Make sure the CA cert is copied to the replica, fail if no ca.crt is available. Cope with some versions of ipa that forgot to copy the ca.crt cert in the right place.

ipa-server/ipa-install/ipa-replica-prepare

@@ -155,10 +155,10 @@ def copy_files(realm_name, dir):
     try:
         shutil.copy("/var/kerberos/krb5kdc/ldappwd", dir + "/ldappwd") 
         shutil.copy("/var/kerberos/krb5kdc/kpasswd.keytab", dir + "/kpasswd.keytab") 
+        shutil.copy("/usr/share/ipa/html/ca.crt", dir + "/ca.crt")
         if ipautil.file_exists("/usr/share/ipa/html/preferences.html"):
             shutil.copy("/usr/share/ipa/html/preferences.html", dir + "/preferences.html")
             shutil.copy("/usr/share/ipa/html/configure.jar", dir + "/configure.jar")
-            shutil.copy(config_dir + "/cacert.asc", dir + "/ca.crt")
     except Exception, e:
         print "error copying files: " + str(e)
         sys.exit(1)

ipa-server/ipa-upgradeconfig

@@ -84,6 +84,16 @@ def upgrade(sub_dict, filename, template):
         update_conf(sub_dict, filename, template)
         print "Upgraded %s to version %d" % (filename, new)
 
+def check_certs(realm_name):
+    """Check ca.crt is in the right place, and try to fix if not"""
+    if not os.path.exists("/usr/share/ipa/html/ca.crt"):
+        ca_file = "/etc/dirsrv/slapd-" + ("-".join(realm_name.split("."))) + "/cacert.asc"
+        if os.path.exists(ca_file):
+            shutil.copyfile(ca_file, "/usr/share/ipa/html/ca.crt")
+        else:
+            print "Missing Certification Authority file."
+            print "You should place a copy of the CA certificate in /usr/share/ipa/html/ca.crt"
+
 def main():
     try:
         krbctx = krbV.default_context()
@@ -91,6 +101,11 @@ def main():
         print "Unable to get default kerberos realm: %s" % e[1]
         sys.exit(1)
 
+    try:
+        check_certs(krbctx.default_realm)
+    except Error, e:
+        print "Failed to check CA certificate: %s" % e
+
     try:
         fqdn = find_hostname()
     except IOError: