Trying to get a certificate in a kickstart fails because the certmonger daemon cannot be started by systemd because systemd doesn't allow services to run in a chroot. This is affecting ipa-client-install in a kickstart enrollment.
As a workaround we'd like to be able to request a certificate without starting the daemon, understanding that it's a one-shot deal and that monitoring won't take place until reboot.
Now that the IPA install scripts are calling out to the certmonger daemon directly over D-Bus, 'getcert' isn't invoked, so it's no longer in a position to handle all of this automatically.
Most likely this means we need to add logic to the IPA install scripts to detect when the system bus isn't running, and for that case, fire up a private copy of the daemon to talk to, preferably shutting it down cleanly after it's told certmonger what it needs (and maybe attempting to run 'restorecon' afterward).
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1234919 (Red Hat Enterprise Linux 7)
This shall be done within the 4.2.x line.
master:
ipa-4-2:
Metadata Update from @pvoborni: - Issue assigned to dkupka - Issue set to the milestone: FreeIPA 4.2.1