Woerner (@t-woerner)
 '''
@@ -275,7 +279,8 @@ from ansible.module_utils.ansible_ipa_replica import (
 check_domain_level_is_supported, errors, ScriptError, setup_logging, logger, check_dns_resolution, service, find_providing_server, ca, kra, dns, no_matching_interface_for_ip_address_warning, adtrust,
- constants, api, redirect_stdout, replica_conn_check, tasks
+ constants, api, redirect_stdout, replica_conn_check, tasks,
+ install_ca_cert
 )
 from ansible.module_utils import six
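Review bot: The DOCUMENTATION block adds an option named `client_configured`, but the argument_spec in this module registers `ipa_client_installed` and tasks/install.yml passes `ipa_client_installed`, so the documented name does not match the parameter the module actually accepts. Rename the entry to `ipa_client_installed:` and make its description say what it controls, e.g. `description: Host is already an enrolled IPA client; triggers an ipa-certupdate refresh of the CA cert stores when replicainstall.install_ca_cert is not available`. The argument_spec and params.get hunks further down are consistent with each other; only the documentation is out of step.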
@@ -353,6 +358,7 @@ def main():
 skip_conncheck=dict(required=False, type='bool'),
 sid_generation_always=dict(required=False, type='bool',
 default=False),
+ ipa_client_installed=dict(required=True, type='bool'),
 ),
 supports_check_mode=False,
 )
@@ -436,6 +442,7 @@ def main():
 # options._random_serial_numbers is generated by ca.install_check and
 # later used by ca.install in the _setup_ca module.
 options._random_serial_numbers = False
+ ipa_client_installed = ansible_module.params.get('ipa_client_installed')
 # init #
@@ -601,10 +608,20 @@ def main():
 ansible_log.debug("-- CA_CRT --")
 cafile = paths.IPA_CA_CRT
- if not os.path.isfile(cafile):
- ansible_module.fail_json(
- msg="CA cert file is not available! Please reinstall"
- "the client and try again.")
+ if install_ca_cert is not None:
+ if not os.path.isfile(cafile):
+ ansible_module.fail_json(
+ msg="CA cert file is not available! Please reinstall"
+ "the client and try again.")
+ else:
+ if ipa_client_installed:
+ # host was already an IPA client, refresh client cert stores to
+ # ensure we have up to date CA certs.
+ try:
+ ipautil.run([paths.IPA_CERTUPDATE])
+ except ipautil.CalledProcessError:
+ ansible_module.fail_json(
+ msg="ipa-certupdate failed to refresh certs.")
 ansible_log.debug("-- REMOTE_API --")
diff --git a/roles/ipareplica/library/ipareplica_test.py b/roles/ipareplica/library/ipareplica_test.py
index 95bd7e32..fabb52aa 100644
--- a/roles/ipareplica/library/ipareplica_test.py
+++ b/roles/ipareplica/library/ipareplica_test.py
@@ -191,7 +191,7 @@ from ansible.module_utils.ansible_ipa_replica import (
 paths, sysrestore, ansible_module_get_parsed_ip_addresses, service, redirect_stdout, create_ipa_conf, ipautil, x509, validate_domain_name, common_check,
- IPA_PYTHON_VERSION, getargspec, adtrustinstance
+ IPA_PYTHON_VERSION, getargspec, adtrustinstance, install_ca_cert
 )
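Review bot: In the new `else` branch of the CA_CRT hunk the existence check on `cafile` is dropped entirely: when `install_ca_cert` is None and the host is not an enrolled client nothing verifies that paths.IPA_CA_CRT is present, and even after a successful ipa-certupdate the file is not re-checked before the code past the hunk (outside my view) presumably relies on it. Keeping `if not os.path.isfile(cafile): ansible_module.fail_json(msg=...)` after the if/else, for both paths, restores the guard. Two smaller points on the same lines: the concatenated message reads "reinstallthe client" because the first literal lacks a trailing space (`"CA cert file is not available! Please reinstall "`), and the certupdate failure discards the exception, so `except ipautil.CalledProcessError as e:` with `msg="ipa-certupdate failed to refresh certs: %s" % e` would give the operator something to act on. `ipautil` must also be among the names this module imports from ansible_ipa_replica; the visible import hunk does not show it, so confirm it is in the part of the list outside the hunk. main() continues outside the hunk on both sides.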
@@ -542,7 +542,8 @@ def main():
 # additional
 client_enrolled=client_enrolled,
 change_master_for_certmonger=change_master_for_certmonger,
- sid_generation_always=sid_generation_always
+ sid_generation_always=sid_generation_always,
+ install_ca_certs=install_ca_cert is not None
 )
diff --git a/roles/ipareplica/module_utils/ansible_ipa_replica.py b/roles/ipareplica/module_utils/ansible_ipa_replica.py
index f798833a..c244e288 100644
--- a/roles/ipareplica/module_utils/ansible_ipa_replica.py
+++ b/roles/ipareplica/module_utils/ansible_ipa_replica.py
@@ -144,7 +144,7 @@ try:
 from ipaserver.install.replication import (
 ReplicationManager, replica_conn_check)
 from ipaserver.install.server.replicainstall import (
- make_pkcs12_info, install_replica_ds, install_krb, install_ca_cert,
+ make_pkcs12_info, install_replica_ds, install_krb,
 install_http, install_dns_records, create_ipa_conf, check_dirsrv, check_dns_resolution, configure_certmonger, remove_replica_info_dir,
@@ -157,6 +157,11 @@ try:
 # ensure_enrolled, promotion_check_ipa_domain
 )
+ try:
+ from ipaserver.install.server.replicainstall import \
+ install_ca_cert
+ except ImportError:
+ install_ca_cert = None
 import SSSDConfig
 from subprocess import CalledProcessError
diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml
index fe63879c..076842a3 100644
--- a/roles/ipareplica/tasks/install.yml
+++ b/roles/ipareplica/tasks/install.yml
@@ -209,6 +209,7 @@
 server: "{{ result_ipareplica_test.server }}"
 skip_conncheck: "{{ ipareplica_skip_conncheck }}"
 sid_generation_always: "{{ result_ipareplica_test.sid_generation_always }}"
+ ipa_client_installed: "{{ result_ipareplica_test.client_enrolled }}"
 register: result_ipareplica_prepare
 - name: Install - Add to ipaservers
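Review bot: `install_ca_certs=install_ca_cert is not None` introduces a new result key of ipareplica_test that tasks/install.yml now branches on (`when: result_ipareplica_test.install_ca_certs`), but nothing in the patch updates the module's RETURN documentation; if that block lists the other result keys, add `install_ca_certs` with a description such as `Whether replicainstall.install_ca_cert exists and the ipareplica_install_ca_certs task must run`. In the module_utils hunk the fallback `install_ca_cert = None` is added, yet `install_ca_cert` is not visibly added to `__all__`, while the following patch in this series does list `clean_up_hsm_nicknames` there; unless it is already present further up the list (outside my view), treat the two names the same way. The enclosing `try:` block of the module_utils hunk starts and ends outside the hunk.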
@@ -276,6 +277,7 @@
 config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
 config_ips: "{{ result_ipareplica_prepare.config_ips }}"
 register: result_ipareplica_install_ca_certs
+ when: result_ipareplica_test.install_ca_certs
 - name: Install - Setup DS
 ipareplica_setup_ds:
From 5ac7143f42b325da04f04dade13b810c72ec08b6 Mon Sep 17 00:00:00 2001
From: Thomas Woerner
Date: Thu, 20 Jun 2024 15:14:47 +0200
Subject: [PATCH 4/4] ipareplica: After an HSM replica install ensure all certs are visible
FreeIPA commit ea0bf4020ce0b1e32572e128e9323c5af60ec93d After an HSM replica install ensure all certs are visible If a certificate on a token does not have NSS trust set then it won't be visible in the softoken. This can be disconcerting for those used to seeing all the certificates. Loop through the possibilities and set no trust (or Peer) for all the certificates on the token. Also ensure that the CA certificate has the correct nickname. Related: https://pagure.io/freeipa/issue/9273
---
roles/ipareplica/library/ipareplica_enable_ipa.py | 5 ++++-
roles/ipareplica/module_utils/ansible_ipa_replica.py | 7 ++++++-
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/roles/ipareplica/library/ipareplica_enable_ipa.py b/roles/ipareplica/library/ipareplica_enable_ipa.py
index a974165e..87582b81 100644
--- a/roles/ipareplica/library/ipareplica_enable_ipa.py
+++ b/roles/ipareplica/library/ipareplica_enable_ipa.py
@@ -90,7 +90,7 @@ from ansible.module_utils.ansible_ipa_replica import (
 check_imports, AnsibleModuleLog, setup_logging, installer, DN, paths, gen_env_boostrap_finalize_core, constants, api_bootstrap_finalize, gen_ReplicaConfig, gen_remote_api, api, redirect_stdout, service,
- find_providing_servers, services
+ find_providing_servers, services, clean_up_hsm_nicknames
 )
@@ -168,6 +168,9 @@ def main():
 # Everything installed properly, activate ipa service.
 services.knownservices.ipa.enable()
+ if options.setup_ca and clean_up_hsm_nicknames is not None:
+ clean_up_hsm_nicknames(api)
+
 # Print a warning if CA role is only installed on one server
 if len(ca_servers) == 1:
 msg = u'''
diff --git a/roles/ipareplica/module_utils/ansible_ipa_replica.py b/roles/ipareplica/module_utils/ansible_ipa_replica.py
index c244e288..c5efa8da 100644
--- a/roles/ipareplica/module_utils/ansible_ipa_replica.py
+++ b/roles/ipareplica/module_utils/ansible_ipa_replica.py
@@ -49,7 +49,7 @@ __all__ = ["contextlib", "dnsexception", "dnsresolver", "dnsreversename", "dnsname", "kernel_keyring", "krbinstance", "getargspec", "adtrustinstance", "paths", "api", "dsinstance", "ipaldap", "Env", "ipautil", "installutils", "IPA_PYTHON_VERSION", "NUM_VERSION",
- "ReplicaConfig", "create_api"]
+ "ReplicaConfig", "create_api", "clean_up_hsm_nicknames"]
 import sys
 import logging
@@ -162,6 +162,11 @@ try:
 install_ca_cert
 except ImportError:
 install_ca_cert = None
+ try:
+ from ipaserver.install.server.replicainstall import \
+ clean_up_hsm_nicknames
+ except ImportError:
+ clean_up_hsm_nicknames = None
 import SSSDConfig
 from subprocess import CalledProcessError
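Review bot: The new call `clean_up_hsm_nicknames(api)` runs for every CA replica install, not only HSM-backed ones: the guard checks `options.setup_ca` and that the helper could be imported, but not whether a token is configured. If the helper does not itself return early when no token is in use, consider gating on the token configuration as well, and in any case add a comment stating the intent, e.g. `# HSM: certificates on the token without NSS trust flags are not visible in the softoken; set trust so all certs are listed (FreeIPA ea0bf4020ce0)`. A failure inside the helper would surface as an unhandled traceback after the ipa service has already been enabled; if it can raise, a `fail_json` with a clear message at this point is friendlier for the operator. main() continues outside the hunk on both sides.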