server upgrade: fix upgrade from pre-4.0

update_ca_renewal_master uses ipaCert certmonger tracking information to
decide whether the local server is the CA renewal master or not. The
information is lost when migrating from /etc/httpd/alias to
/var/lib/ipa/radb in update_ra_cert_store.

Make sure update_ra_cert_store is executed after update_ca_renewal_master
so that correct information is used.

https://fedorahosted.org/freeipa/ticket/5959

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>

3 files changed, 3 insertions, 2 deletions

diff --git a/install/updates/05-pre_upgrade_plugins.update b/install/updates/05-pre_upgrade_plugins.update
index 19918efc6..d0e3eb7ce 100644
--- a/install/updates/05-pre_upgrade_plugins.update
+++ b/install/updates/05-pre_upgrade_plugins.update
@@ -8,4 +8,3 @@ plugin: update_referint
 plugin: update_uniqueness_plugins_to_new_syntax
 
 # last
-plugin: update_ra_cert_store
diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update
index 7c672e404..34069e745 100644
--- a/install/updates/90-post_upgrade_plugins.update
+++ b/install/updates/90-post_upgrade_plugins.update
@@ -15,6 +15,8 @@ plugin: update_idrange_type
 plugin: update_pacs
 plugin: update_service_principalalias
 plugin: update_upload_cacrt
+# update_ra_cert_store has to be executed after update_ca_renewal_master
+plugin: update_ra_cert_store
 
 # last
 # DNS version 1
diff --git a/ipaserver/install/plugins/ca_renewal_master.py b/ipaserver/install/plugins/ca_renewal_master.py
index 4fa4edb12..2447a3406 100644
--- a/ipaserver/install/plugins/ca_renewal_master.py
+++ b/ipaserver/install/plugins/ca_renewal_master.py
@@ -74,7 +74,7 @@ class update_ca_renewal_master(Updater):
                 return False, []
 
         criteria = {
-            'cert-database': paths.IPA_RADB_DIR,
+            'cert-database': paths.HTTPD_ALIAS_DIR,
             'cert-nickname': 'ipaCert',
         }
         request_id = certmonger.get_request_id(criteria)