#9593 ipa-kra-install tries to validate the HSM config even when no HSM is set up
Closed: fixed 8 months ago by rcritten. Opened 8 months ago by frenaud.

Issue

The nightly test test_installation_TestInstallWithCA1 is failing on Fedora 38.
See PR #3673 with the following logs and report:

RUN ['ipa-kra-install', '-U', '-p', 'Secret.123']
Lookup failed: Preferred host replica1.ipa.test does not provide KRA.
Custodia uses 'replica0.ipa.test' as master peer.
HSM is not supported in PKI version 11.3.1
The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information
Exit code: 1

Steps to Reproduce

  1. Install a server with CA KRA: ipa-server-install --domain ipa.test --realm IPA.TEST --setup-kra --setup-dns --auto-forwarders -a Secret123 -p Secret123 -U
  2. Install a replica with CA: ipa-replica-install --domain ipa.test --realm IPA.TEST --principal admin --password Secret123 --setup-ca -U
  3. Install the KRA on the replica: ipa-kra-install

The KRA installation fails even though there is no HSM setup.

While I agree that f38 is already EOL, the code is making unnecessary checks when there is no HSM.

The file ipaserver/install/kra.py contains the following code in install_check:

    if replica_config is not None:
        (token_name, token_library) = ca.lookup_hsm_configuration(api)
        ca.hsm_validator(token_name, token_library, options.token_password)

which calls hsm_validator even when no HSM is set up. The fix can either call ca.hsm_validator only when token_name and token_library are not None, or modify hsm_validator to return early if HSM is not set up.
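
The first fix option from the report, sketched as an added example that is not part of the original issue and not FreeIPA code. lookup_hsm_configuration and hsm_validator below are simplified stand-ins (assumed to return (None, None) without an HSM and to check the PKI version first); MIN_HSM_PKI, outcome and the sample deployments are constructed for the demo. The guard skips validation only when neither token value is set, so a half-configured HSM is still rejected.

```python
# Added illustration with simplified stand-ins; not FreeIPA source code.
MIN_HSM_PKI = (11, 5, 0)  # constructed threshold for the demo


class ValidationError(Exception):
    """Stand-in for the installer's validation failure."""


def lookup_hsm_configuration(deployment):
    """Stand-in for ca.lookup_hsm_configuration; (None, None) means no HSM."""
    return deployment.get("token_name"), deployment.get("token_library")


def hsm_validator(token_name, token_library, token_password, pki_version):
    """Stand-in validator, assumed to check PKI support before the arguments."""
    if pki_version < MIN_HSM_PKI:
        version = ".".join(str(part) for part in pki_version)
        raise ValidationError("HSM is not supported in PKI version " + version)
    if not (token_name and token_library and token_password):
        raise ValidationError("incomplete HSM configuration")


def install_check_before(deployment, token_password, pki_version):
    """Shape of the reported code: a replica always runs the validator."""
    token_name, token_library = lookup_hsm_configuration(deployment)
    hsm_validator(token_name, token_library, token_password, pki_version)
    return "validated"


def install_check_guarded(deployment, token_password, pki_version):
    """Validate only when the existing deployment actually uses an HSM."""
    token_name, token_library = lookup_hsm_configuration(deployment)
    if token_name is None and token_library is None:
        return "skipped"  # non-HSM deployment: nothing to validate
    hsm_validator(token_name, token_library, token_password, pki_version)
    return "validated"


def outcome(check, deployment, token_password, pki_version):
    """Run a check and return its result, or the error text if it fails."""
    try:
        return check(deployment, token_password, pki_version)
    except ValidationError as err:
        return "error: %s" % err


# Constructed sample deployments (not taken from the issue).
NO_HSM = {}
PARTIAL = {"token_name": "demo-token"}
FULL = {"token_name": "demo-token", "token_library": "/usr/lib64/demo-pkcs11.so"}
```

Running outcome(install_check_before, NO_HSM, None, (11, 3, 1)) reproduces the message from the log above, while install_check_guarded returns "skipped" for the same input and still rejects PARTIAL.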


Metadata Update from @rcritten:
- Issue assigned to rcritten

8 months ago

master:

  • f225b3d Don't try to validate the HSM arguments on a non-HSM installation

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

8 months ago
