On 02/12/15 07:58, Jan Cholasta wrote:
On 1.12.2015 14:27, David Kupka wrote:
On 30/11/15 17:24, Jan Cholasta wrote:
Hi,

On 27.11.2015 07:57, David Kupka wrote:
On 26/11/15 15:22, David Kupka wrote:
On 26/11/15 15:13, David Kupka wrote:
On 26/11/15 15:01, David Kupka wrote:
https://fedorahosted.org/freeipa/ticket/5441


Replaced accidentally inserted tabs.



Fixed indentation I screwed up when replacing tabs :-/

1) The deprecated --*_pkcs12 and --*_pin aliases should not be supported
in ipa-replica-install.

In ServerCA, inherit the knobs from BaseServerCA rather than
BaseServer.ca. The "#pylint: disable=no-member" will no longer be
necessary.

In ipa-server-install help, there are 2 "certificate system" option
groups. This is a shortcoming in the installer framework, which will be
addressed in the future. For now, please inherit *all* knobs of
BaseServerCA in ServerCA as a workaround.



2) This check from ipa-replica-prepare should be added to
Replica.__init__() as well:

        # If any of the PKCS#12 options are selected, all are required.
        cert_file_req = (options.dirsrv_cert_files, options.http_cert_files)
        cert_file_opt = (options.pkinit_cert_files,)
        if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
            self.option_parser.error(
                "--dirsrv-cert-file and --http-cert-file are required if any "
                "PKCS#12 options are used.")

The check is done when the replica file is specified in the patch, but it
should be done only when the replica file is *not* specified.

6) Please make the ca_is_enabled argument of install_replica_ds() and
install_http() mandatory and fill it in as appropriate when called; it will
make the code more readable.

This bit in install_http() is redundant now:

+    if ca_is_configured is None:
+        ca_is_configured = ipautil.file_exists(config.dir + "/cacert.p12")



7)

$ git diff -U0 | pep8 --diff
./ipaserver/install/server/replicainstall.py:99:80: E501 line too long (82 > 79 characters)
./ipaserver/install/server/replicainstall.py:161:80: E501 line too long (82 > 79 characters)
./ipaserver/install/server/replicainstall.py:1289:13: E265 block comment should start with '# '
./ipaserver/install/server/replicainstall.py:1291:17: E125 continuation line with same indent as next logical line
./ipaserver/install/server/replicainstall.py:1291:17: E128 continuation line under-indented for visual indent

$ git diff -U0 | pep8 --diff
./ipaserver/install/server/install.py:1142:1: E302 expected 2 blank lines, found 1
./ipaserver/install/server/install.py:1143:5: E265 block comment should start with '# '
./ipaserver/install/server/install.py:1160:17: E222 multiple spaces after operator
./ipaserver/install/server/install.py:1288:9: E265 block comment should start with '# '
./ipaserver/install/server/replicainstall.py:100:80: E501 line too long (82 > 79 characters)
./ipaserver/install/server/replicainstall.py:162:80: E501 line too long (82 > 79 characters)
./ipaserver/install/server/replicainstall.py:697:41: E251 unexpected spaces around keyword / parameter equals
./ipaserver/install/server/replicainstall.py:697:43: E251 unexpected spaces around keyword / parameter equals
./ipaserver/install/server/replicainstall.py:922:9: E129 visually indented line with same indent as next logical line
./ipaserver/install/server/replicainstall.py:925:14: E131 continuation line unaligned for hanging indent
./ipaserver/install/server/replicainstall.py:1345:9: E265 block comment should start with '# '
./ipaserver/install/server/replicainstall.py:1389:21: E128 continuation line under-indented for visual indent


Thanks, updated patch attached.

--
David Kupka
From c1e2259bb352e160e41deb8853bd615f1c9f3db1 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Thu, 26 Nov 2015 09:01:27 +0100
Subject: [PATCH] ipa-replica-install support caless install with promotion.

https://fedorahosted.org/freeipa/ticket/5441
---
 ipaserver/install/custodiainstance.py      |   6 +-
 ipaserver/install/dsinstance.py            |   3 +-
 ipaserver/install/server/common.py         |   6 --
 ipaserver/install/server/install.py        |  58 +++++++++-
 ipaserver/install/server/replicainstall.py | 168 ++++++++++++++++++++++++-----
 5 files changed, 199 insertions(+), 42 deletions(-)

diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py
index df99962a7e6e8ecac044ff4e8341a4a9913e4d4d..dbe36af6d7af23fa859dcb78f3dc24224fd8fd07 100644
--- a/ipaserver/install/custodiainstance.py
+++ b/ipaserver/install/custodiainstance.py
@@ -17,7 +17,7 @@ import tempfile
 
 
 class CustodiaInstance(SimpleServiceInstance):
-    def __init__(self, host_name=None, realm=None):
+    def __init__(self, host_name=None, realm=None, ca_is_configured=True):
         super(CustodiaInstance, self).__init__("ipa-custodia")
         self.config_file = paths.IPA_CUSTODIA_CONF
         self.server_keys = os.path.join(paths.IPA_CUSTODIA_CONF_DIR,
@@ -25,6 +25,7 @@ class CustodiaInstance(SimpleServiceInstance):
         self.ldap_uri = None
         self.fqdn = host_name
         self.realm = realm
+        self.ca_is_configured = ca_is_configured
 
     def __config_file(self):
         template_file = os.path.basename(self.config_file) + '.template'
@@ -68,7 +69,8 @@ class CustodiaInstance(SimpleServiceInstance):
 
         self.step("Generating ipa-custodia config file", self.__config_file)
         self.step("Generating ipa-custodia keys", self.__gen_keys)
-        self.step("Importing RA Key", self.__import_ra_key)
+        if self.ca_is_configured:
+            self.step("Importing RA Key", self.__import_ra_key)
         super(CustodiaInstance, self).create_instance(gensvc_name='KEYS',
                                                       fqdn=self.fqdn,
                                                       ldap_suffix=suffix,
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index e47e85ca6f25c33e4327fc5ee1cd2e90e6c2ca4a..a58b0f7c2f1a6baae09e38695b8e569d7495d524 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -381,7 +381,8 @@ class DsInstance(service.Service):
 
         if self.promote:
             self.step("creating DS keytab", self.__get_ds_keytab)
-            self.step("retrieving DS Certificate", self.__get_ds_cert)
+            if self.ca_is_configured:
+                self.step("retrieving DS Certificate", self.__get_ds_cert)
             self.step("restarting directory server", self.__restart_instance)
 
         self.step("setting up initial replication", self.__setup_replica)
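Review bot: when ca_is_configured is False the "retrieving DS Certificate" step is skipped, so the instance silently relies on the caller having supplied pkcs12_info; the only thing enforcing that is the sys.exit in promote_check when --dirsrv-cert-file is absent. Raising an explicit error in DsInstance when neither a CA nor a PKCS#12 bundle is available would keep that invariant in the class that depends on it instead of in a distant caller.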
diff --git a/ipaserver/install/server/common.py b/ipaserver/install/server/common.py
index 82c2c9eac253f82baeffbebfa388718dcc30d14a..6464d89aa3784a6e6f2d7a60a3bbc2e0dd5ed6c1 100644
--- a/ipaserver/install/server/common.py
+++ b/ipaserver/install/server/common.py
@@ -53,7 +53,6 @@ class BaseServerCA(common.Installable, core.Group, core.Composite):
         description=("File containing the Directory Server SSL certificate "
                      "and private key"),
         cli_name='dirsrv-cert-file',
-        cli_aliases=['dirsrv_pkcs12'],
         cli_metavar='FILE',
     )
 
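Review bot: dropping the cli_aliases from BaseServerCA changes the ipa-replica-install command line (the deprecated --dirsrv_pkcs12 and --*_pin spellings stop being accepted there, while ipa-server-install keeps them through ServerCA); the commit message only cites the ticket, so add a sentence stating that the aliases are removed for replica install, so the change is visible in the history.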
@@ -62,7 +61,6 @@ class BaseServerCA(common.Installable, core.Group, core.Composite):
         description=("File containing the Apache Server SSL certificate and "
                      "private key"),
         cli_name='http-cert-file',
-        cli_aliases=['http_pkcs12'],
         cli_metavar='FILE',
     )
 
@@ -71,7 +69,6 @@ class BaseServerCA(common.Installable, core.Group, core.Composite):
         description=("File containing the Kerberos KDC SSL certificate and "
                      "private key"),
         cli_name='pkinit-cert-file',
-        cli_aliases=['pkinit_pkcs12'],
         cli_metavar='FILE',
     )
 
@@ -79,7 +76,6 @@ class BaseServerCA(common.Installable, core.Group, core.Composite):
         str, None,
         sensitive=True,
         description="The password to unlock the Directory Server private key",
-        cli_aliases=['dirsrv_pin'],
         cli_metavar='PIN',
     )
 
@@ -87,7 +83,6 @@ class BaseServerCA(common.Installable, core.Group, core.Composite):
         str, None,
         sensitive=True,
         description="The password to unlock the Apache Server private key",
-        cli_aliases=['http_pin'],
         cli_metavar='PIN',
     )
 
@@ -95,7 +90,6 @@ class BaseServerCA(common.Installable, core.Group, core.Composite):
         str, None,
         sensitive=True,
         description="The password to unlock the Kerberos KDC private key",
-        cli_aliases=['pkinit_pin'],
         cli_metavar='PIN',
     )
 
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 3c9a527d6d11db345cfed835a89e885860b5608a..5f87ad0664e205e337da772566d2b476794445bd 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -49,7 +49,7 @@ try:
 except ImportError:
     _server_trust_ad_installed = False
 
-from .common import BaseServer
+from .common import BaseServer, BaseServerCA
 
 SYSRESTORE_DIR_PATH = paths.SYSRESTORE
 
@@ -1140,6 +1140,54 @@ def uninstall(installer):
     sys.exit(rv)
 
 
+class ServerCA(BaseServerCA):
+
+    # FIXME: Following Knobs are inherited because framework is not able to
+    # help groups correctly.
+
+    external_ca = Knob(BaseServerCA.external_ca)
+    external_ca_type = Knob(BaseServerCA.external_ca_type)
+    external_cert_files = Knob(BaseServerCA.external_cert_files)
+
+    dirsrv_cert_files = Knob(
+        BaseServerCA.dirsrv_cert_files,
+        cli_aliases=['dirsrv_pkcs12'],
+    )
+
+    http_cert_files = Knob(
+        BaseServerCA.http_cert_files,
+        cli_aliases=['http_pkcs12'],
+    )
+
+    pkinit_cert_files = Knob(
+        BaseServerCA.pkinit_cert_files,
+        cli_aliases=['pkinit_pkcs12'],
+    )
+
+    dirsrv_pin = Knob(
+        BaseServerCA.dirsrv_pin,
+        cli_aliases=['dirsrv_pin'],
+    )
+
+    http_pin = Knob(
+        BaseServerCA.http_pin,
+        cli_aliases=['http_pin'],
+    )
+
+    pkinit_pin = Knob(
+        BaseServerCA.pkinit_pin,
+        cli_aliases=['pkinit_pin'],
+    )
+
+    dirsrv_cert_name = Knob(BaseServerCA.dirsrv_cert_name)
+    http_cert_name = Knob(BaseServerCA.http_cert_name)
+    pkinit_cert_name = Knob(BaseServerCA.pkinit_cert_name)
+    ca_cert_files = Knob(BaseServerCA.ca_cert_files)
+    subject = Knob(BaseServerCA.subject)
+    ca_signing_algorithm = Knob(BaseServerCA.ca_signing_algorithm)
+    skip_schema_check = None
+
+
 class Server(BaseServer):
     realm_name = Knob(BaseServer.realm_name)
     domain_name = Knob(BaseServer.domain_name)
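Review bot: the FIXME comment at the top of ServerCA does not parse ("framework is not able to help groups correctly", presumably "handle groups"). Reword it to say what actually goes wrong (inherited knobs are not picked up by the option group, which is why ipa-server-install shows two "certificate system" groups) and that every knob of BaseServerCA has to be mirrored here until the framework is fixed, otherwise the two classes will drift apart when a knob is added to the base.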
@@ -1227,9 +1275,6 @@ class Server(BaseServer):
         cli_name='no_hbac_allow',
     )
 
-    # ca
-    skip_schema_check = None
-
     # dns
     dnssec_master = None
     disable_dnssec_master = None
@@ -1253,6 +1298,8 @@ class Server(BaseServer):
         self._ca_cert = None
         self._update_hosts_file = False
 
+        # pylint: disable=no-member
+
         if self.uninstalling:
             if (self.realm_name or self.admin_password or
                     self.master_password):
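Review bot: a `# pylint: disable=no-member` on a line of its own disables the check for the rest of the enclosing block (here the remainder of Server.__init__), which is much wider than the single-line suppression it replaces in the next hunk. If the intent is only to cover the self.dns and self.ca attribute accesses, put the pragma inline on those lines, or add a matching `# pylint: enable=no-member` once they are past.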
@@ -1265,7 +1312,6 @@ class Server(BaseServer):
                     "In unattended mode you need to provide at least -r, -p "
                     "and -a options")
             if self.setup_dns:
-                #pylint: disable=no-member
                 if (not self.dns.forwarders and not self.dns.no_forwarders
                     and not self.dns.auto_forwarders):
                     raise RuntimeError(
@@ -1277,6 +1323,8 @@ class Server(BaseServer):
                 "idmax (%s) cannot be smaller than idstart (%s)" %
                 (self.idmax, self.idstart))
 
+    ca = core.Component(ServerCA)
+
     @step()
     def main(self):
         install_check(self)
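Review bot: `ca = core.Component(ServerCA)` is inserted between __init__ and main(); the other knobs and components of Server are declared before __init__, so move this line up next to them (where the removed `# ca` block was) to keep the class layout consistent.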
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index eac42dab2a3f94c4e9c4f0f2d0d1b84d4a1f0847..f8f7362bd6f65f2c712fdd965d2f953b85236a6f 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -32,6 +32,7 @@ from ipaserver.install import (
     ntpinstance, otpdinstance, custodiainstance, service)
 from ipaserver.install.installutils import create_replica_config
 from ipaserver.install.installutils import ReplicaConfig
+from ipaserver.install.installutils import load_pkcs12
 from ipaserver.install.replication import (
     ReplicationManager, replica_conn_check)
 import SSSDConfig
@@ -87,13 +88,21 @@ def install_http_certs(config, fstore):
     # FIXME: need Signing-Cert too ?
 
 
-def install_replica_ds(config, options, promote=False):
+def install_replica_ds(config, options, ca_is_configured, promote=False,
+                       pkcs12_info=None):
     dsinstance.check_ports()
 
     # if we have a pkcs12 file, create the cert db from
     # that. Otherwise the ds setup will create the CA
     # cert
-    pkcs12_info = make_pkcs12_info(config.dir, "dscert.p12", "dirsrv_pin.txt")
+    if pkcs12_info is None:
+        pkcs12_info = make_pkcs12_info(config.dir, "dscert.p12",
+                                       "dirsrv_pin.txt")
+
+    if promote:
+        ca_file = paths.IPA_CA_CRT
+    else:
+        ca_file = os.path.join(config.dir, "ca.crt")
 
     ds = dsinstance.DsInstance(
         config_ldif=options.dirsrv_config_file)
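Review bot: in the promote path pkcs12_info still falls back to make_pkcs12_info(config.dir, "dscert.p12", "dirsrv_pin.txt"), but with promotion config.dir is installer._top_dir (set in promote_check) rather than an unpacked replica file, so dscert.p12 will not be there; confirm make_pkcs12_info returns None for a missing file rather than raising, or guard the fallback with `if pkcs12_info is None and not promote:`.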
@@ -105,8 +114,8 @@ def install_replica_ds(config, options, promote=False):
         dm_password=config.dirman_password,
         subject_base=config.subject_base,
         pkcs12_info=pkcs12_info,
-        ca_is_configured=ipautil.file_exists(config.dir + "/cacert.p12"),
-        ca_file=config.dir + "/ca.crt",
+        ca_is_configured=ca_is_configured,
+        ca_file=ca_file,
         promote=promote,
     )
 
@@ -144,11 +153,19 @@ def install_ca_cert(ldap, base_dn, realm, cafile):
         sys.exit(1)
 
 
-def install_http(config, auto_redirect, promote=False):
+def install_http(config, auto_redirect, ca_is_configured, promote=False,
+                 pkcs12_info=None):
     # if we have a pkcs12 file, create the cert db from
     # that. Otherwise the ds setup will create the CA
     # cert
-    pkcs12_info = make_pkcs12_info(config.dir, "httpcert.p12", "http_pin.txt")
+    if pkcs12_info is None:
+        pkcs12_info = make_pkcs12_info(config.dir, "httpcert.p12",
+                                       "http_pin.txt")
+
+    if promote:
+        ca_file = paths.IPA_CA_CRT
+    else:
+        ca_file = os.path.join(config.dir, "ca.crt")
 
     memcache = memcacheinstance.MemcacheInstance()
     memcache.create_instance('MEMCACHE', config.host_name,
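Review bot: the pkcs12_info fallback and the promote-dependent ca_file selection are now duplicated verbatim between install_http and install_replica_ds; a small helper such as `_replica_ca_file(config, promote)` returning paths.IPA_CA_CRT or os.path.join(config.dir, "ca.crt") would keep the two from diverging.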
@@ -159,9 +176,8 @@ def install_http(config, auto_redirect, promote=False):
     http.create_instance(
         config.realm_name, config.host_name, config.domain_name,
         config.dirman_password, False, pkcs12_info,
-        auto_redirect=auto_redirect, ca_file=config.dir + "/ca.crt",
-        ca_is_configured=ipautil.file_exists(config.dir + "/cacert.p12"),
-        promote=promote)
+        auto_redirect=auto_redirect, ca_file=ca_file,
+        ca_is_configured=ca_is_configured, promote=promote)
 
     http.setup_firefox_extension(config.realm_name, config.domain_name)
 
@@ -654,7 +670,7 @@ def install(installer):
             ntp.create_instance()
 
         # Configure dirsrv
-        ds = install_replica_ds(config, options)
+        ds = install_replica_ds(config, options, installer._ca_enabled)
 
         # Always try to install DNS records
         install_dns_records(config, options, remote_api)
@@ -675,7 +691,8 @@ def install(installer):
         ca.install(False, config, options)
 
     krb = install_krb(config, setup_pkinit=not options.no_pkinit)
-    http = install_http(config, auto_redirect=not options.no_ui_redirect)
+    http = install_http(config, auto_redirect=not options.no_ui_redirect,
+                        ca_is_configured=installer._ca_enabled)
 
     otpd = otpdinstance.OtpdInstance()
     otpd.create_instance('OTPD', config.host_name, config.dirman_password,
@@ -799,6 +816,67 @@ def promote_check(installer):
     config.setup_kra = options.setup_kra
     config.dir = installer._top_dir
 
+    http_pkcs12_file = None
+    http_pkcs12_info = None
+    dirsrv_pkcs12_file = None
+    dirsrv_pkcs12_info = None
+    pkinit_pkcs12_file = None
+    pkinit_pkcs12_info = None
+
+    if options.http_cert_files:
+        if options.http_pin is None:
+            options.http_pin = installutils.read_password(
+                "Enter Apache Server private key unlock",
+                confirm=False, validate=False)
+            if options.http_pin is None:
+                sys.exit(
+                    "Apache Server private key unlock password required")
+        http_pkcs12_file, http_pin, http_ca_cert = load_pkcs12(
+            cert_files=options.http_cert_files,
+            key_password=options.http_pin,
+            key_nickname=options.http_cert_name,
+            ca_cert_files=options.ca_cert_files,
+            host_name=config.host_name)
+        http_pkcs12_info = (http_pkcs12_file.name, http_pin)
+
+    if options.dirsrv_cert_files:
+        if options.dirsrv_pin is None:
+            options.dirsrv_pin = installutils.read_password(
+                "Enter Directory Server private key unlock",
+                confirm=False, validate=False)
+            if options.dirsrv_pin is None:
+                sys.exit(
+                    "Directory Server private key unlock password required")
+        dirsrv_pkcs12_file, dirsrv_pin, dirsrv_ca_cert = load_pkcs12(
+            cert_files=options.dirsrv_cert_files,
+            key_password=options.dirsrv_pin,
+            key_nickname=options.dirsrv_cert_name,
+            ca_cert_files=options.ca_cert_files,
+            host_name=config.host_name)
+        dirsrv_pkcs12_info = (dirsrv_pkcs12_file.name, dirsrv_pin)
+
+    if options.pkinit_cert_files:
+        if options.pkinit_pin is None:
+            options.pkinit_pin = installutils.read_password(
+                "Enter Kerberos KDC private key unlock",
+                confirm=False, validate=False)
+            if options.pkinit_pin is None:
+                sys.exit(
+                    "Kerberos KDC private key unlock password required")
+        pkinit_pkcs12_file, pkinit_pin, pkinit_ca_cert = load_pkcs12(
+            cert_files=options.pkinit_cert_files,
+            key_password=options.pkinit_pin,
+            key_nickname=options.pkinit_cert_name,
+            ca_cert_files=options.ca_cert_files,
+            host_name=config.host_name)
+        pkinit_pkcs12_info = (pkinit_pkcs12_file.name, pkinit_pin)
+
+    if (options.http_cert_files and options.dirsrv_cert_files and
+            http_ca_cert != dirsrv_ca_cert):
+        raise RuntimeError("Apache Server SSL certificate and Directory "
+                           "Server SSL certificate are not signed by the same"
+                           " CA certificate")
+
     installutils.verify_fqdn(config.host_name, options.no_host_dns)
     installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
     installutils.check_creds(options, config.realm_name)
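Review bot: the three http/dirsrv/pkinit blocks are the same dozen lines with the names swapped; a helper taking (cert_files, pin, cert_name, prompt text) and returning (file, info, ca_cert) would shrink this and make the consistency check easier to extend. As written, pkinit_ca_cert is assigned and never used, so a PKINIT certificate signed by a different CA than the HTTP and DS ones passes the check at the bottom; either include it in the comparison or drop the variable. Also, the file objects returned by load_pkcs12 are kept on the installer but nothing in this patch closes them; confirm they are cleaned up after install_replica_ds and install_http have consumed them.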
@@ -907,11 +985,18 @@ def promote_check(installer):
         if ca_host is not None:
             config.ca_host_name = ca_host
             ca_enabled = True
+            if options.dirsrv_cert_files:
+                root_logger.error("Certificates could not be provided when "
+                                  "CA is present on some master.")
+                sys.exit(3)
         else:
-            # FIXME: add way to pass in certificates
-            root_logger.error("The remote master does not have a CA "
-                              "installed, can't proceed without certs")
-            sys.exit(3)
+            ca_enabled = False
+            if not options.dirsrv_cert_files:
+                root_logger.error("Cannot issue certificates: a CA is not "
+                                  "installed. Use the --http-cert-file, "
+                                  "--dirsrv-cert-file options to provide "
+                                  "custom certificates.")
+                sys.exit(3)
 
         config.kra_host_name = service.find_providing_server('KRA', conn,
                                                              api.env.server)
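Review bot: "Certificates could not be provided when CA is present on some master." should read "cannot be provided", and the message in the else branch lists --http-cert-file and --dirsrv-cert-file but not --pkinit-cert-file, which Replica.__init__ also accepts. Both branches test only options.dirsrv_cert_files; that is correct only because Replica.__init__ guarantees --dirsrv-cert-file and --http-cert-file are given together, so a one-line comment saying so would save the next reader a lookup.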
@@ -969,6 +1054,12 @@ def promote_check(installer):
     installer._fstore = fstore
     installer._sstore = sstore
     installer._config = config
+    installer._dirsrv_pkcs12_file = dirsrv_pkcs12_file
+    installer._dirsrv_pkcs12_info = dirsrv_pkcs12_info
+    installer._http_pkcs12_file = http_pkcs12_file
+    installer._http_pkcs12_info = http_pkcs12_info
+    installer._pkinit_pkcs12_file = pkinit_pkcs12_file
+    installer._pkinit_pkcs12_info = pkinit_pkcs12_info
 
 
 @common_cleanup
@@ -977,6 +1068,12 @@ def promote(installer):
     fstore = installer._fstore
     sstore = installer._sstore
     config = installer._config
+    dirsrv_pkcs12_file = installer._dirsrv_pkcs12_file
+    dirsrv_pkcs12_info = installer._dirsrv_pkcs12_info
+    http_pkcs12_file = installer._http_pkcs12_file
+    http_pkcs12_info = installer._http_pkcs12_info
+    pkinit_pkcs12_file = installer._pkinit_pkcs12_file
+    pkinit_pkcs12_info = installer._pkinit_pkcs12_info
 
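Review bot: pkinit_pkcs12_info and pkinit_pkcs12_file are unpacked here but, within this patch, never forwarded: the later hunks pass dirsrv_pkcs12_info to install_replica_ds and http_pkcs12_info to install_http, while the install_krb call is untouched and krbinstance does not appear in the diffstat. Either wire the PKINIT PKCS#12 bundle through to install_krb or leave the pkinit handling out until it is used, so --pkinit-cert-file does not silently accept a file that is then ignored.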
     # Save client file and merge in server directives
     target_fname = paths.IPA_DEFAULT_CONF
@@ -1003,7 +1100,8 @@ def promote(installer):
 
     try:
         # Configure dirsrv
-        ds = install_replica_ds(config, options, promote=True)
+        ds = install_replica_ds(config, options, installer._ca_enabled,
+                                promote=True, pkcs12_info=dirsrv_pkcs12_info)
 
         # Always try to install DNS records
         install_dns_records(config, options, api)
@@ -1036,7 +1134,8 @@ def promote(installer):
         os.chmod(target_fname, 0o644)   # must be readable for httpd
 
     custodia = custodiainstance.CustodiaInstance(config.host_name,
-                                                 config.realm_name)
+                                                 config.realm_name,
+                                                 installer._ca_enabled)
     custodia.create_replica(config.master_host_name)
 
     krb = install_krb(config,
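Review bot: installer._ca_enabled is passed to CustodiaInstance as a bare third positional argument; since the parameter is new and has a default, `ca_is_configured=installer._ca_enabled` would make the call self-explanatory and match the keyword style used for install_http in the next hunk.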
@@ -1045,7 +1144,8 @@ def promote(installer):
 
     http = install_http(config,
                         auto_redirect=not options.no_ui_redirect,
-                        promote=True)
+                        promote=True, pkcs12_info=http_pkcs12_info,
+                        ca_is_configured=installer._ca_enabled)
 
     # Apply any LDAP updates. Needs to be done after the replica is synced-up
     service.print_msg("Applying LDAP updates")
@@ -1163,15 +1263,6 @@ class Replica(BaseServer):
     external_ca = None
     external_ca_type = None
     external_cert_files = None
-    dirsrv_cert_files = None
-    http_cert_files = None
-    pkinit_cert_files = None
-    dirsrv_pin = None
-    http_pin = None
-    pkinit_pin = None
-    dirsrv_cert_name = None
-    http_cert_name = None
-    pkinit_cert_name = None
     ca_cert_files = None
     subject = None
     ca_signing_algorithm = None
@@ -1189,16 +1280,37 @@ class Replica(BaseServer):
         self._top_dir = None
         self._config = None
         self._update_hosts_file = False
+        self._dirsrv_pkcs12_file = None
+        self._http_pkcs12_file = None
+        self._pkinit_pkcs12_file = None
+        self._dirsrv_pkcs12_info = None
+        self._http_pkcs12_info = None
+        self._pkinit_pkcs12_info = None
+
+        # pylint: disable=no-member
+
+        cert_file_req = (self.ca.dirsrv_cert_files, self.ca.http_cert_files)
+        cert_file_opt = (self.ca.pkinit_cert_files,)
 
         if self.replica_file is None:
             self.promote = True
+            # If any of the PKCS#12 options are selected, all are required.
+            if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
+                raise RuntimeError("--dirsrv-cert-file and --http-cert-file "
+                                   "are required if any PKCS#12 options are "
+                                   "used")
         else:
             if not ipautil.file_exists(self.replica_file):
                 raise RuntimeError("Replica file %s does not exist"
                                    % self.replica_file)
 
+            if any(cert_file_req + cert_file_opt):
+                raise RuntimeError("You cannot specify any of "
+                                   "--dirsrv-cert-file, --http-cert-file, or "
+                                   "--pkinit-cert-file together with replica "
+                                   "file")
+
         if self.setup_dns:
-            #pylint: disable=no-member
             if (not self.dns.forwarders and not self.dns.no_forwarders
                 and not self.dns.auto_forwarders):
                 raise RuntimeError(
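Review bot: the "any PKCS#12 options" check only counts the *_cert_files knobs; --dirsrv-pin, --http-pin and --pkinit-pin (and the --*-cert-name knobs) are PKCS#12 options too, so a pin given without its certificate file passes this check and is only noticed later, if at all. Either include them in cert_file_opt or word the message so it is clear that only the cert-file options are meant. The standalone `# pylint: disable=no-member` here also applies to the whole remainder of __init__, not just the self.ca lines below it; an inline disable on those two lines keeps the suppression narrow.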
-- 
2.5.0
