Split CA replica installation steps for domain level 0

Installation from replica file is broken because lightweight CA
replication setup is attempted before Kerberos is set up.  To fix
the issue, explicitly execute step 1 before Kerberos setup, and
step 2 afterwards.

Part of: https://fedorahosted.org/freeipa/ticket/5963

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>

1 files changed, 6 insertions, 1 deletions

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index e6e43024d..9d05a0be5 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -819,12 +819,17 @@ def install(installer):
         if ca_enabled:
             options.ra_p12 = config.dir + "/ra.p12"
 
-        ca.install(False, config, options)
+        ca.install_step_0(False, config, options)
 
     krb = install_krb(config, setup_pkinit=not options.no_pkinit)
     http = install_http(config, auto_redirect=not options.no_ui_redirect,
                         ca_is_configured=ca_enabled)
 
+    if config.setup_ca:
+        # Done after install_krb() because lightweight CA key
+        # retrieval setup needs to create kerberos principal.
+        ca.install_step_1(False, config, options)
+
     otpd = otpdinstance.OtpdInstance()
     otpd.create_instance('OTPD', config.host_name, config.dirman_password,
                          ipautil.realm_to_suffix(config.realm_name))