Generate a database password by default in all cases.

If the password passed in when creating a NSS certificate database is None
then a random password is generated. If it is empty ('') then an empty
password is set.

Because of this the HTTP instance on replicas were created with an empty
password.

https://fedorahosted.org/freeipa/ticket/1407

2 files changed, 2 insertions, 2 deletions

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 522d3f576..1bbcbabe6 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -914,7 +914,7 @@ class CertDB(object):
         self.export_ca_cert(self.cacert_name, True)
         self.create_pin_file()
 
-    def create_from_cacert(self, cacert_fname, passwd=""):
+    def create_from_cacert(self, cacert_fname, passwd=None):
         if ipautil.file_exists(self.certdb_fname):
             # We already have a cert db, see if it is for the same CA.
             # If it is we leave things as they are.
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 26fde51f9..d2eb27c96 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -177,7 +177,7 @@ class HTTPInstance(service.Service):
 
         db = certs.CertDB(self.realm, subject_base=self.subject_base)
         if self.pkcs12_info:
-            db.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1], passwd="")
+            db.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1], passwd=None)
             server_certs = db.find_server_certs()
             if len(server_certs) == 0:
                 raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0])