Do not set ca_host when --setup-ca is used

Setting ca_host caused replication failures on DL0 because it was trying to connect to wrong CA host. Trying to avoid corner-case in ipaserver/plugins/dogtag.py when api.env.host nor api.env.ca_host had not CA configured and there was ca_host set to api.env.ca_host variable. See: https://pagure.io/freeipa/issue/7566 Resolves: https://pagure.io/freeipa/issue/7629 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-02-25 18:55:28 -06:00 · 2018-07-26 11:46:55 +02:00 · 2018-07-26 11:46:55 +02:00 · 6175672e8e
commit 6175672e8e
parent f0c3a35928
2 changed files with 29 additions and 2 deletions
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@ -461,6 +461,11 @@ class CAInstance(DogtagInstance):
                self.step("updating IPA configuration", update_ipa_conf)
                self.step("enabling CA instance", self.__enable_instance)
                if not promote:
+                    if self.clone:
+                        # DL0 workaround; see docstring of __expose_ca_in_ldap
+                        self.step("exposing CA instance on LDAP",
+                                  self.__expose_ca_in_ldap)
+
                    self.step("migrating certificate profiles to LDAP",
                              migrate_profiles_to_ldap)
                    self.step("importing IPA certificate profiles",
@ -1277,6 +1282,25 @@ class CAInstance(DogtagInstance):
            config = []
        self.ldap_configure('CA', self.fqdn, None, basedn, config)

+    def __expose_ca_in_ldap(self):
+        """
+        In a case when replica is created on DL0 we need to make
+        sure that query for CA service record of this replica in
+        ldap will succeed in time of installation.
+        This method is needed for sucessfull replica installation
+        on DL0 and should be removed alongside with code for DL0.
+
+        To suppress deprecation warning message this method is
+        not invoking ldap_enable() but _ldap_enable() method.
+        """
+
+        basedn = ipautil.realm_to_suffix(self.realm)
+        if not self.clone:
+            config = ['caRenewalMaster']
+        else:
+            config = []
+        self._ldap_enable(u'enabledService', "CA", self.fqdn, basedn, config)
+
    def setup_lightweight_ca_key_retrieval(self):
        if sysupgrade.get_upgrade_state('dogtag', 'setup_lwca_key_retrieval'):
            return
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@ -241,9 +241,12 @@ def create_ipa_conf(fstore, config, ca_enabled, master=None):
        gopts.extend([
            ipaconf.setOption('enable_ra', 'True'),
            ipaconf.setOption('ra_plugin', 'dogtag'),
-            ipaconf.setOption('dogtag_version', '10'),
-            ipaconf.setOption('ca_host', config.ca_host_name)
+            ipaconf.setOption('dogtag_version', '10')
        ])
+
+        if not config.setup_ca:
+            gopts.append(ipaconf.setOption('ca_host', config.ca_host_name))
+
    else:
        gopts.extend([
            ipaconf.setOption('enable_ra', 'False'),