ipa-server-install: token_password_file read in kra.install_check after calling hsm_validator in ca.install_check
https://github.com/freeipa/freeipa/blob/master/ipaserver/install/ca.py#L366

```python
hsm_validator(options.token_name, options.token_library_path, options.token_password)
```

https://github.com/freeipa/freeipa/blob/master/ipaserver/install/ca.py#L416 (only if replica_config is not None)

```python
if options.token_password_file:
    with open(options.token_password_file, "r") as fd:
        options.token_password = fd.readline().strip()
```

https://github.com/freeipa/freeipa/blob/master/ipaserver/install/kra.py#L61

https://github.com/freeipa/freeipa/blob/master/ipaserver/install/server/install.py#L733

```python
if setup_ca:
    ca.install_check(False, None, options)
if options.setup_kra:
    kra.install_check(api, None, options)
```
Should be possible to set token_password_file and token_password at the same time?
It should not be possible to provide both. It should error out if both are set. Password in a file was added well before the hsm_validator function was added and apparently never tested afterwards. That is the source of this issue.
Metadata Update from @rcritten:
- Issue assigned to rcritten

Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-40890 https://issues.redhat.com/browse/RHEL-40892
- Issue priority set to: normal
token_password_file and token_password should be mutually exclusive.
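The ordering problem this ticket describes, together with the mutually exclusive check proposed above, as an added example that is not FreeIPA's code: `resolve_token_password`, the stand-in `hsm_validator` and `run`/`demo` are assumed names, and the model of `ca.install_check` is a constructed simplification, not the real function.

```python
# Added illustration of the ordering bug in this ticket; not FreeIPA's code.
# Option names are the ticket's; validator body and helper names are assumed.
import os
import tempfile
from types import SimpleNamespace

def resolve_token_password(options):
    """Fill options.token_password from the file; reject both being given.

    Must run before anything that reads options.token_password."""
    if options.token_password and options.token_password_file:
        raise ValueError("token_password and token_password_file are mutually exclusive")
    if options.token_password_file:
        with open(options.token_password_file, "r") as fd:
            options.token_password = fd.readline().strip()
    return options.token_password

def hsm_validator(token_name, token_library_path, token_password):
    # Stand-in for the real validator: the token cannot be opened without a password.
    if not token_password:
        raise ValueError("no token password for %s" % token_name)
    return True

def ca_install_check(options, read_file_first=True):
    # read_file_first=False reproduces the ticket: validate first, read the file later.
    if read_file_first:
        resolve_token_password(options)
    return hsm_validator(options.token_name, options.token_library_path,
                         options.token_password)

def run(password=None, password_file=None, read_file_first=True):
    """Return True if the install check passes for these options, False if it raises."""
    options = SimpleNamespace(token_name="softhsm", token_library_path="libsofthsm2.so",
                              token_password=password, token_password_file=password_file)
    try:
        return ca_install_check(options, read_file_first)
    except ValueError:
        return False

def demo():
    """Constructed run: file-only options fail in the old order and pass in the new;
    file plus literal password is rejected outright."""
    with tempfile.NamedTemporaryFile("w", delete=False) as f:
        f.write("Secret123\n")  # constructed sample token password
    try:
        return (run(password_file=f.name, read_file_first=False),
                run(password_file=f.name),
                run(password="pw", password_file=f.name))
    finally:
        os.unlink(f.name)
```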
master:
Possibly related issue in test_integration/test_hsm.py::TestHSMcertRenewal::test_certs_renewal manifesting in [testing_master_latest] Nightly PR #3828 - report
```
INFO ipatests.pytest_ipa.integration.host.Host.master.IPAOpenSSHTransport:transport.py:436 GET /usr/share/pki/VERSION
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd65:transport.py:513 RUN ['cat', '/usr/share/pki/VERSION']
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd65:transport.py:217 Exit code: 0
INFO ipatests.pytest_ipa.integration.host.Host.master.IPAOpenSSHTransport:transport.py:427 PUT /tmp/token_password
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd66:transport.py:513 RUN ['tee', '/tmp/token_password']
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd66:transport.py:217 Exit code: 0
INFO ipatests.pytest_ipa.integration.host.Host.master.IPAOpenSSHTransport:transport.py:391 RUN ['/usr/bin/certutil', '-d', '/etc/pki/pki-tomcat/alias', '-f', '/tmp/token_passwd', '-L', '-a', '-n', 'wgzLLMJjPU:ocspSigningCert cert-pki-ca', '-h', 'wgzLLMJjPU']
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd67:transport.py:513 RUN ['/usr/bin/certutil', '-d', '/etc/pki/pki-tomcat/alias', '-f', '/tmp/token_passwd', '-L', '-a', '-n', 'wgzLLMJjPU:ocspSigningCert cert-pki-ca', '-h', 'wgzLLMJjPU']
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd67:transport.py:557 No password file "/tmp/token_passwd" exists.
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd67:transport.py:557 certutil: could not authenticate to token wgzLLMJjPU.: SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd67:transport.py:217 Exit code: 255
ERROR ipatests.pytest_ipa.integration.host.Host.master.cmd67:host.py:201 stderr: No password file "/tmp/token_passwd" exists.
certutil: could not authenticate to token wgzLLMJjPU.: SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.
```
ipa-4-12:
Metadata Update from @frenaud:
- Issue tagged with: test-failure

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)