From 0c3b7bd3b51626fc7f29c98087e1d59ea079bcda Mon Sep 17 00:00:00 2001

From: Florence Blanc-Renaud <flo@redhat.com>

Date: Thu, 1 Sep 2016 15:53:38 +0200

Subject: [PATCH] Fix ipa-certupdate for CA-less installation

In a CA-less installation, ipa-certupdate fails with the error message:

  $ ipa-certupdate

  trying https://vm-180.abc.idm.lab.eng.brq.redhat.com/ipa/session/json

  Forwarding 'ca_is_enabled' to json server 'https://vm-180.abc.idm.lab.eng.brq.redhat.com/ipa/session/json'

  Forwarding 'ca_find/1' to json server 'https://vm-180.abc.idm.lab.eng.brq.redhat.com/ipa/session/json'

  CA is not configured

  The ipa-certupdate command failed.

The issue happens because ipa-certupdate tries to call ca_find even on a

CA_less deployment. The fix skips the call to ca_find in this case.

https://fedorahosted.org/freeipa/ticket/6288

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>

---

 ipaclient/ipa_certupdate.py | 7 ++++---

 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/ipaclient/ipa_certupdate.py b/ipaclient/ipa_certupdate.py

index e59047a2705eb8ccb98b5213c4c8771f55a29bc5..f340f32bcdca5f5d98177f7aa9af366b67d8dd80 100644

--- a/ipaclient/ipa_certupdate.py

+++ b/ipaclient/ipa_certupdate.py

@@ -87,9 +87,10 @@ class CertUpdate(admintool.AdminTool):

             # find lightweight CAs (on renewal master only)

             lwcas = []

-            for ca_obj in api.Command.ca_find()['result']:

-                if IPA_CA_CN not in ca_obj['cn']:

-                    lwcas.append(ca_obj)

+            if ca_enabled:

+                for ca_obj in api.Command.ca_find()['result']:

+                    if IPA_CA_CN not in ca_obj['cn']:

+                        lwcas.append(ca_obj)

             api.Backend.rpcclient.disconnect()

         finally:

-- 

2.7.4