authorPetr Viktorin <pviktori@redhat.com>2013-03-26 18:06:50 +0100
committerRob Crittenden <rcritten@redhat.com>2013-04-15 16:55:27 -0400
commit4e3c1051d029363a099312eac48f337244a5610c (patch)
tree81574e96640ac9743ab7088af724233944d9cb62
parentfe00788bb439d461e1429ffbd94e42d615e2ddf9 (diff)
Uninstall selfsign CA on upgrade
This will convert a master with a selfsign CA to a CA-less one in ipa-upgradeconfig. The relevant files are left in place and can be used to manage certs manually. Part of the work for: https://fedorahosted.org/freeipa/ticket/3494
-rw-r--r--install/tools/ipa-upgradeconfig25
-rw-r--r--ipaserver/install/dsinstance.py16
-rw-r--r--ipaserver/install/httpinstance.py7
-rw-r--r--ipaserver/install/service.py3
4 files changed, 43 insertions, 8 deletions
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index dbbffe32..8ae54894 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -29,6 +29,7 @@ import os
import shutil
import pwd
import fileinput
+import ConfigParser
from ipalib import api
import ipalib.util
@@ -757,6 +758,25 @@ def add_ca_dns_records():
sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True)
+def uninstall_selfsign(ds, http):
+ root_logger.info('[Removing self-signed CA]')
+ """Replace self-signed CA by a CA-less install"""
+ if api.env.ra_plugin != 'selfsign':
+ root_logger.debug('Self-signed CA is not installed')
+ return
+
+ root_logger.warning(
+ 'Removing self-signed CA. Certificates will need to managed manually.')
+ p = ConfigParser.SafeConfigParser()
+ p.read('/etc/ipa/default.conf')
+ p.set('global', 'enable_ra', 'False')
+ p.set('global', 'ra_plugin', 'none')
+ with open('/etc/ipa/default.conf', 'w') as f:
+ p.write(f)
+
+ ds.stop_tracking_certificates()
+ http.stop_tracking_certificates()
+
def main():
"""
Get some basics about the system. If getting those basics fail then
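Review bot: The string on the second line of `uninstall_selfsign` is not a docstring — it comes after the `root_logger.info` call, so Python treats it as a no-op expression statement; move it to the first line of the body, above the log call. The warning text also reads `Certificates will need to managed manually.` and should be `Certificates will need to be managed manually.`. Separately, `/etc/ipa/default.conf` is rewritten in place with `open(..., 'w')`, so an interruption between the truncate and `p.write` leaves an empty config (and `SafeConfigParser.write` drops any comments the file had); writing a sibling temp file and renaming it over the original closes the truncation window, as sketched below (it needs `import tempfile` next to the `import ConfigParser` added in the first hunk).
```python
    conf = '/etc/ipa/default.conf'
    p = ConfigParser.SafeConfigParser()
    p.read(conf)
    p.set('global', 'enable_ra', 'False')
    p.set('global', 'ra_plugin', 'none')
    # write a sibling temp file and rename it over the original so an
    # interruption mid-write cannot leave default.conf truncated
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(conf), prefix='default.conf.')
    try:
        with os.fdopen(fd, 'w') as f:
            p.write(f)
        shutil.copymode(conf, tmp)
        os.rename(tmp, conf)
    except Exception:
        os.remove(tmp)
        raise
    # … unchanged: stop_tracking_certificates calls on ds and http …
```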
@@ -834,6 +854,10 @@ def main():
http.remove_httpd_ccache()
http.configure_selinux_for_httpd()
+ ds = dsinstance.DsInstance()
+
+ uninstall_selfsign(ds, http)
+
memcache = memcacheinstance.MemcacheInstance()
memcache.ldapi = True
memcache.realm = api.env.realm
@@ -841,7 +865,6 @@ def main():
if not memcache.is_configured():
# 389-ds needs to be running to create the memcache instance
# because we record the new service in cn=masters.
- ds = dsinstance.DsInstance()
ds.start()
memcache.create_instance('MEMCACHE', fqdn, None, ipautil.realm_to_suffix(api.env.realm))
except ipalib.errors.DuplicateEntry:
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index be629b19..4b0c580a 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -709,11 +709,7 @@ class DsInstance(service.Service):
serverid = self.restore_state("serverid")
if not serverid is None:
- # drop the trailing / off the config_dirname so the directory
- # will match what is in certmonger
- dirname = config_dirname(serverid)[:-1]
- dsdb = certs.CertDB(self.realm_name, nssdir=dirname)
- dsdb.untrack_server_cert(self.nickname)
+ self.stop_tracking_certificates(serverid)
erase_ds_instance_data(serverid)
# At one time we removed this user on uninstall. That can potentially
@@ -735,6 +731,16 @@ class DsInstance(service.Service):
except Exception, e:
root_logger.error('Unable to restart ds instance %s: %s', ds_instance, e)
+ def stop_tracking_certificates(self, serverid=None):
+ if serverid is None:
+ serverid = self.get_state("serverid")
+ if not serverid is None:
+ # drop the trailing / off the config_dirname so the directory
+ # will match what is in certmonger
+ dirname = config_dirname(serverid)[:-1]
+ dsdb = certs.CertDB(self.realm_name, nssdir=dirname)
+ dsdb.untrack_server_cert(self.nickname)
+
# we could probably move this function into the service.Service
# class - it's very generic - all we need is a way to get an
# instance of a particular Service
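Review bot: `stop_tracking_certificates` in the second hunk has no docstring, and its two call paths differ in a way worth recording: `uninstall` passes the serverid it already took with `restore_state`, while the default path reads it with `get_state` and silently does nothing when that returns None. Suggest `"""Stop tracking the DS server cert; serverid defaults to the value in the state store and the call is a no-op when none is recorded."""`, plus a `root_logger.debug` in the None branch so an upgrade that finds no serverid shows up in the log instead of passing quietly. Style: `if not serverid is None:` reads more clearly as `if serverid is not None:`. The enclosing class continues outside the hunk.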
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index c3407354..e134fbef 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -376,8 +376,7 @@ class HTTPInstance(service.Service):
if not running is None:
self.stop()
- db = certs.CertDB(api.env.realm)
- db.untrack_server_cert(self.cert_nickname)
+ self.stop_tracking_certificates()
if not enabled is None and not enabled:
self.disable()
@@ -404,3 +403,7 @@ class HTTPInstance(service.Service):
if not running is None and running:
self.start()
+
+ def stop_tracking_certificates(self):
+ db = certs.CertDB(api.env.realm)
+ db.untrack_server_cert(self.cert_nickname)
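Review bot: The new `stop_tracking_certificates` has no docstring; suggest `"""Stop tracking the httpd server cert (self.cert_nickname) in the CertDB for api.env.realm."""`. Unlike the `DsInstance` counterpart it has no guard and always issues the untrack call, which is now also reached from the upgrade path where the cert may not be tracked; if `untrack_server_cert` is safe to call in that case (I cannot see it here), a one-line comment saying so would save the next reader the check. The enclosing class continues outside the hunk.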
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 83ade903..8f4a7dbb 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -292,6 +292,9 @@ class Service(object):
def restore_state(self, key):
return self.sstore.restore_state(self.service_name, key)
+ def get_state(self, key):
+ return self.sstore.get_state(self.service_name, key)
+
def print_msg(self, message):
print_msg(message, self.output_fd)
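Review bot: `get_state` is added without a docstring and sits next to `restore_state` with an identical shape, so the difference between them is invisible at the call site. Suggest a one-line docstring stating how it differs — presumably a read that leaves the entry in the state store, which is what the non-destructive upgrade path in `dsinstance.stop_tracking_certificates` relies on; confirm against `sstore` before wording it. The enclosing class continues outside the hunk.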