summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJan Cholasta <jcholast@redhat.com>2014-10-13 14:17:19 +0200
committerMartin Kosek <mkosek@redhat.com>2014-10-17 12:53:11 +0200
commit6227ebb0cd2d8661d9233e26adb5e0bff7fe4c0d (patch)
tree8bb3ec28ae4a84268d8b035665d4ebaace8b6944
parentcbb4caa3500f528f47a32767cbd11ac176e4fdbe (diff)
downloadfreeipa-6227ebb0cd2d8661d9233e26adb5e0bff7fe4c0d.tar.gz
freeipa-6227ebb0cd2d8661d9233e26adb5e0bff7fe4c0d.tar.xz
freeipa-6227ebb0cd2d8661d9233e26adb5e0bff7fe4c0d.zip
Do not fix trust flags in the DS NSS DB in ipa-upgradeconfig
It is necessary to fix trust flags only in the HTTP NSS DB, as it is used as a source in the upload_cacrt update plugin. https://fedorahosted.org/freeipa/ticket/4621 Reviewed-By: David Kupka <dkupka@redhat.com>
-rw-r--r--install/tools/ipa-upgradeconfig11
1 files changed, 5 insertions, 6 deletions
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 9844a5876..945a6f663 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -1128,8 +1128,8 @@ def remove_ds_ra_cert(subject_base):
sysupgrade.set_upgrade_state('ds', 'remove_ra_cert', True)
-def fix_trust_flags(service, **kwargs):
- root_logger.info('[Fixing trust_flags in %s NSS database]' % service)
+def fix_trust_flags():
+ root_logger.info('[Fixing trust flags in %s]' % paths.HTTPD_ALIAS_DIR)
if not api.env.enable_ra:
root_logger.info("CA is not enabled")
@@ -1139,13 +1139,13 @@ def fix_trust_flags(service, **kwargs):
root_logger.info("Trust flags already fixed")
return
- db = certs.CertDB(api.env.realm, **kwargs)
+ db = certs.CertDB(api.env.realm)
nickname = certdb.get_ca_nickname(api.env.realm)
cert = db.get_cert_from_db(nickname)
if cert:
db.trust_root_cert(nickname, 'CT,C,C')
- sysupgrade.set_upgrade_state(service, 'fix_trust_flags', True)
+ sysupgrade.set_upgrade_state('http', 'fix_trust_flags', True)
def main():
@@ -1249,7 +1249,7 @@ def main():
http.change_mod_nss_port_from_http()
http.stop()
- fix_trust_flags('http')
+ fix_trust_flags()
http.start()
ds = dsinstance.DsInstance()
@@ -1258,7 +1258,6 @@ def main():
ds.stop(ds_serverid)
fix_schema_file_syntax()
remove_ds_ra_cert(subject_base)
- fix_trust_flags('ds', nssdir=ds_dirname)
ds.start(ds_serverid)
uninstall_selfsign(ds, http)