authorJan Cholasta <jcholast@redhat.com>2017-03-01 15:43:20 +0000
committerJan Cholasta <jcholast@redhat.com>2017-03-02 09:10:22 +0000
commitba3c201a03cd0b224b43e45245147e48b7291f9f (patch)
tree41263806ddd5c9c0729b410ad25bc9a1034bafc3 /ipaserver
parenta7c8077ce8f72eee26e8f5d4362239313ffdae3d (diff)
server install: do not attempt to issue PKINIT cert in CA-less
Require the user to provide the PKINIT cert with --pkinit-cert-file or disable PKINIT with --no-pkinit in CA-less ipa-server-install, ipa-replica-prepare and ipa-replica-install. Do not attempt to issue the PKINIT cert in CA-less ipa-server-upgrade. https://pagure.io/freeipa/issue/5678 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/ipa_replica_prepare.py15
-rw-r--r--ipaserver/install/server/__init__.py15
-rw-r--r--ipaserver/install/server/upgrade.py39
3 files changed, 46 insertions, 23 deletions
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index 5f6b6e957..da13e7407 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -160,16 +160,21 @@ class ReplicaPrepare(admintool.AdminTool):
self.option_parser.error("You cannot specify a --reverse-zone "
"option together with --no-reverse")
- #Automatically disable pkinit w/ dogtag until that is supported
- options.setup_pkinit = False
-
# If any of the PKCS#12 options are selected, all are required.
cert_file_req = (options.dirsrv_cert_files, options.http_cert_files)
cert_file_opt = (options.pkinit_cert_files,)
+ if options.setup_pkinit:
+ cert_file_req += cert_file_opt
if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
self.option_parser.error(
- "--dirsrv-cert-file and --http-cert-file are required if any "
- "PKCS#12 options are used.")
+ "--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file "
+ "or --no-pkinit are required if any key file options are used."
+ )
+ if not options.setup_pkinit and options.pkinit_cert_files:
+ self.option_parser.error(
+ "--no-pkinit and --pkinit-cert-file cannot be specified "
+ "together"
+ )
if len(self.args) < 1:
self.option_parser.error(
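Review bot: The new `--no-pkinit and --pkinit-cert-file cannot be specified together` check is placed after the generic key-file check, so it is only reached when `--dirsrv-cert-file` and `--http-cert-file` are also supplied; with `--no-pkinit` and only `--pkinit-cert-file`, `any(cert_file_req + cert_file_opt)` is true and `all(cert_file_req)` is false, and the user gets the less specific "--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file or --no-pkinit are required" message instead. Moving the `if not options.setup_pkinit and options.pkinit_cert_files:` block above the `if any(cert_file_req + cert_file_opt) and not all(cert_file_req):` line gives the precise diagnostic in every case. The same ordering applies to the `self.no_pkinit` / `self.pkinit_cert_files` checks in ipaserver/install/server/__init__.py. The enclosing option-validation method continues outside the hunk.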
diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index 743da8d67..65dfa21c9 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -347,10 +347,18 @@ class ServerInstallInterface(client.ClientInstallInterface,
# If any of the key file options are selected, all are required.
cert_file_req = (self.dirsrv_cert_files, self.http_cert_files)
cert_file_opt = (self.pkinit_cert_files,)
+ if not self.no_pkinit:
+ cert_file_req += cert_file_opt
if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
raise RuntimeError(
- "--dirsrv-cert-file and --http-cert-file are required if any "
- "key file options are used.")
+ "--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file "
+ "or --no-pkinit are required if any key file options are used."
+ )
+ if self.no_pkinit and self.pkinit_cert_files:
+ raise RuntimeError(
+ "--no-pkinit and --pkinit-cert-file cannot be specified "
+ "together"
+ )
if not self.interactive:
if self.dirsrv_cert_files and self.dirsrv_pin is None:
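Review bot: The comment `# If any of the key file options are selected, all are required.` above `cert_file_req` no longer describes the rule, since `--pkinit-cert-file` is now only required when `--no-pkinit` is absent; suggest `# If any of the key file options are selected, all are required, except that --pkinit-cert-file may be replaced by --no-pkinit.` The matching `# If any of the PKCS#12 options are selected, all are required.` comment in ipaserver/install/ipa_replica_prepare.py has the same drift. Minor style point: after `cert_file_req += cert_file_opt` the `any(cert_file_req + cert_file_opt)` expression tests `pkinit_cert_files` twice in the PKINIT-enabled case; harmless, but `any(cert_file_req + cert_file_opt)` could be computed once into a named local for readability. The enclosing validation method continues outside the hunk.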
@@ -511,9 +519,6 @@ class ServerInstallInterface(client.ClientInstallInterface,
"You must specify at least one of --forwarder, "
"--auto-forwarders, or --no-forwarders options")
- # Automatically enable pkinit w/ dogtag
- self.no_pkinit = not self.setup_ca
-
ServerMasterInstallInterface = installs_master(ServerInstallInterface)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index d7271e595..b19c2f0ae 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1495,6 +1495,31 @@ def enable_anonymous_principal(krb):
pass
+def setup_pkinit(krb):
+ root_logger.info("[Setup PKINIT]")
+
+ if os.path.exists(paths.KDC_CERT):
+ root_logger.info("PKINIT already set up")
+ return
+
+ if not api.Command.ca_is_enabled()['result']:
+ root_logger.info("CA is not enabled")
+ return
+
+ krb.setup_pkinit()
+ replacevars = dict()
+ replacevars['pkinit_identity'] = 'FILE:{},{}'.format(
+ paths.KDC_CERT,paths.KDC_KEY)
+ appendvars = {}
+ ipautil.backup_config_and_replace_variables(
+ krb.fstore, paths.KRB5KDC_KDC_CONF, replacevars=replacevars,
+ appendvars=appendvars)
+ tasks.restore_context(paths.KRB5KDC_KDC_CONF)
+ if krb.is_running():
+ krb.stop()
+ krb.start()
+
+
def upgrade_configuration():
"""
Execute configuration upgrade of the IPA services
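Review bot: The new `setup_pkinit(krb)` has no docstring, and its early-return branch logs only `CA is not enabled`, which does not tell an administrator reading the upgrade log that PKINIT was deliberately left unconfigured on this CA-less server; suggest `root_logger.info("CA is not enabled, skipping PKINIT setup")` and a docstring stating that the function issues the KDC certificate via the IPA CA and points kdc.conf's pkinit_identity at it, that it is a no-op when the certificate already exists or the CA is not enabled, and that it restarts the KDC only if it was running. The function now reads `krb.fstore` where the removed code in upgrade_configuration used the module-level `fstore`; presumably `KrbInstance` exposes that attribute, but worth confirming since this is the only caller in the hunk. The `krb.stop()` / `krb.start()` pair could also be a single restart call if the service wrapper provides one. `setup_pkinit` is complete within the hunk; `upgrade_configuration` continues outside it.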
@@ -1763,19 +1788,7 @@ def upgrade_configuration():
KDC_CERT=paths.KDC_CERT,
KDC_KEY=paths.KDC_KEY,
CACERT_PEM=paths.CACERT_PEM)
- if not os.path.exists(paths.KDC_CERT):
- krb.setup_pkinit()
- replacevars = dict()
- replacevars['pkinit_identity'] = 'FILE:{},{}'.format(
- paths.KDC_CERT,paths.KDC_KEY)
- appendvars = {}
- ipautil.backup_config_and_replace_variables(
- fstore, paths.KRB5KDC_KDC_CONF, replacevars=replacevars,
- appendvars=appendvars)
- tasks.restore_context(paths.KRB5KDC_KDC_CONF)
- if krb.is_running():
- krb.stop()
- krb.start()
+ setup_pkinit(krb)
enable_anonymous_principal(krb)
http.request_anon_keytab()