mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
530da69ead
ipa-replica-install --kra-install can fail when the topology already has a KRA, but replica is installed from a master with just CA. In that case, Custodia may pick a machine that doesn't have the KRA auditing and signing certs in its NSSDB. Example: * master with CA * replica1 with CA and KRA * new replica gets installed from master The replica installer now always picks a KRA peer. The change fixes test scenario TestInstallWithCA1::()::test_replica2_ipa_dns_install Fixes: https://pagure.io/freeipa/issue/7518 See: https://pagure.io/freeipa/issue/7008 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>