pkinit enable: use local dogtag only if host has CA

ipa-pkinit-manage enable is failing if called on a master that does not have a CA instance, because it is trying to contact dogtag on the localhost. The command should rather use certmonger in this case, and let certmonger contact the right master to request the KDC certificate. Fixes: https://pagure.io/freeipa/issue/7795 Reviewed-By: Francois Cami <fcami@redhat.com>
2025-01-27 00:26:33 -06:00 · 2018-12-20 08:56:56 +01:00 · 2018-12-20 08:56:56 +01:00 · 7785210533
commit 7785210533
parent e5be409245
1 changed files with 5 additions and 1 deletions
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@ -45,6 +45,7 @@ from ipaserver.install import replication
 from ipaserver.install import ldapupdate

 from ipaserver.install import certs
+from ipaserver.masters import find_providing_servers
 from ipaplatform.constants import constants
 from ipaplatform.tasks import tasks
 from ipaplatform.paths import paths
@ -428,10 +429,13 @@ class KrbInstance(service.Service):
            prev_helper = None
            # on the first CA-ful master without '--no-pkinit', we issue the
            # certificate by contacting Dogtag directly
+            localhost_has_ca = self.fqdn in find_providing_servers(
+                'CA', conn=self.api.Backend.ldap2, api=self.api)
            use_dogtag_submit = all(
                [self.master_fqdn is None,
                 self.pkcs12_info is None,
-                 self.config_pkinit])
+                 self.config_pkinit,
+                 localhost_has_ca])

            if use_dogtag_submit:
                ca_args = [