authorRob Crittenden <rcritten@redhat.com>2014-09-03 15:14:45 -0400
committerPetr Viktorin <pviktori@dhcp-31-13.brq.redhat.com>2014-09-05 17:50:59 +0200
commitc1bf5203937827369c7ce023d03c75d2da6d83ee (patch)
treec983e11cb2889bd5c586d34f6d6f7a13b5d661da /ipa-client
parent2ed6fb092eac2397f4d6395307c91a497d747ac0 (diff)
No longer generate a machine certificate on client installs
https://fedorahosted.org/freeipa/ticket/4449 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'ipa-client')
-rwxr-xr-xipa-client/ipa-install/ipa-client-install68
1 files changed, 2 insertions, 66 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 05adf0dad..b3da28df1 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -529,7 +529,8 @@ def uninstall(options, env):
client_nss_nickname = client_nss_nickname_format % hostname
# Always start certmonger. We can't untrack something if it isn't
- # running
+ # running. Note that this is legacy code to untrack any certificates
+ # that were created by previous versions of this installer.
messagebus = services.knownservices.messagebus
try:
messagebus.start()
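Review bot: The expanded comment in uninstall() says why the untrack path still exists, but not what a maintainer should expect on hosts installed from this version on, which never had a tracked machine certificate. Since the installer no longer requests that certificate, the untrack attempt will presumably find nothing to untrack on such hosts, and the comment should say that this is the normal case rather than a failure, e.g. `# Hosts installed without a machine certificate have nothing to untrack; that is expected and not an error.` The untrack call and its error handling are outside this hunk, so confirm that they do not log at error level or abort uninstall in that case. It would also help to note here that hosts enrolled by earlier versions keep their existing host certificate, tracked and renewed, until uninstall runs, because this change only stops new requests.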
@@ -1099,69 +1100,6 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
return 0
-def configure_certmonger(fstore, subject_base, cli_realm, hostname, options,
- remote_env):
- started = True
- principal = 'host/%s@%s' % (hostname, cli_realm)
-
- messagebus = services.knownservices.messagebus
- try:
- messagebus.start()
- except Exception, e:
- log_service_error(messagebus.service_name, 'start', e)
-
- # Ensure that certmonger has been started at least once to generate the
- # cas files in /var/lib/certmonger/cas.
- cmonger = services.knownservices.certmonger
- try:
- cmonger.restart()
- except Exception, e:
- log_service_error(cmonger.service_name, 'restart', e)
-
- if options.hostname:
- # It needs to be stopped if we touch them
- try:
- cmonger.stop()
- except Exception, e:
- log_service_error(cmonger.service_name, 'stop', e)
- # If the hostname is explicitly set then we need to tell certmonger
- # which principal name to use when requesting certs.
- certmonger.add_principal_to_cas(principal)
-
- try:
- cmonger.restart()
- except Exception, e:
- log_service_error(cmonger.service_name, 'restart', e)
- root_logger.warning(
- "Automatic certificate management will not be available")
- started = False
-
- try:
- cmonger.enable()
- except Exception, e:
- root_logger.error(
- "Failed to configure automatic startup of the %s daemon: %s",
- cmonger.service_name, str(e))
- root_logger.warning(
- "Automatic certificate management will not be available")
-
- # Request our host cert
- if remote_env['enable_ra']:
- if started:
- client_nss_nickname = client_nss_nickname_format % hostname
- subject = DN(('CN', hostname), subject_base)
- try:
- run(["ipa-getcert", "request", "-d", paths.NSS_DB_DIR,
- "-n", client_nss_nickname, "-N", str(subject),
- "-K", principal])
- except Exception:
- root_logger.error("%s request for host certificate failed",
- cmonger.service_name)
- else:
- root_logger.warning(
- "A RA is not configured on the server. "
- "Not requesting host certificate.")
-
def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, client_domain, client_hostname):
try:
sssdconfig = SSSDConfig.SSSDConfig()
@@ -2696,8 +2634,6 @@ def install(options, env, fstore, statestore):
if not options.on_master:
client_dns(cli_server[0], hostname, options.dns_updates)
- configure_certmonger(fstore, subject_base, cli_realm, hostname,
- options, remote_env)
update_ssh_keys(cli_server[0], hostname, services.knownservices.sshd.get_config_dir(), options.create_sshfp)