authorJan Cholasta <jcholast@redhat.com>2014-08-05 09:06:39 +0200
committerPetr Viktorin <pviktori@dhcp-31-13.brq.redhat.com>2014-09-05 13:59:04 +0200
commit6ad8c464a43260f8f58dc262f841c35be35b57b5 (patch)
treed596fb119f94b21a2c01c839a0659b74a4aacf6f /ipaserver/install/ipa_server_certinstall.py
parent418ce870bfbe13cea694a7b862cafe35c703f660 (diff)
Make CA-less ipa-server-install option --root-ca-file optional.
The CA cert specified by --root-ca-file option must always be the CA cert of the CA which issued the server certificates in the PKCS#12 files. As the cert is not actually user selectable, use CA cert from the PKCS#12 files by default if it is present. Document --root-ca-file in ipa-server-install man page. https://fedorahosted.org/freeipa/ticket/4457 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'ipaserver/install/ipa_server_certinstall.py')
-rw-r--r--ipaserver/install/ipa_server_certinstall.py3
1 files changed, 2 insertions, 1 deletions
diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py
index af5d21a2a..6300a14ae 100644
--- a/ipaserver/install/ipa_server_certinstall.py
+++ b/ipaserver/install/ipa_server_certinstall.py
@@ -154,7 +154,7 @@ class ServerCertInstall(admintool.AdminTool):
os.chown(os.path.join(dirname, 'secmod.db'), 0, pent.pw_gid)
def import_cert(self, dirname, pkcs12_passwd, old_cert, principal, command):
- server_cert = installutils.check_pkcs12(
+ installutils.check_pkcs12(
pkcs12_info=(self.pkcs12_fname, pkcs12_passwd),
ca_file=CACERT,
hostname=api.env.host)
@@ -166,6 +166,7 @@ class ServerCertInstall(admintool.AdminTool):
cdb.delete_cert(old_cert)
cdb.import_pkcs12(self.pkcs12_fname, pkcs12_passwd)
+ server_cert = cdb.find_server_certs()[0][0]
if api.env.enable_ra:
cdb.track_server_cert(server_cert, principal, cdb.passwd_fname,
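Review bot: `cdb.find_server_certs()[0][0]` in the second hunk takes whichever server certificate the NSS database lists first, and nothing visible ties it to the certificate that `installutils.check_pkcs12` validated in the first hunk, whose return value is now discarded. If the database in `dirname` holds a server certificate other than `old_cert`, tracking could be set up for the wrong nickname, and if the import yields none the index raises a bare IndexError. Consider `server_certs = cdb.find_server_certs()` followed by `if len(server_certs) != 1: raise admintool.ScriptError("expected exactly one server certificate in %s" % dirname)` before taking `server_certs[0][0]`. import_cert starts before the first hunk and the track_server_cert call runs past the end of this one, so any surrounding error handling is not visible here.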