diff options
author | Jan Cholasta <jcholast@redhat.com> | 2016-02-22 15:05:35 +0100 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2016-02-24 10:53:28 +0100 |
commit | 11592dde1b232a70f318e01f5271b38890090648 (patch) | |
tree | 5aaeafb3a23893af2bc506c06c18404d930bd7f7 /ipaclient/ipa_certupdate.py | |
parent | 775ee77bcc091ba31fdd3e59f8d45d0b646a44a0 (diff) | |
download | freeipa-11592dde1b232a70f318e01f5271b38890090648.tar.gz freeipa-11592dde1b232a70f318e01f5271b38890090648.tar.xz freeipa-11592dde1b232a70f318e01f5271b38890090648.zip |
client: stop using /etc/pki/nssdb
Don't put any IPA certificates to /etc/pki/nssdb - IPA itself uses
/etc/ipa/nssdb and IPA CA certificates are provided to the system using
p11-kit. Remove leftovers on upgrade.
https://fedorahosted.org/freeipa/ticket/5592
Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'ipaclient/ipa_certupdate.py')
-rw-r--r-- | ipaclient/ipa_certupdate.py | 12 |
1 files changed, 0 insertions, 12 deletions
diff --git a/ipaclient/ipa_certupdate.py b/ipaclient/ipa_certupdate.py index 9d14f6a00..b9572196c 100644 --- a/ipaclient/ipa_certupdate.py +++ b/ipaclient/ipa_certupdate.py @@ -95,17 +95,6 @@ class CertUpdate(admintool.AdminTool): self.update_file(paths.IPA_CA_CRT, certs) ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR) - sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR) - - # Remove IPA certs from /etc/pki/nssdb - for nickname, trust_flags in ipa_db.list_certs(): - while sys_db.has_nickname(nickname): - try: - sys_db.delete_cert(nickname) - except ipautil.CalledProcessError as e: - self.log.error("Failed to remove %s from %s: %s", - nickname, sys_db.secdir, e) - break # Remove old IPA certs from /etc/ipa/nssdb for nickname in ('IPA CA', 'External CA cert'): @@ -118,7 +107,6 @@ class CertUpdate(admintool.AdminTool): break self.update_db(ipa_db.secdir, certs) - self.update_db(sys_db.secdir, certs) tasks.remove_ca_certs_from_systemwide_ca_store() tasks.insert_ca_certs_into_systemwide_ca_store(certs) |