authorPetr Viktorin <pviktori@redhat.com>2013-01-24 11:11:03 -0500
committerMartin Kosek <mkosek@redhat.com>2013-01-29 15:42:24 +0100
commitb382a77fc393a078ebbba8000284dd9abe75a3d5 (patch)
treeb6cc50bec15a71d24a17220d1fb7cf8932b762ca
parent77bb4b517769f7707514b0f7e3da5762ff0f1cc4 (diff)
Add the CA cert to LDAP after the CA install
The DS is installed before the CA cert is generated. Trying to add the cert to LDAP before it exists resulted in a nasty-looking error message. This moves the cert upload to after the CA cert is ready and the certdb is created. Move the cert upload to after the certdb is generated. https://fedorahosted.org/freeipa/ticket/3375
-rwxr-xr-xinstall/tools/ipa-server-install3
-rw-r--r--ipaserver/install/dsinstance.py3
2 files changed, 4 insertions, 2 deletions
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 9bb404615..15591071b 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -1030,6 +1030,9 @@ def main():
ca.enable_client_auth_to_db()
ca.restart()
+ # Upload the CA cert to the directory
+ ds.upload_ca_cert()
+
# Create a kerberos instance
if options.pkinit_pin:
[pw_fd, pw_name] = tempfile.mkstemp()
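Review bot: The `ds.upload_ca_cert()` call added after `ca.restart()` is a bare call in main() rather than the `self.step(...)` entry it replaces in dsinstance.py, so as far as this hunk shows it loses the step's progress reporting, and a failure is handled only by whatever main() does with an exception. The directory copy of the CA cert is presumably what other hosts read as their trust anchor, so a failed or skipped upload should stop the install with a clear message; whether this call sits on a path that always has a CA cert cannot be told from here, since main() continues outside the hunk. The comment could record the ordering constraint from the commit message, e.g. `# Must run after the CA and certdb exist; the cert is not yet available when the DS is set up`. The rename from `__upload_ca_cert` to `upload_ca_cert` drops name mangling, so any other `self.__upload_ca_cert` reference in dsinstance.py (none is visible in these hunks) would need the same update.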
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 76ef68726..367496f18 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -262,7 +262,6 @@ class DsInstance(service.Service):
self.step("adding range check plugin", self.__add_range_check_plugin)
if hbac_allow:
self.step("creating default HBAC rule allow_all", self.add_hbac)
- self.step("Upload CA cert to the directory", self.__upload_ca_cert)
self.__common_post_setup()
@@ -589,7 +588,7 @@ class DsInstance(service.Service):
# check for open secure port 636 from now on
self.open_ports.append(636)
- def __upload_ca_cert(self):
+ def upload_ca_cert(self):
"""
Upload the CA certificate in DER form in the LDAP directory.
"""