server upgrade: do not enable PKINIT by default

Enabling PKINIT often fails during server upgrade when requesting the KDC certificate. Now that PKINIT can be enabled post-install using ipa-pkinit-manage, avoid the upgrade failure by not enabling PKINIT by default. https://pagure.io/freeipa/issue/7000 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2025-02-25 18:55:28 -06:00 · 2017-06-05 12:42:52 +00:00 · 2017-06-05 12:42:52 +00:00 · 0772ef20b3
commit 0772ef20b3
parent 92276c1e88
1 changed files with 2 additions and 8 deletions
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@ -1523,14 +1523,8 @@ def add_default_caacl(ca):
 def setup_pkinit(krb):
    root_logger.info("[Setup PKINIT]")

-    pkinit_is_enabled = krbinstance.is_pkinit_enabled()
-    ca_is_enabled = api.Command.ca_is_enabled()['result']
-
-    if not pkinit_is_enabled:
-        if ca_is_enabled:
-            krb.issue_ipa_ca_signed_pkinit_certs()
-        else:
-            krb.issue_selfsigned_pkinit_certs()
+    if not krbinstance.is_pkinit_enabled():
+        krb.issue_selfsigned_pkinit_certs()

    aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD,
                 loadpath=paths.USR_SHARE_IPA_DIR)