Check LDAP instead of local configuration to see if IPA CA is enabled

The check is done using a new hidden command ca_is_enabled.

https://fedorahosted.org/freeipa/ticket/4621

Reviewed-By: David Kupka <dkupka@redhat.com>

install/tools/ipa-ca-install

@@ -234,9 +234,6 @@ def install_master(safe_options, options):
     api.bootstrap(in_server=True)
     api.finalize()
 
-    if api.env.enable_ra:
-        sys.exit("CA is already installed.\n")
-
     dm_password = options.password
     if not dm_password:
         if options.unattended:
@@ -251,6 +248,9 @@ def install_master(safe_options, options):
     api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
                               bind_pw=dm_password)
 
+    if api.Command.ca_is_enabled()['result']:
+        sys.exit("CA is already installed.\n")
+
     config = api.Command['config_show']()['result']
     subject_base = config['ipacertificatesubjectbase'][0]
 

install/tools/ipa-replica-install

@@ -238,7 +238,8 @@ def install_http(config, auto_redirect):
     http.create_instance(
         config.realm_name, config.host_name, config.domain_name,
         config.dirman_password, False, pkcs12_info,
-        auto_redirect=auto_redirect, ca_file = config.dir + "/ca.crt")
+        auto_redirect=auto_redirect, ca_file = config.dir + "/ca.crt",
+        ca_is_configured=ipautil.file_exists(config.dir + "/cacert.p12"))
 
     # Now copy the autoconfiguration files
     try:

install/tools/ipa-server-install

@@ -1231,11 +1231,13 @@ def main():
         http.create_instance(
             realm_name, host_name, domain_name, dm_password,
             pkcs12_info=http_pkcs12_info, subject_base=options.subject,
-            auto_redirect=options.ui_redirect)
+            auto_redirect=options.ui_redirect,
+            ca_is_configured=setup_ca)
     else:
         http.create_instance(
             realm_name, host_name, domain_name, dm_password,
-            subject_base=options.subject, auto_redirect=options.ui_redirect)
+            subject_base=options.subject, auto_redirect=options.ui_redirect,
+            ca_is_configured=setup_ca)
     tasks.restore_context(paths.CACHE_IPA_SESSIONS)
 
     # Export full CA chain

install/tools/ipa-upgradeconfig

@@ -980,11 +980,13 @@ def add_ca_dns_records():
         root_logger.info('IPA CA DNS records already processed')
         return
 
-    try:
-        api.Backend.ldap2.connect(autobind=True)
-    except ipalib.errors.PublicError, e:
-        root_logger.error("Cannot connect to LDAP to add DNS records: %s", e)
-        return
+    if not api.Backend.ldap2.isconnected():
+        try:
+            api.Backend.ldap2.connect(autobind=True)
+        except ipalib.errors.PublicError, e:
+            root_logger.error(
+                "Cannot connect to LDAP to add DNS records: %s", e)
+            return
 
     ret = api.Command['dns_is_enabled']()
     if not ret['result']:
@@ -1131,12 +1133,19 @@ def remove_ds_ra_cert(subject_base):
 def fix_trust_flags():
     root_logger.info('[Fixing trust flags in %s]' % paths.HTTPD_ALIAS_DIR)
 
-    if not api.env.enable_ra:
-        root_logger.info("CA is not enabled")
+    if sysupgrade.get_upgrade_state('http', 'fix_trust_flags'):
+        root_logger.info("Trust flags already processed")
         return
 
-    if sysupgrade.get_upgrade_state(service, 'fix_trust_flags'):
-        root_logger.info("Trust flags already fixed")
+    if not api.Backend.ldap2.isconnected():
+        try:
+            api.Backend.ldap2.connect(autobind=True)
+        except ipalib.errors.PublicError, e:
+            root_logger.error("Cannot connect to LDAP: %s", e)
+            return
+
+    if not api.Command.ca_is_enabled()['result']:
+        root_logger.info("CA is not enabled")
         return
 
     db = certs.CertDB(api.env.realm)