From 0772ef20b39b11950fddc913a350534988294c89 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Jun 06 2017 11:27:44 +0000
Subject: server upgrade: do not enable PKINIT by default

Enabling PKINIT often fails during server upgrade when requesting the KDC certificate. Now that PKINIT can be enabled post-install using ipa-pkinit-manage, avoid the upgrade failure by not enabling PKINIT by default.
https://pagure.io/freeipa/issue/7000
Reviewed-By: Martin Babinsky
---
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 3e2abef..870bc08 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1523,14 +1523,8 @@ def add_default_caacl(ca):
 def setup_pkinit(krb):
 root_logger.info("[Setup PKINIT]")
- pkinit_is_enabled = krbinstance.is_pkinit_enabled()
- ca_is_enabled = api.Command.ca_is_enabled()['result']
-
- if not pkinit_is_enabled:
- if ca_is_enabled:
- krb.issue_ipa_ca_signed_pkinit_certs()
- else:
- krb.issue_selfsigned_pkinit_certs()
+ if not krbinstance.is_pkinit_enabled():
+ krb.issue_selfsigned_pkinit_certs()
 aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD, loadpath=paths.USR_SHARE_IPA_DIR)
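Review bot: Nothing in the new `if not krbinstance.is_pkinit_enabled():` branch records that a CA-enabled server is deliberately left with a self-signed KDC certificate, so an administrator who expected CA-signed PKINIT after the upgrade gets no hint that it is off. I would add `# Self-signed on purpose: requesting the CA-signed KDC cert can fail during upgrade (issue 7000)` above the branch and, inside it, `root_logger.info("PKINIT is not enabled; run ipa-pkinit-manage enable to request a CA-signed KDC certificate")`. As far as the hunk shows, the check also cannot tell a server that received a self-signed certificate on an earlier upgrade from one that never had any, so the certificate may be regenerated on every run; that needs confirming against `is_pkinit_enabled()` and `issue_selfsigned_pkinit_certs()`, whose bodies are not visible here. The body of `setup_pkinit` continues past the end of the hunk.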