ipareplica: After an HSM replica install ensure all certs are visible

FreeIPA commit ea0bf4020ce0b1e32572e128e9323c5af60ec93d After an HSM replica install ensure all certs are visible If a certificate on a token does not have NSS trust set then it won't be visible in the softoken. This can be disconcerting for those used to seeing all the certificates. Loop through the possibilities and set no trust (or Peer) for all the certificates on the token. Also ensure that the CA certificate has the correct nickname. Related: https://pagure.io/freeipa/issue/9273
2026-03-26 21:33:05 +00:00 · 2024-06-20 15:14:47 +02:00
parent 07d91e02d1
commit 5ac7143f42
2 changed files with 10 additions and 2 deletions
--- a/roles/ipareplica/library/ipareplica_enable_ipa.py
+++ b/roles/ipareplica/library/ipareplica_enable_ipa.py
@@ -90,7 +90,7 @@ from ansible.module_utils.ansible_ipa_replica import (
    check_imports, AnsibleModuleLog, setup_logging, installer, DN, paths,
    gen_env_boostrap_finalize_core, constants, api_bootstrap_finalize,
    gen_ReplicaConfig, gen_remote_api, api, redirect_stdout, service,
-    find_providing_servers, services
+    find_providing_servers, services, clean_up_hsm_nicknames
 )


@@ -168,6 +168,9 @@ def main():
        # Everything installed properly, activate ipa service.
        services.knownservices.ipa.enable()

+        if options.setup_ca and clean_up_hsm_nicknames is not None:
+            clean_up_hsm_nicknames(api)
+
        # Print a warning if CA role is only installed on one server
        if len(ca_servers) == 1:
            msg = u'''
--- a/roles/ipareplica/module_utils/ansible_ipa_replica.py
+++ b/roles/ipareplica/module_utils/ansible_ipa_replica.py
@@ -49,7 +49,7 @@ __all__ = ["contextlib", "dnsexception", "dnsresolver", "dnsreversename",
           "dnsname", "kernel_keyring", "krbinstance", "getargspec",
           "adtrustinstance", "paths", "api", "dsinstance", "ipaldap", "Env",
           "ipautil", "installutils", "IPA_PYTHON_VERSION", "NUM_VERSION",
-           "ReplicaConfig", "create_api"]
+           "ReplicaConfig", "create_api", "clean_up_hsm_nicknames"]

 import sys
 import logging
@@ -162,6 +162,11 @@ try:
                install_ca_cert
        except ImportError:
            install_ca_cert = None
+        try:
+            from ipaserver.install.server.replicainstall import \
+                clean_up_hsm_nicknames
+        except ImportError:
+            clean_up_hsm_nicknames = None
        import SSSDConfig
        from subprocess import CalledProcessError