From 75a3ede7107c07521a668bcfeb268a5024132731 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Dec 11 2017 08:59:50 +0000
Subject: ipa-ca-install: run certupdate as initial step

When installing a CA replica, perform a certupdate to ensure that the relevant CA cert is present. This is necessary if the admin has just promoted the topology from CA-less to CA-ful but didn't manually run ipa-certupdate afterwards.

Fixes: https://pagure.io/freeipa/issue/6577
Reviewed-By: Rob Crittenden
---
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 64478bb..9fdbb06 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -27,6 +27,7 @@ import tempfile
 from ipalib.install.kinit import kinit_keytab
 from ipapython import ipautil
+from ipaclient.install.ipa_certupdate import CertUpdate
 from ipaserver.install import installutils
 from ipaserver.install.installutils import create_replica_config
 from ipaserver.install.installutils import check_creds, ReplicaConfig
@@ -174,6 +175,16 @@ def install_replica(safe_options, options, filename):
             not options.skip_conncheck and options.unattended):
         sys.exit('admin password required')
+    # Run ipa-certupdate to ensure we have the CA cert. This is
+    # necessary if the admin has just promoted the topology from
+    # CA-less to CA-ful, and ipa-certupdate has not been run yet.
+    CertUpdate.run_with_args(api)
+    # CertUpdate restarts DS causing broken pipe on the original
+    # connection, so reconnect the backend.
+    api.Backend.ldap2.disconnect()
+    api.Backend.ldap2.connect()
+
     if options.promote:
         config = ReplicaConfig()
         config.ca_host_name = None
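Review bot: The new `CertUpdate.run_with_args(api)` call in install_replica has no failure handling, so any error it raises aborts the installer with a raw traceback right after the `sys.exit('admin password required')` precondition that the surrounding code reports cleanly, and it presumably rewrites the host's CA trust stores before the `options.promote` branch has validated the rest of the configuration. Wrapping it as `try: CertUpdate.run_with_args(api)` / `except Exception as e: sys.exit("ipa-certupdate failed: %s" % e)` would keep the clean-exit behaviour the rest of this function uses; if CertUpdate already exits on its own errors, a one-line comment saying so would be enough. The CA cert this step installs is trusted on the strength of the authenticated LDAP session, so the reconnect `api.Backend.ldap2.connect()` should carry a comment confirming it reuses the same credentials as the original connection rather than falling back to an anonymous bind. install_replica continues past the end of this hunk, so I cannot see whether a later step would undo the trust-store change on failure.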