From 80115a38d78db0c2a31dea06786af41eafb234f0 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Mon, 1 Feb 2016 12:59:04 +0100
Subject: [PATCH] always start certmonger during IPA server configuration
 upgrade

This patch fixes a regression introduced by commit
bef0f4c5c38e7ff6415e8f8c96dc306ef7f0ce56. Instead of checking whether
there is CA installed in the topology, we should always start certmonger
service during upgrade regardless when CA was configured.

https://fedorahosted.org/freeipa/ticket/5655

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
 ipaserver/install/server/upgrade.py | 33 +++++----------------------------
 1 file changed, 5 insertions(+), 28 deletions(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 616fba5c1a5b3737481aecbb09ab5344641a3b04..1f1cfeb672809c0298c69c121ac38d6c7a482d11 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -292,24 +292,6 @@ def setup_firefox_extension(fstore):
     http.setup_firefox_extension(realm, domain)
 
 
-def is_ca_enabled():
-    """
-    check whether there is an active CA master
-    :return: True if there is an active CA in topology, False otherwise
-    """
-    ldap2 = api.Backend.ldap2
-    was_connected = ldap2.isconnected()
-
-    if not was_connected:
-        ldap2.connect()
-
-    try:
-        return api.Command.ca_is_enabled()['result']
-    finally:
-        if not was_connected:
-            ldap2.disconnect()
-
-
 def ca_configure_profiles_acl(ca):
     root_logger.info('[Authorizing RA Agent to modify profiles]')
 
@@ -1420,6 +1402,10 @@ def upgrade_configuration():
             )
         upgrade_pki(ca, fstore)
 
+    certmonger_service = services.knownservices.certmonger
+    if ca.is_configured() and not certmonger_service.is_running():
+        certmonger_service.start()
+
     ca.configure_certmonger_renewal_guard()
 
     update_dbmodules(api.env.realm)
@@ -1435,8 +1421,7 @@ def upgrade_configuration():
     http.configure_selinux_for_httpd()
     http.change_mod_nss_port_from_http()
 
-    if is_ca_enabled():
-        http.configure_certmonger_renewal_guard()
+    http.configure_certmonger_renewal_guard()
 
     ds.configure_dirsrv_ccache()
 
@@ -1582,14 +1567,6 @@ def upgrade_check(options):
         print unicode(e)
         sys.exit(1)
 
-    try:
-        ca_is_enabled = is_ca_enabled()
-    except Exception as e:
-        raise RuntimeError("Cannot connect to LDAP server: {0}".format(e))
-
-    if not services.knownservices.certmonger.is_running() and ca_is_enabled:
-        raise RuntimeError('Certmonger is not running. Start certmonger and run upgrade again.')
-
     if not options.skip_version_check:
         # check IPA version and data version
         try:
-- 
2.5.0