author | Martin Basti <mbasti@redhat.com> | 2015-12-10 13:46:07 +0100 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2015-12-14 11:48:40 +0100 |
commit | bf9a34f4cfc2c514ff53efea4ba56e2c0cb3033f (patch) | |
tree | ce3963ed08bf6005b1108a6a01deb1a8ced19423 | |
parent | 099cf98307d4b2f0ace5d5e28754f264808bf59d (diff) | |
Install RA cert during replica promotion
This cert is needed with KRA to be able to store and retrieve secrets.
https://fedorahosted.org/freeipa/ticket/5512
Reviewed-By: David Kupka <dkupka@redhat.com>
-rw-r--r-- | ipaserver/install/cainstance.py | 4 | ||||
-rw-r--r-- | ipaserver/install/server/replicainstall.py | 8 |
2 files changed, 8 insertions, 4 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 692cac00f..8378aea47 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1344,12 +1344,8 @@ class CAInstance(DogtagInstance): self.step("setting audit signing renewal to 2 years", self.set_audit_renewal) - self.step("configure certmonger for renewals", - self.configure_certmonger_renewal) self.step("configure certificate renewals", self.configure_renewal) - self.step("configure RA certificate renewal", - self.configure_agent_renewal) self.step("configure Server-Cert certificate renewal", self.track_servercert) self.step("Configure HTTP to proxy connections", diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 311f0e577..1d5b528c8 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -1316,6 +1316,14 @@ def promote(installer): installer._ca_enabled) custodia.create_replica(config.master_host_name) + if installer._ca_enabled: + CA = cainstance.CAInstance(config.realm_name, certs.NSS_DIR) + + CA.configure_certmonger_renewal() + CA.configure_agent_renewal() + cainstance.export_kra_agent_pem() + CA.fix_ra_perms() + krb = install_krb(config, setup_pkinit=not options.no_pkinit, promote=True) |
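Review bot: In the added `if installer._ca_enabled:` block of promote(), `cainstance.export_kra_agent_pem()` writes out RA agent credential material before `CA.fix_ra_perms()` runs, and neither body is visible in this diff. If the export does not itself create the PEM with restrictive mode and ownership, the file is exposed until the later call, and stays exposed if anything in between raises. A comment above the call would pin the expectation, e.g. `# export_kra_agent_pem() must create the PEM with restrictive mode/ownership itself (TODO confirm); fix_ra_perms() runs afterwards`. The two renewal calls were `self.step(...)` entries in CAInstance before this commit (removed in the cainstance.py hunk), so they now run outside the step list; it is worth confirming that every other caller of that CAInstance method still gets RA certificate renewal tracking, since an untracked RA cert expires silently. promote() starts and ends outside the hunk, and the local name `CA` would conventionally be `ca`.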