From 8a7e79a7a6fad8dc87c8f148cb5098434f988ea3 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Nov 11 2016 11:13:56 +0000
Subject: replica install: use one remote CA host name everywhere

Remote master and CA host names may differ. Always use the remote CA host name and never the remote master host name in CA replica install.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Stanislav Laznicka
---
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 079773d..aaacf44 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -138,7 +138,7 @@ def install_replica(safe_options, options, filename):
 if options.promote:
 config = ReplicaConfig()
- config.master_host_name = None
+ config.ca_host_name = None
 config.realm_name = api.env.realm
 config.host_name = api.env.host
 config.domain_name = api.env.domain
@@ -149,6 +149,7 @@ def install_replica(safe_options, options, filename):
 cafile = paths.IPA_CA_CRT
 else:
 config = create_replica_config(dirman_password, filename, options)
+ config.ca_host_name = config.master_host_name
 cafile = config.dir + '/ca.crt'
 global REPLICA_INFO_TOP_DIR
@@ -159,12 +160,9 @@ def install_replica(safe_options, options, filename):
 attrs = api.Backend.ldap2.get_ipa_config()
 config.subject_base = attrs.get('ipacertificatesubjectbase')[0]
- if config.master_host_name is None:
+ if config.ca_host_name is None:
 config.ca_host_name = \
 service.find_providing_server('CA', api.Backend.ldap2, api.env.ca_host)
- config.master_host_name = config.ca_host_name
- else:
- config.ca_host_name = config.master_host_name
 options.realm_name = config.realm_name
 options.domain_name = config.domain_name
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index 921e494..cd594c2 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
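Review bot: In the last ipa-ca-install hunk, the result of `service.find_providing_server('CA', api.Backend.ldap2, api.env.ca_host)` is stored in `config.ca_host_name` without a None check, although the promote_check hunk in replicainstall.py tests the same call's result with `if ca_host is not None:`. If no CA server is found, None would reach the consumers this commit repoints, `replica_conn_check(replica_config.ca_host_name, ...)` in ca.py and `'ldap://%s:%s' % (config.ca_host_name, config.ca_ds_port)` in cainstance.py, and the latter would build a URL for a host literally named "None". Failing right after the lookup is clearer, for example `if config.ca_host_name is None: sys.exit("no CA server found")`, assuming `sys` is imported in this script. The body of install_replica continues outside the hunk, so a later check may already exist there.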
@@ -38,7 +38,7 @@ def install_check(standalone, replica_config, options):
 if standalone and not options.skip_conncheck:
 principal = options.principal
 replica_conn_check(
- replica_config.master_host_name, host_name, realm_name, True,
+ replica_config.ca_host_name, host_name, realm_name, True,
 replica_config.ca_ds_port, options.admin_password, principal=principal, ca_cert_file=options.ca_cert_file)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 48b66e2..d7dffbe 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1349,7 +1349,7 @@ def replica_ca_install_check(config):
 return
 # Check if the master has the necessary schema in its CA instance
- ca_ldap_url = 'ldap://%s:%s' % (config.master_host_name, config.ca_ds_port)
+ ca_ldap_url = 'ldap://%s:%s' % (config.ca_host_name, config.ca_ds_port)
 objectclass = 'ipaObject'
 root_logger.debug('Checking if IPA schema is present in %s', ca_ldap_url)
 try:
@@ -1418,7 +1418,7 @@ def install_replica_ca(config, postinstall=False, ra_p12=None):
 ca.configure_instance(config.host_name, config.dirman_password, config.dirman_password, pkcs12_info=(cafile,), ra_p12=ra_p12,
- master_host=config.master_host_name,
+ master_host=config.ca_host_name,
 master_replication_port=config.ca_ds_port, subject_base=config.subject_base)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 5ea93ae..96f4adb 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -549,9 +549,10 @@ def install_check(installer):
 raise ScriptError("Directory Manager password required")
 config = create_replica_config(dirman_password, filename, options)
- installer._top_dir = config.top_dir
+ config.ca_host_name = config.master_host_name
 config.setup_ca = options.setup_ca
 config.setup_kra = options.setup_kra
+ installer._top_dir = config.top_dir
 ca_enabled = ipautil.file_exists(config.dir + "/cacert.p12")
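Review bot: In the replica_ca_install_check hunk, the context comment `# Check if the master has the necessary schema in its CA instance` is stale now that the URL is built from `config.ca_host_name`; `# Check if the remote CA host has the necessary schema in its CA instance` would match the code. The URL uses the plain `ldap://` scheme, and the connect and bind code after `try:` lies outside the hunk. It is worth confirming there that the connection is upgraded with StartTLS before any credentials are sent, since the target may now be a host other than the master the replica was prepared against.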
@@ -576,7 +577,7 @@ def install_check(installer):
 fd.write("dogtag_version=10\n")
 if not config.setup_ca:
- fd.write("ca_host={0}\n".format(config.master_host_name))
+ fd.write("ca_host={0}\n".format(config.ca_host_name))
 else:
 fd.write("enable_ra=False\n")
 fd.write("ra_plugin=none\n")
@@ -1258,7 +1259,8 @@ def promote_check(installer):
 config.subject_base = DN(subject_base)
 # Find if any server has a CA
- ca_host = service.find_providing_server('CA', conn, api.env.server)
+ ca_host = service.find_providing_server(
+ 'CA', conn, config.ca_host_name)
 if ca_host is not None:
 config.ca_host_name = ca_host
 ca_enabled = True
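Review bot: In the promote_check hunk, `config.ca_host_name` is now passed as the third argument to `service.find_providing_server(...)` before the `if ca_host is not None:` branch assigns it, so it must already hold a value when this line runs. That assignment is not visible here, because promote_check starts outside the hunk. The ipa-ca-install hunk sets `config.ca_host_name = None` explicitly after `ReplicaConfig()`, which suggests the constructor may not define the attribute. A comment at the call, such as `# config.ca_host_name is set earlier in promote_check; it is replaced only when a CA server is found`, would document the dependency.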