From bf9a34f4cfc2c514ff53efea4ba56e2c0cb3033f Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Thu, 10 Dec 2015 13:46:07 +0100 Subject: Install RA cert during replica promotion This cert is needed with KRA to be able store and retrieve secrets. https://fedorahosted.org/freeipa/ticket/5512 Reviewed-By: David Kupka --- ipaserver/install/cainstance.py | 4 ---- ipaserver/install/server/replicainstall.py | 8 ++++++++ 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 692cac00f..8378aea47 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1344,12 +1344,8 @@ class CAInstance(DogtagInstance): self.step("setting audit signing renewal to 2 years", self.set_audit_renewal) - self.step("configure certmonger for renewals", - self.configure_certmonger_renewal) self.step("configure certificate renewals", self.configure_renewal) - self.step("configure RA certificate renewal", - self.configure_agent_renewal) self.step("configure Server-Cert certificate renewal", self.track_servercert) self.step("Configure HTTP to proxy connections", diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 311f0e577..1d5b528c8 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -1316,6 +1316,14 @@ def promote(installer): installer._ca_enabled) custodia.create_replica(config.master_host_name) + if installer._ca_enabled: + CA = cainstance.CAInstance(config.realm_name, certs.NSS_DIR) + + CA.configure_certmonger_renewal() + CA.configure_agent_renewal() + cainstance.export_kra_agent_pem() + CA.fix_ra_perms() + krb = install_krb(config, setup_pkinit=not options.no_pkinit, promote=True) -- cgit
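Review bot: The new `if installer._ca_enabled:` block in promote() carries no comment, and its guard does not obviously match the commit message, which ties the RA cert to KRA while the block runs whenever a CA is enabled. A comment above the block such as `# RA cert is needed with KRA to store and retrieve secrets (ticket 5512)` would help, along with a line on why `_ca_enabled` is the right condition. `cainstance.export_kra_agent_pem()` presumably writes the agent certificate and key to a PEM file (its body is not in this diff), and `CA.fix_ra_perms()` runs only after it, so please confirm the export sets restrictive mode and ownership itself rather than relying on the later call. The two renewal steps deleted from the CAInstance step list in cainstance.py are now reached only through this branch, so any other caller of that step list would lose RA certificate renewal tracking; the enclosing method is outside that hunk and needs checking against the full file. promote() itself begins and ends outside this hunk.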