author | Florence Blanc-Renaud <flo@redhat.com> | 2016-11-09 15:14:27 +0100 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2016-11-25 09:26:22 +0100 |
commit | 044d887e81d433b43c33b076a21fd1054796786e (patch) | |
tree | fd3ab4eb1e8003e006ed75eb0ef80e383cc3aa0f /ipalib/text.py | |
parent | e617f895e70e6812836870f504af6e22a5dc7def (diff) | |

Fix ipa-replica-install when upgrade from ca-less to ca-full

When ipa-replica-prepare is run on a master upgraded from CA-less to
CA-full, it creates the replica file with a copy of the local /etc/ipa/ca.crt.
This causes issues if this file hasn't been updated with ipa-certupdate,
as it contains the external CA that signed http/ldap certs, but not
the newly installed IPA CA.
As a consequence, ipa-replica-install fails with "Could not find a CA cert".

The fix consists in retrieving the CA certificates from LDAP instead of
the local /etc/ipa/ca.crt.

https://fedorahosted.org/freeipa/ticket/6375

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>

Diffstat (limited to 'ipalib/text.py')
0 files changed, 0 insertions, 0 deletions