ipa-replica-install: --setup-ca and *-cert-file are mutually exclusive

ipa-replica-install currently accepts both --setup-ca and *-cert-file even though the options should be mutually exclusive (either install CA-less with *-cert-file options or with a CA). Add a check enforcing the options are mutually exclusive. Fixes: https://pagure.io/freeipa/issue/8366 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-06-10 13:49:23 +02:00 · 2020-06-10 13:49:23 +02:00 · 51cb631db3
commit 51cb631db3
parent a18d406b56
1 changed files with 6 additions and 0 deletions
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@ -776,6 +776,12 @@ def promote_check(installer):
    # check selinux status, http and DS ports, NTP conflicting services
    common_check(options.no_ntp)

+    if options.setup_ca and any([options.dirsrv_cert_files,
+                                 options.http_cert_files,
+                                 options.pkinit_cert_files]):
+        raise ScriptError("--setup-ca and --*-cert-file options are "
+                          "mutually exclusive")
+
    client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
    if not client_fstore.has_files():
        # One-step replica installation