From b043d78bf300a2ec7aa5cc73eb89c56334c6588e Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 15 Mar 2023 12:00:46 +0100
Subject: [PATCH] Move client certificate request after krb5.conf is created
The creation of krb5.conf was moved to the end of the script
as part of maintaining server affinity during ipa-client-install.
If the installation is faster than replication then requests
against some IPA servers may fail because the client entry is
not yet present.
This is more difficult with certmonger as it will only use
/etc/krb5.conf. There is no way of knowing, even at the end
of the client installation, that replication has finished.
Certificate issuance may fail during ipa-client-install but
certmonger will re-try the request.
Fixes: https://pagure.io/freeipa/issue/9246
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaclient/install/client.py | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 0f42937997452e9c37a2c98477638de51cf46b90..fed649065c94d2f2623157b825b374b850a4a03e 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2836,8 +2836,6 @@ def _install(options, tdict):
if not options.on_master:
client_dns(cli_server[0], hostname, options)
- configure_certmonger(fstore, subject_base, cli_realm, hostname,
- options, ca_enabled)
update_ssh_keys(hostname, paths.SSH_CONFIG_DIR, options.create_sshfp)
@@ -3035,6 +3033,11 @@ def _install(options, tdict):
logger.info("Configured /etc/krb5.conf for IPA realm %s", cli_realm)
+ # Configure certmonger after krb5.conf is created and last
+ # to give higher chance that the new client is replicated.
+ configure_certmonger(fstore, subject_base, cli_realm, hostname,
+ options, ca_enabled)
+
logger.info('Client configuration complete.')
--
2.39.2