From 5dbb3101cee7a96ec8eef40be8e802d456c0d06c Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Mon, 22 Jan 2024 08:36:27 -0500
Subject: [PATCH] Server affinity: call ca.install() if there is a CA in the topology

This should not have been gated on options.setup_ca because we need the RA agent on all servers if there is a CA in the topology otherwise the non-CA servers won't be able to communicate with the CA.

Fixes: https://pagure.io/freeipa/issue/9510

Signed-off-by: Rob Crittenden
Reviewed-By: Florence Blanc-Renaud
---
 ipaserver/install/ca.py | 7 ++++---
 ipaserver/install/server/replicainstall.py | 7 +++++--
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index c93ae1fce..187f8032b 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -387,9 +387,10 @@ def install_step_0(standalone, replica_config, options, custodia):
         promote = False
     else:
         cafile = os.path.join(replica_config.dir, 'cacert.p12')
-        custodia.get_ca_keys(
-            cafile,
-            replica_config.dirman_password)
+        if replica_config.setup_ca:
+            custodia.get_ca_keys(
+                cafile,
+                replica_config.dirman_password)
 
     ca_signing_algorithm = None
     ca_type = None
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 191913ddb..b3fd27e6a 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
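Review bot: `cafile` is still assigned above the new `if replica_config.setup_ca:` guard, so on a replica that does not host a CA it now names a `cacert.p12` that `custodia.get_ca_keys()` never retrieves; any later use of `cafile` in `install_step_0`, which continues past the hunk, has to be gated the same way or it will point at a file that was never written. Since the whole point of the patch is that such replicas still run `ca.install()`, that downstream path is now exercised and is worth confirming. The guard itself is the right least-privilege split (the RA agent is needed everywhere, the CA key material only where a CA is set up), and that deserves a comment so it is not "simplified" away later, e.g. `# Non-CA replicas still run ca.install() for the RA agent; only a server that will host a CA needs the CA key material from custodia.`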
@@ -1382,11 +1382,13 @@ def install(installer):
     custodia = custodiainstance.get_custodia_instance(config, mode)
     custodia.create_instance()
 
-    if options.setup_ca and ca_enabled:
+    if ca_enabled:
         options.realm_name = config.realm_name
         options.domain_name = config.domain_name
         options.host_name = config.host_name
         options.dm_password = config.dirman_password
+        # Always call ca.install() if there is a CA in the topology
+        # to ensure the RA agent is present.
         ca.install(False, config, options, custodia=custodia)
 
     # configure PKINIT now that all required services are in place
@@ -1398,7 +1400,8 @@ def install(installer):
     service.print_msg("Finalize replication settings")
     ds.finalize_replica_config()
 
-    if options.setup_kra and kra_enabled:
+    if kra_enabled:
+        # The KRA installer checks for itself the status of setup_kra
         kra.install(api, config, options, custodia=custodia)
 
     service.print_msg("Restarting the KDC")
-- 
2.43.0
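Review bot: The removed condition tested `options.setup_ca`, while the ca.py hunk in this same patch gates CA key retrieval on `replica_config.setup_ca`, i.e. the `config` object passed here; nothing in the hunk shows that `config.setup_ca` is kept in step with the option, so the new behaviour depends on that being done earlier in `install()`, which starts outside the hunk and is worth confirming. The added comment should also say where the CA-versus-RA-agent decision now lives, since this call site no longer makes it, e.g. `# Every server in a CA topology needs the RA agent, so ca.install() runs unconditionally; it consults config.setup_ca itself before fetching CA key material.` The same option-versus-config divergence applies to the KRA hunk below, where `options.setup_kra` was dropped.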
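Review bot: The commit message only explains the CA side, yet this hunk also makes `kra.install()` run on every replica in a KRA topology, and the new comment (`checks for itself the status of setup_kra`) is hard to parse and does not say what the installer does on a replica without a KRA. Please extend the commit message with the KRA rationale and tighten the comment to something like `# kra.install() runs on every replica in a KRA topology; it checks setup_kra itself, so the local KRA setup still depends on that flag.`, assuming that is indeed how kra.install() behaves. `install()` continues before and after this hunk.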