From 1ab5b1a4cdcab8b913f42488ae642a9f0ef77d92 Mon Sep 17 00:00:00 2001

From: Jan Cholasta <jcholast@redhat.com>

Date: Mon, 5 Jun 2017 12:42:52 +0000

Subject: [PATCH] server upgrade: do not enable PKINIT by default

Enabling PKINIT often fails during server upgrade when requesting the KDC

certificate.

Now that PKINIT can be enabled post-install using ipa-pkinit-manage, avoid

the upgrade failure by not enabling PKINIT by default.

https://pagure.io/freeipa/issue/7000

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

---

 ipaserver/install/server/upgrade.py | 10 ++--------

 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py

index db86353165809c57d1ac27bf762393721231fefd..b1f59d3e29d69bffc11935ec22d4b5f510293355 100644

--- a/ipaserver/install/server/upgrade.py

+++ b/ipaserver/install/server/upgrade.py

@@ -1519,14 +1519,8 @@ def add_default_caacl(ca):

 def setup_pkinit(krb):

     root_logger.info("[Setup PKINIT]")

-    pkinit_is_enabled = krbinstance.is_pkinit_enabled()

-    ca_is_enabled = api.Command.ca_is_enabled()['result']

-

-    if not pkinit_is_enabled:

-        if ca_is_enabled:

-            krb.issue_ipa_ca_signed_pkinit_certs()

-        else:

-            krb.issue_selfsigned_pkinit_certs()

+    if not krbinstance.is_pkinit_enabled():

+        krb.issue_selfsigned_pkinit_certs()

     aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD,

                  loadpath=paths.USR_SHARE_IPA_DIR)

-- 

2.9.4