pkinit setup: fix regression on master install

The commit 7785210 intended to fix ipa-pkinit-manage enable
on a replica without any CA but introduced a regression:
ipa-server-install fails to configure pkinit with the fix.

This commit provides a proper fix without the regression:
pkinit needs to contact Dogtag directly only in case there is
no CA instance yet (for ex. because we are installing the
first master).

Fixes: https://pagure.io/freeipa/issue/7795
Reviewed-By: François Cami <fcami@redhat.com>
Florence Blanc-Renaud 2019-02-19 09:25:24 +01:00 committed by François Cami
parent d1f5ed64e1
commit 658983794c

@ -429,13 +429,14 @@ class KrbInstance(service.Service):
prev_helper = None
# on the first CA-ful master without '--no-pkinit', we issue the
# certificate by contacting Dogtag directly
localhost_has_ca = self.fqdn in find_providing_servers(
ca_instances = find_providing_servers(
'CA', conn=self.api.Backend.ldap2, api=self.api)
use_dogtag_submit = all(
[self.master_fqdn is None,
self.pkcs12_info is None,
self.config_pkinit,
localhost_has_ca])
len(ca_instances) == 0])
if use_dogtag_submit:
ca_args = [
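Review bot: the comment above the `find_providing_servers` call still reads "on the first CA-ful master without '--no-pkinit'", but the condition in `use_dogtag_submit` is now `len(ca_instances) == 0`, meaning no server is registered as providing the CA yet. Please update the comment to state that, and to note why the check no longer tests `self.fqdn` membership, since that is the distinction between the first-master install and the CA-less replica case described in the commit message. As a style point, the emptiness test reads more idiomatically as `not ca_instances`.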