From 78bf80e55dd74fc0279cf6a76345865b0d5e5d32 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Fri, 26 Oct 2018 18:12:29 +0200
Subject: [PATCH] Keep Dogtag's client db in external CA step 1
Don't remove /root/.dogtag/pki-tomcat when performing step 1 of external CA installation process. Dogtag 10.6.7 changed behavior and no longer re-creates the client database in step 2.
Fixes: https://pagure.io/freeipa/issue/7742
Signed-off-by: Christian Heimes
Reviewed-By: Rob Crittenden
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 59c0eadf1..61ccb6dff 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -483,7 +483,12 @@ class CAInstance(DogtagInstance):
 try:
 self.start_creation(runtime=runtime)
 finally:
- self.clean_pkispawn_files()
+ if self.external == 1:
+ # Don't remove client DB in external CA step 1
+ # https://pagure.io/freeipa/issue/7742
+ logger.debug("Keep pkispawn files for step 2")
+ else:
+ self.clean_pkispawn_files()
 def __spawn_instance(self):
 """
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index e71bf2900..142a8c0d7 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -167,11 +167,13 @@ class DogtagInstance(service.Service):
 def clean_pkispawn_files(self):
 if self.tmp_agent_db is not None:
+ logger.debug("Removing %s", self.tmp_agent_db)
 shutil.rmtree(self.tmp_agent_db, ignore_errors=True)
- shutil.rmtree('/root/.dogtag/pki-tomcat/{subsystem}/'
- .format(subsystem=self.subsystem.lower()),
- ignore_errors=True)
+ client_dir = os.path.join(
+ '/root/.dogtag/pki-tomcat/', self.subsystem.lower())
+ logger.debug("Removing %s", client_dir)
+ shutil.rmtree(client_dir, ignore_errors=True)
 def restart_instance(self):
 self.restart('pki-tomcat')
From 6214fc51789dcfc70d4df18c0153877b92625ad2 Mon Sep 17 00:00:00 2001
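Review bot: The new `if self.external == 1` branch in the `finally:` block of the cainstance.py hunk skips `clean_pkispawn_files()` entirely, and per the dogtaginstance.py hunk of this patch that method removes `self.tmp_agent_db` as well as the client directory, so both stay on disk after step 1 (including when `start_creation()` raises) although the commit message only mentions the client database. Nothing visible here shows what removes them if step 2 is never run, and a temporary path held only in `self.tmp_agent_db` is presumably unknown to a later process. I would either skip only the client-directory removal in step 1, or extend the comment to `# Step 1 keeps the client DB and tmp_agent_db; step 2 is expected to remove them` and confirm that it does. The enclosing method starts outside the hunk.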
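Review bot: Both added `logger.debug("Removing %s", ...)` calls in `clean_pkispawn_files` run before `shutil.rmtree(..., ignore_errors=True)`, so the log reads as a removal even when the delete fails and the client database is left behind. A check after the call would make a leftover visible, e.g. `if os.path.exists(client_dir): logger.warning("Could not remove %s", client_dir)`, and the same for `self.tmp_agent_db`. The hunk also starts using `os.path.join`; the import block is outside the hunk, so confirm that `os` is imported in this module.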
From: Christian Heimes
Date: Fri, 26 Oct 2018 10:11:31 +0200
Subject: [PATCH] Use tasks.install_master() in external_ca tests
The install_master() function performs additional steps besides just installing a server. It also sets up log collection and performs additional tests.
Signed-off-by: Christian Heimes
Reviewed-By: Rob Crittenden
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 620ed28c9..9889636ba 100644
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -292,7 +292,7 @@ def set_default_ttl_for_ipa_dns_zone(host, raiseonerr=True):
 def install_master(host, setup_dns=True, setup_kra=False, setup_adtrust=False,
 extra_args=(), domain_level=None, unattended=True,
- stdin_text=None, raiseonerr=True):
+ external_ca=False, stdin_text=None, raiseonerr=True):
 if domain_level is None:
 domain_level = host.config.domain_level
 check_domain_level(domain_level)
@@ -321,11 +321,14 @@ def install_master(host, setup_dns=True, setup_kra=False, setup_adtrust=False,
 args.append('--setup-kra')
 if setup_adtrust:
 args.append('--setup-adtrust')
+ if external_ca:
+ args.append('--external-ca')
 args.extend(extra_args)
 result = host.run_command(args, raiseonerr=raiseonerr,
 stdin_text=stdin_text)
- if result.returncode == 0:
+ if result.returncode == 0 and not external_ca:
+ # external CA step 1 doesn't have DS and KDC fully configured, yet
 enable_replication_debugging(host)
 setup_sssd_debugging(host)
 kinit_admin(host)
diff --git a/ipatests/test_integration/test_external_ca.py b/ipatests/test_integration/test_external_ca.py
index 33ba70f98..a8e0ea0bf 100644
--- a/ipatests/test_integration/test_external_ca.py
+++ b/ipatests/test_integration/test_external_ca.py
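Review bot: `external_ca=False` is inserted ahead of `stdin_text` and `raiseonerr` in the `install_master` signature, which shifts those two for any caller that passes them positionally. Appending the new parameter keeps existing calls intact: `unattended=True, stdin_text=None, raiseonerr=True, external_ca=False):`. The function body continues outside this hunk.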
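Review bot: With `and not external_ca` added to the `result.returncode == 0` check, an external-CA install never reaches `enable_replication_debugging`, `setup_sssd_debugging` or `kinit_admin`, and step 2 in test_external_ca.py still calls `ipa-server-install` directly, so nothing visible in this patch runs them once the server is fully configured. That drops some of the additional steps the commit message gives as the reason for switching to `install_master()`. Consider calling the same helpers after a successful step 2, or say in the comment where they run instead, e.g. `# external CA step 1: DS and KDC are not fully configured yet; step 2 must enable debugging and kinit`. The rest of the success branch is outside the hunk.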
@@ -70,24 +70,12 @@ def match_in_journal(host, string, since='today', services=('certmonger',)):
 def install_server_external_ca_step1(host):
- """funtion for step 1 to install the ipa server with external ca"""
-
- args = ['ipa-server-install', '-U',
- '-a', host.config.admin_password,
- '-p', host.config.dirman_password,
- '--setup-dns', '--no-forwarders',
- '-n', host.domain.name,
- '-r', host.domain.realm,
- '--domain-level=%i' % host.config.domain_level,
- '--external-ca']
-
- cmd = host.run_command(args)
- return cmd
+ """Step 1 to install the ipa server with external ca"""
+ return tasks.install_master(host, external_ca=True)
 def install_server_external_ca_step2(host, ipa_ca_cert, root_ca_cert):
- """funtion for step 2 to install the ipa server with external ca"""
-
+ """Step 2 to install the ipa server with external ca"""
 args = ['ipa-server-install',
 '-a', host.config.admin_password,
 '-p', host.config.dirman_password,
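Review bot: `install_server_external_ca_step1` used to return the `host.run_command(args)` result and now returns whatever `tasks.install_master()` returns, but `install_master`'s return statement is not in any hunk of this patch, so callers that inspect the step 1 result rely on something that cannot be confirmed from here. The new docstring should state that contract, e.g. `"""Run step 1 of the external-CA install through tasks.install_master() and return its result."""`. The body of `install_server_external_ca_step2` continues outside the hunk.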