Install RA cert during replica promotion

This cert is needed with KRA to be able store and retrieve secrets. https://fedorahosted.org/freeipa/ticket/5512 Reviewed-By: David Kupka <dkupka@redhat.com>
2025-02-25 18:55:28 -06:00 · 2015-12-10 13:46:07 +01:00
parent 099cf98307
commit bf9a34f4cf
2 changed files with 8 additions and 4 deletions
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1344,12 +1344,8 @@ class CAInstance(DogtagInstance):
        self.step("setting audit signing renewal to 2 years",
                  self.set_audit_renewal)

-        self.step("configure certmonger for renewals",
-                  self.configure_certmonger_renewal)
        self.step("configure certificate renewals",
                  self.configure_renewal)
-        self.step("configure RA certificate renewal",
-                  self.configure_agent_renewal)
        self.step("configure Server-Cert certificate renewal",
                  self.track_servercert)
        self.step("Configure HTTP to proxy connections",
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1316,6 +1316,14 @@ def promote(installer):
                                                 installer._ca_enabled)
    custodia.create_replica(config.master_host_name)

+    if installer._ca_enabled:
+        CA = cainstance.CAInstance(config.realm_name, certs.NSS_DIR)
+
+        CA.configure_certmonger_renewal()
+        CA.configure_agent_renewal()
+        cainstance.export_kra_agent_pem()
+        CA.fix_ra_perms()
+
    krb = install_krb(config,
                      setup_pkinit=not options.no_pkinit,
                      promote=True)