Uninstall selfsign CA on upgrade

This will convert a master with a selfsign CA to a CA-less one in
ipa-upgradeconfig.
The relevant files are left in place and can be used to manage certs
manually.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3494

1 files changed, 5 insertions, 2 deletions

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index c34073546..e134fbef3 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -376,8 +376,7 @@ class HTTPInstance(service.Service):
         if not running is None:
             self.stop()
 
-        db = certs.CertDB(api.env.realm)
-        db.untrack_server_cert(self.cert_nickname)
+        self.stop_tracking_certificates()
         if not enabled is None and not enabled:
             self.disable()
 
@@ -404,3 +403,7 @@ class HTTPInstance(service.Service):
 
         if not running is None and running:
             self.start()
+
+    def stop_tracking_certificates(self):
+        db = certs.CertDB(api.env.realm)
+        db.untrack_server_cert(self.cert_nickname)