From 718099af5bf702683b0195d1cea4a674bb47207f Mon Sep 17 00:00:00 2001
From: Antonio Torres <antorres@redhat.com>
Date: Fri, 5 Mar 2021 13:48:50 +0100
Subject: [PATCH] ipa-kra-install: exit if ca_host is overriden
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ipa-kra-install should exit if ca_host line is present
in /etc/ipa/default.conf, as it may lead to a misconfigured
setup.

Fixes: https://pagure.io/freeipa/issue/8245
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
 ipaserver/install/kra.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
index ffed5df14..857c5165b 100644
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -53,6 +53,11 @@ def install_check(api, replica_config, options):
                 "KRA is not installed on the master system. Please use "
                 "'ipa-kra-install' command to install the first instance.")
 
+    if api.env.ca_host is not None and api.env.ca_host != api.env.host:
+        raise RuntimeError(
+            "KRA can not be installed when 'ca_host' is overriden in "
+            "IPA configuration file.")
+
 
 def install(api, replica_config, options, custodia):
     if replica_config is None: