client: stop using /etc/pki/nssdb

Don't put any IPA certificates to /etc/pki/nssdb - IPA itself uses
/etc/ipa/nssdb and IPA CA certificates are provided to the system using
p11-kit. Remove leftovers on upgrade.

https://fedorahosted.org/freeipa/ticket/5592

Reviewed-By: David Kupka <dkupka@redhat.com>

1 files changed, 2 insertions, 9 deletions

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 54a11bfc8..48fec9742 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -937,15 +937,8 @@ if [ $1 -gt 1 ] ; then
         fi
     fi
 
-    if [ ! -f '/etc/ipa/nssdb/cert8.db' -a $restore -ge 2 ]; then
-        python2 -c 'from ipapython.certdb import create_ipa_nssdb; create_ipa_nssdb()' >/dev/null 2>&1
-        tempfile=$(mktemp)
-        if certutil -L -d /etc/pki/nssdb -n 'IPA CA' -a >"$tempfile" 2>/var/log/ipaupgrade.log; then
-            certutil -A -d /etc/ipa/nssdb -n 'IPA CA' -t CT,C,C -a -i "$tempfile" >/var/log/ipaupgrade.log 2>&1
-        elif certutil -L -d /etc/pki/nssdb -n 'External CA cert' -a >"$tempfile" 2>/var/log/ipaupgrade.log; then
-            certutil -A -d /etc/ipa/nssdb -n 'External CA cert' -t C,, -a -i "$tempfile" >/var/log/ipaupgrade.log 2>&1
-        fi
-        rm -f "$tempfile"
+    if [ $restore -ge 2 ]; then
+        python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1
     fi
 fi