authorJan Cholasta <jcholast@redhat.com>2016-02-22 15:05:35 +0100
committerJan Cholasta <jcholast@redhat.com>2016-02-24 10:53:28 +0100
commit11592dde1b232a70f318e01f5271b38890090648 (patch)
tree5aaeafb3a23893af2bc506c06c18404d930bd7f7 /client
parent775ee77bcc091ba31fdd3e59f8d45d0b646a44a0 (diff)
client: stop using /etc/pki/nssdb
Don't put any IPA certificates to /etc/pki/nssdb - IPA itself uses /etc/ipa/nssdb and IPA CA certificates are provided to the system using p11-kit. Remove leftovers on upgrade. https://fedorahosted.org/freeipa/ticket/5592 Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'client')
-rwxr-xr-xclient/ipa-client-install30
-rw-r--r--client/man/ipa-client-install.12
2 files changed, 0 insertions, 32 deletions
diff --git a/client/ipa-client-install b/client/ipa-client-install
index 072bf9d17..1e6112445 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -559,29 +559,12 @@ def uninstall(options, env):
root_logger.error("%s failed to stop tracking certificate: %s",
cmonger.service_name, e)
- # Remove our host cert and CA cert
- try:
- ipa_certs = ipa_db.list_certs()
- except CalledProcessError as e:
- root_logger.error(
- "Failed to list certificates in %s: %s", ipa_db.secdir, e)
- ipa_certs = []
-
for filename in (os.path.join(ipa_db.secdir, 'cert8.db'),
os.path.join(ipa_db.secdir, 'key3.db'),
os.path.join(ipa_db.secdir, 'secmod.db'),
os.path.join(ipa_db.secdir, 'pwdfile.txt')):
remove_file(filename)
- for nickname, trust_flags in ipa_certs:
- while sys_db.has_nickname(nickname):
- try:
- sys_db.delete_cert(nickname)
- except Exception as e:
- root_logger.error("Failed to remove %s from %s: %s",
- nickname, sys_db.secdir, e)
- break
-
# Remove any special principal names we added to the IPA CA helper
certmonger.remove_principal_from_cas()
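Review bot: With the `sys_db.delete_cert(nickname)` loop gone from `uninstall`, nothing in this hunk removes IPA CA certificates that an older client version wrote to /etc/pki/nssdb, so a host enrolled before this change and unenrolled after it could keep the IPA CA as a trusted certificate in the system NSS database. The commit message says leftovers are removed on upgrade, but that code is not part of this diff (the view is limited to `client`), so it is worth confirming that the upgrade step runs on every path that reaches this uninstall. A comment above the `for filename in (...)` loop would record the assumption: `# /etc/pki/nssdb is not touched here; certs left there by older versions are removed on upgrade`. The body of `uninstall` starts and ends outside the hunk, so whether `sys_db` is still defined there and is now unused cannot be seen from here.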
@@ -2899,19 +2882,6 @@ def install(options, env, fstore, statestore):
# Add the CA certificates to the platform-dependant systemwide CA store
tasks.insert_ca_certs_into_systemwide_ca_store(ca_certs)
- # Add the CA certificates to the default NSS database
- root_logger.debug(
- "Attempting to add CA certificates to the default NSS database.")
- sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
- for cert, nickname, trust_flags in ca_certs_trust:
- try:
- sys_db.add_cert(cert, nickname, trust_flags)
- except CalledProcessError as e:
- root_logger.error(
- "Failed to add %s to the default NSS database.", nickname)
- return CLIENT_INSTALL_ERROR
- root_logger.info("Added CA certificates to the default NSS database.")
-
if not options.on_master:
client_dns(cli_server[0], hostname, options)
configure_certmonger(fstore, subject_base, cli_realm, hostname,
diff --git a/client/man/ipa-client-install.1 b/client/man/ipa-client-install.1
index 494fd4952..92ea77a4b 100644
--- a/client/man/ipa-client-install.1
+++ b/client/man/ipa-client-install.1
@@ -266,8 +266,6 @@ Files updated, existing content is maintained:
/etc/nsswitch.conf
.br
-/etc/pki/nssdb
-.br
/etc/krb5.keytab
.br
/etc/sysconfig/network