2 files changed, 8 insertions, 5 deletions

diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 6da7f6dbf..e39da4a21 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -36,6 +36,7 @@ from ipapython import ipautil
 from ipapython.dn import DN
 from ipalib import api, errors, pkcs10, x509
 from ipaserver.plugins.ldap2 import ldap2
+from ipaserver.install import cainstance, certs
 
 # This is a certmonger CA helper script for IPA CA subsystem cert renewal. See
 # https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/submit.txt for more
@@ -256,7 +257,11 @@ def main():
     if profile:
         handler = handlers.get(profile, request_and_store_cert)
     else:
-        handler = request_and_store_cert
+        ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
+        if ca.is_renewal_master():
+            handler = request_and_store_cert
+        else:
+            handler = retrieve_cert
 
     res = handler()
     for item in res[1:]:
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 99c008a67..6180e42b7 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -925,8 +925,7 @@ class CAInstance(service.Service):
                 pinfile='/etc/httpd/alias/pwdfile.txt',
                 secdir='/etc/httpd/alias',
                 pre_command=None,
-                post_command='restart_httpd',
-                profile='ipaRetrieval')
+                post_command='restart_httpd')
         except (ipautil.CalledProcessError, RuntimeError), e:
             root_logger.error(
                 "certmonger failed to start tracking certificate: %s" % str(e))
@@ -1504,8 +1503,7 @@ class CAInstance(service.Service):
                     pinfile=None,
                     secdir=self.dogtag_constants.ALIAS_DIR,
                     pre_command='stop_pkicad',
-                    post_command='restart_pkicad "%s"' % nickname,
-                    profile='ipaRetrieval')
+                    post_command='restart_pkicad "%s"' % nickname)
             except (ipautil.CalledProcessError, RuntimeError), e:
                 root_logger.error(
                     "certmonger failed to start tracking certificate: "