diff options
-rwxr-xr-x | install/tools/ipa-ca-install | 13 | ||||
-rwxr-xr-x | install/tools/ipa-replica-prepare | 3 | ||||
-rw-r--r-- | ipaserver/install/certs.py | 13 |
3 files changed, 22 insertions, 7 deletions
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 453877457..37fa6269b 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -83,6 +83,12 @@ def main(): if not dsinstance.DsInstance().is_configured(): sys.exit("IPA server is not configured on this system.\n") + api.bootstrap(in_server=True) + api.finalize() + + if certs.ipa_self_signed(): + sys.exit('A selfsign CA can not be added') + # get the directory manager password dirman_password = options.password if not dirman_password: @@ -129,16 +135,9 @@ def main(): if not options.skip_conncheck: replica_conn_check(config.master_host_name, config.host_name, config.realm_name, True, options.admin_password) - api.bootstrap(in_server=True) - api.finalize() - # Configure the CA if necessary (CA, cs) = cainstance.install_replica_ca(config, postinstall=True) - if not CA: - # not a dogtag CA replica - sys.exit("Not a dogtag CA installation!") - # We need to ldap_enable the CA now that DS is up and running CA.ldap_enable('CA', config.host_name, config.dirman_password, util.realm_to_suffix(config.realm_name)) diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare index 16536b378..038fd69c9 100755 --- a/install/tools/ipa-replica-prepare +++ b/install/tools/ipa-replica-prepare @@ -243,6 +243,9 @@ def main(): if not options.pkinit_pkcs12 and not certs.ipa_self_signed(): options.setup_pkinit = False + if certs.ipa_self_signed_master() == False: + sys.exit('A selfsign CA backend can only prepare on the original master') + try: installutils.verify_fqdn(replica_fqdn, system_name_check=False) except RuntimeError, e: diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index affa26127..feac48a89 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -65,6 +65,19 @@ def ipa_self_signed(): else: return False +def ipa_self_signed_master(): + """ + The selfsign backend is enabled only one a single master. + + Return True/False whether this is that master. + + Returns None if not a self-signed server. + """ + if ipa_self_signed(): + return api.env.enable_ra + else: + return None + def find_cert_from_txt(cert, start=0): """ Given a cert blob (str) which may or may not contian leading and |