From 1ab5b1a4cdcab8b913f42488ae642a9f0ef77d92 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Mon, 5 Jun 2017 12:42:52 +0000
Subject: [PATCH] server upgrade: do not enable PKINIT by default

Enabling PKINIT often fails during server upgrade when requesting the KDC certificate. Now that PKINIT can be enabled post-install using ipa-pkinit-manage, avoid the upgrade failure by not enabling PKINIT by default.

https://pagure.io/freeipa/issue/7000

Reviewed-By: Martin Babinsky
---
 ipaserver/install/server/upgrade.py | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index db86353165809c57d1ac27bf762393721231fefd..b1f59d3e29d69bffc11935ec22d4b5f510293355 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1519,14 +1519,8 @@ def add_default_caacl(ca):
 def setup_pkinit(krb):
 root_logger.info("[Setup PKINIT]")

- pkinit_is_enabled = krbinstance.is_pkinit_enabled()
- ca_is_enabled = api.Command.ca_is_enabled()['result']
-
- if not pkinit_is_enabled:
- if ca_is_enabled:
- krb.issue_ipa_ca_signed_pkinit_certs()
- else:
- krb.issue_selfsigned_pkinit_certs()
+ if not krbinstance.is_pkinit_enabled():
+ krb.issue_selfsigned_pkinit_certs()

 aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD,
 loadpath=paths.USR_SHARE_IPA_DIR)
-- 
2.9.4
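Review bot: The new `if not krbinstance.is_pkinit_enabled():` branch always calls `krb.issue_selfsigned_pkinit_certs()`, so a server that has an IPA CA now finishes the upgrade with a self-signed KDC certificate, and neither the code nor the log says this is deliberate. Clients presumably cannot validate that certificate against the IPA CA, so an administrator who expects PKINIT to work after the upgrade gets no hint that a further step is needed. I would add a comment above the branch, `# Upgrade never requests a CA-signed KDC cert (issue 7000); PKINIT proper is enabled later with ipa-pkinit-manage`, and log the choice inside it, `root_logger.info("PKINIT is not enabled; issuing a self-signed KDC certificate")`. setup_pkinit's body continues past the end of the hunk, so whether the Augeas code that follows still assumes a CA-signed certificate cannot be checked from here.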