From 253140ed59fed21ecbda8c795484935173e9da05 Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Jan 29 2013 14:42:35 +0000
Subject: Add the CA cert to LDAP after the CA install
The DS is installed before the CA cert is generated. Trying to add the cert to LDAP before it exists resulted in a nasty-looking error message. This moves the cert upload to after the CA cert is ready and the certdb is created. Move the cert upload to after thecertdb is generated. https://fedorahosted.org/freeipa/ticket/3375
---
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 9bb4046..1559107 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -1030,6 +1030,9 @@ def main():
 ca.enable_client_auth_to_db()
 ca.restart()
+ # Upload the CA cert to the directory
+ ds.upload_ca_cert()
+
 # Create a kerberos instance
 if options.pkinit_pin:
 [pw_fd, pw_name] = tempfile.mkstemp()
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 76ef687..367496f 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -262,7 +262,6 @@ class DsInstance(service.Service):
 self.step("adding range check plugin", self.__add_range_check_plugin)
 if hbac_allow:
 self.step("creating default HBAC rule allow_all", self.add_hbac)
- self.step("Upload CA cert to the directory", self.__upload_ca_cert)
 self.__common_post_setup()
@@ -589,7 +588,7 @@ class DsInstance(service.Service):
 # check for open secure port 636 from now on
 self.open_ports.append(636)
- def __upload_ca_cert(self):
+ def upload_ca_cert(self):
 """
 Upload the CA certificate in DER form in the LDAP directory.
 """
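Review bot: The `ds.upload_ca_cert()` call added in main() is a bare statement, whereas the registration removed from dsinstance.py ran it as `self.step("Upload CA cert to the directory", ...)`; the upload therefore no longer appears as a named install step, and a failure here would surface as an unlabelled exception from main(). The ordering requirement is only implied by the call's position, so the comment should state it, e.g. `# Upload the CA cert to the directory; needs the CA cert and certdb, so keep this after the CA setup`. Because the step was dropped from the DsInstance step list, any other installer that sets up the directory through that list would presumably stop publishing the CA certificate unless it makes the same explicit call; this cannot be confirmed from the visible hunks. main() starts and ends outside the hunk and the page has lost its indentation, so whether the new call sits inside a conditional cannot be checked here.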