authorJan Cholasta <jcholast@redhat.com>2015-06-08 08:32:58 +0000
committerJan Cholasta <jcholast@redhat.com>2015-06-08 15:32:33 +0000
commit4c70590c2a78b6d2cbfed585502442f733f26389 (patch)
tree9b4a98df249c431e7121c1e4e957af5f58e6e158 /ipaserver/install
parent90e400e57e1dd36d72808aa9bd54be8139b2c741 (diff)
install: Fix external CA server install
https://fedorahosted.org/freeipa/ticket/4468 Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'ipaserver/install')
-rw-r--r--ipaserver/install/ca.py32
-rw-r--r--ipaserver/install/server/install.py7
2 files changed, 19 insertions, 20 deletions
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index 8a8214c68..1ef8b2c41 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -25,9 +25,6 @@ def install_check(standalone, replica_config, options):
host_name = options.host_name
subject_base = options.subject
- if replica_config is None and options.external_cert_files:
- return
-
if replica_config is not None:
if standalone and api.env.ra_plugin == 'selfsign':
sys.exit('A selfsign CA can not be added')
@@ -51,17 +48,7 @@ def install_check(standalone, replica_config, options):
if standalone and api.Command.ca_is_enabled()['result']:
sys.exit("CA is already installed.\n")
- if options.external_ca:
- if cainstance.is_step_one_done():
- print("CA is already installed.\nRun the installer with "
- "--external-cert-file.")
- sys.exit(1)
- if ipautil.file_exists(paths.ROOT_IPA_CSR):
- print("CA CSR file %s already exists.\nIn order to continue "
- "remove the file and run the installer again." %
- paths.ROOT_IPA_CSR)
- sys.exit(1)
- elif options.external_cert_files:
+ if options.external_cert_files:
if not cainstance.is_step_one_done():
# This can happen if someone passes external_ca_file without
# already having done the first stage of the CA install.
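Review bot: The reordered branches make `options.external_cert_files` win silently when `options.external_ca` is set as well, and nothing in the visible lines says this precedence is intended. The same rule is repeated in `install()` in server/install.py as `if not options.external_cert_files and options.external_ca:`, so the two places have to be kept in sync by hand. A short comment above the branch would document it, e.g. `# stage 2 (--external-cert-file) takes precedence over stage 1 (external_ca)`. Option parsing is outside this diff, so if the combination is not already rejected there, failing early on it would be clearer still. The body of this branch continues past the end of the hunk.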
@@ -72,10 +59,21 @@ def install_check(standalone, replica_config, options):
external_cert_file, external_ca_file = installutils.load_external_cert(
options.external_cert_files, options.subject)
+ elif options.external_ca:
+ if cainstance.is_step_one_done():
+ print("CA is already installed.\nRun the installer with "
+ "--external-cert-file.")
+ sys.exit(1)
+ if ipautil.file_exists(paths.ROOT_IPA_CSR):
+ print("CA CSR file %s already exists.\nIn order to continue "
+ "remove the file and run the installer again." %
+ paths.ROOT_IPA_CSR)
+ sys.exit(1)
- if not cainstance.check_port():
- print ("IPA requires port 8443 for PKI but it is currently in use.")
- sys.exit("Aborting installation")
+ if not options.external_cert_files:
+ if not cainstance.check_port():
+ print("IPA requires port 8443 for PKI but it is currently in use.")
+ sys.exit("Aborting installation")
if standalone:
dirname = dsinstance.config_dirname(
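Review bot: The new guard `if not options.external_cert_files:` skips the port 8443 check without a comment saying why, so a reader cannot tell whether skipping it is safe. Presumably the PKI instance created in stage one already holds the port when the installer is re-run with the signed certificate; if that is the reason, record it with something like `# stage 2: the PKI instance from stage 1 may already be bound to 8443`. The two nested `if`s can also be written as one condition, `if not options.external_cert_files and not cainstance.check_port():`. `install_check` starts before this hunk and continues after it.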
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 6f47723bb..faa96127a 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -422,8 +422,6 @@ def install_check(options):
# Make sure the 389-ds ports are available
check_dirsrv(options.unattended)
- ca.install_check(False, None, options)
-
if options.conf_ntp:
try:
ipaclient.ntpconf.check_timedate_services()
@@ -578,6 +576,9 @@ def install_check(options):
else:
admin_password = options.admin_password
+ if setup_ca:
+ ca.install_check(False, None, options)
+
if setup_kra:
try:
kra.install_check(None, options, False,
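Review bot: The relocated call `ca.install_check(False, None, options)` passes two bare positional values whose meaning is only recoverable from the signature `install_check(standalone, replica_config, options)` shown in the ca.py hunks. Writing it as `ca.install_check(standalone=False, replica_config=None, options=options)` makes it clear that this is the non-standalone, non-replica path. The check now runs only when `setup_ca` is true, and that name is assigned outside this hunk. A one-line comment such as `# CA checks only apply when a CA is being configured` would record why the call moved.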
@@ -760,7 +761,7 @@ def install(options):
options.subject, 1101, 1100, None)
if setup_ca:
- if options.external_ca:
+ if not options.external_cert_files and options.external_ca:
# stage 1 of external CA installation
options.realm_name = realm_name
options.domain_name = domain_name