authorJan Cholasta <jcholast@redhat.com>2013-10-15 12:23:47 +0000
committerPetr Viktorin <pviktori@redhat.com>2014-03-25 16:54:54 +0100
commit65957b7effffc3b4235296eab70808d968bc1187 (patch)
tree08d78cb21da16bd63f02ae459abc8e6c779f70aa /install/tools/ipa-server-install
parentfea7163e87ef7b2e46fa18dc77836ec9ee92ce02 (diff)
Do not create CA certificate files in CA-less server install.
The files are created later by ipa-client-install, there's no need to do it twice. This also fixes a bug in CA-less, where the CA certificate is not removed from /etc/pki/nssdb after client uninstall, because it has a different nickname. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'install/tools/ipa-server-install')
-rwxr-xr-xinstall/tools/ipa-server-install19
1 files changed, 4 insertions, 15 deletions
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index fa1396b49..3069ba8d0 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -1103,6 +1103,10 @@ def main():
# Now put the CA cert where other instances exepct it
ca.publish_ca_cert(CACERT)
+ else:
+ # Put the CA cert where other instances expect it
+ shutil.copy(options.root_ca_file, CACERT)
+ os.chmod(CACERT, 0444)
# we now need to enable ssl on the ds
ds.enable_ssl()
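Review bot: In the added `else:` branch, `shutil.copy(options.root_ca_file, CACERT)` publishes the operator-supplied file byte for byte and `os.chmod(CACERT, 0444)` then makes it world-readable. The hunk does not show whether the file has been checked to hold only a CA certificate, so unless main() validates it earlier (outside this hunk), any other PEM material bundled in that file would be exposed as well. The next hunk's context reads the same path again into `pem_cert` for the directory upload, so the published copy and the uploaded certificate come from two separate reads of a file that could change in between; reading it once and writing that content to CACERT would keep them identical. A comment such as `# CA-less: only publish the supplied CA cert here; ipa-client-install creates the remaining CA cert files later` would record why this branch does less than the `ca.publish_ca_cert(CACERT)` path.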
@@ -1122,21 +1126,6 @@ def main():
with open(options.root_ca_file) as f:
pem_cert = f.read()
- # Trust the CA cert
- root_logger.info(
- 'Trusting certificate authority from %s' % options.root_ca_file)
-
- certs.NSSDatabase('/etc/pki/nssdb').import_pem_cert(
- 'External CA cert', 'CT,,', options.root_ca_file)
-
- # Put a CA cert where other instances expect it
- with open(CACERT, 'wb') as f:
- f.write(pem_cert)
-
- # Install the CA cert for the HTTP server
- with open('/usr/share/ipa/html/ca.crt', 'wb') as f:
- f.write(pem_cert)
-
# Upload the CA cert to the directory
ds.upload_ca_dercert(base64.b64decode(x509.strip_header(pem_cert)))