ipa-ca-install: run certupdate as initial step

When installing a CA replica, perform a certupdate to ensure that the relevant CA cert is present. This is necessary if the admin has just promoted the topology from CA-less to CA-ful but didn't manually run ipa-certupdate afterwards. Fixes: https://pagure.io/freeipa/issue/6577 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-02-25 18:55:28 -06:00 · 2017-10-30 18:05:56 +11:00 · 2017-10-30 18:05:56 +11:00 · 8960141adb
commit 8960141adb
parent 93d53e5cd0
1 changed files with 11 additions and 0 deletions
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@ -27,6 +27,7 @@ import tempfile
 from ipalib.install.kinit import kinit_keytab
 from ipapython import ipautil

+from ipaclient.install.ipa_certupdate import CertUpdate
 from ipaserver.install import installutils
 from ipaserver.install.installutils import create_replica_config
 from ipaserver.install.installutils import check_creds, ReplicaConfig
@ -174,6 +175,16 @@ def install_replica(safe_options, options, filename):
            not options.skip_conncheck and options.unattended):
        sys.exit('admin password required')

+    # Run ipa-certupdate to ensure we have the CA cert.  This is
+    # necessary if the admin has just promoted the topology from
+    # CA-less to CA-ful, and ipa-certupdate has not been run yet.
+    CertUpdate.run_with_args(api)
+
+    # CertUpdate restarts DS causing broken pipe on the original
+    # connection, so reconnect the backend.
+    api.Backend.ldap2.disconnect()
+    api.Backend.ldap2.connect()
+
    if options.promote:
        config = ReplicaConfig()
        config.ca_host_name = None