https://fedorahosted.org/freeipa/ticket/5512
patch attached.
From 75b69aee3e3911cdf66c0d6dd40c49fd0da61492 Mon Sep 17 00:00:00 2001 From: Martin Basti <mba...@redhat.com> Date: Thu, 10 Dec 2015 13:46:07 +0100 Subject: [PATCH] Install RA cert during replica promotion This cert is needed with KRA to be able store and retrieve secrets. https://fedorahosted.org/freeipa/ticket/5512 --- ipaserver/install/cainstance.py | 4 ---- ipaserver/install/server/replicainstall.py | 8 ++++++++ 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 56ec3fe74e8d4adfe17f46a62f705021f6a81f75..99582b5e0d33afc1c97a8e5067a3a10498651869 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1335,12 +1335,8 @@ class CAInstance(DogtagInstance): self.step("setting audit signing renewal to 2 years", self.set_audit_renewal) - self.step("configure certmonger for renewals", - self.configure_certmonger_renewal) self.step("configure certificate renewals", self.configure_renewal) - self.step("configure RA certificate renewal", - self.configure_agent_renewal) self.step("configure Server-Cert certificate renewal", self.track_servercert) self.step("Configure HTTP to proxy connections", diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 4f239aacd50ab8692830a6f4505c66ba9b1518b2..bd2de16fc4a0ff5a050eebd942682e13de0b1583 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -1282,6 +1282,14 @@ def promote(installer): installer._ca_enabled) custodia.create_replica(config.master_host_name) + if installer._ca_enabled: + CA = cainstance.CAInstance(config.realm_name, certs.NSS_DIR) + + CA.configure_certmonger_renewal() + CA.configure_agent_renewal() + cainstance.export_kra_agent_pem() + CA.fix_ra_perms() + krb = install_krb(config, setup_pkinit=not options.no_pkinit, promote=True) -- 2.5.0
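Review bot: The new `if installer._ca_enabled:` block in `promote()` handles the RA agent credential without saying where the cert comes from or what file modes result, and `cainstance.export_kra_agent_pem()` runs before `CA.fix_ra_perms()`. The helper bodies are not in this diff, so please confirm that the exported PEM (which presumably carries the agent private key) gets restrictive ownership and mode from the export itself rather than from the later call, and that a missing RA cert in `certs.NSS_DIR` aborts the promotion instead of leaving the replica half-configured. If that is the precondition, a comment above the block would help, for example `# RA agent cert must already be present in certs.NSS_DIR; track it with certmonger and export the agent PEM used for KRA access`. The first hunk drops `configure_certmonger_renewal` and `configure_agent_renewal` from a CAInstance step list whose enclosing method is not visible; if any non-promotion install path runs that method, it would lose RA cert renewal tracking. `promote()` itself starts and ends outside the hunk.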