Do not fix trust flags in the DS NSS DB in ipa-upgradeconfig

It is necessary to fix trust flags only in the HTTP NSS DB, as it is used as
a source in the upload_cacrt update plugin.

https://fedorahosted.org/freeipa/ticket/4621

Reviewed-By: David Kupka <dkupka@redhat.com>

1 files changed, 5 insertions, 6 deletions

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 9844a5876..945a6f663 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -1128,8 +1128,8 @@ def remove_ds_ra_cert(subject_base):
     sysupgrade.set_upgrade_state('ds', 'remove_ra_cert', True)
 
 
-def fix_trust_flags(service, **kwargs):
-    root_logger.info('[Fixing trust_flags in %s NSS database]' % service)
+def fix_trust_flags():
+    root_logger.info('[Fixing trust flags in %s]' % paths.HTTPD_ALIAS_DIR)
 
     if not api.env.enable_ra:
         root_logger.info("CA is not enabled")
@@ -1139,13 +1139,13 @@ def fix_trust_flags(service, **kwargs):
         root_logger.info("Trust flags already fixed")
         return
 
-    db = certs.CertDB(api.env.realm, **kwargs)
+    db = certs.CertDB(api.env.realm)
     nickname = certdb.get_ca_nickname(api.env.realm)
     cert = db.get_cert_from_db(nickname)
     if cert:
         db.trust_root_cert(nickname, 'CT,C,C')
 
-    sysupgrade.set_upgrade_state(service, 'fix_trust_flags', True)
+    sysupgrade.set_upgrade_state('http', 'fix_trust_flags', True)
 
 
 def main():
@@ -1249,7 +1249,7 @@ def main():
     http.change_mod_nss_port_from_http()
 
     http.stop()
-    fix_trust_flags('http')
+    fix_trust_flags()
     http.start()
 
     ds = dsinstance.DsInstance()
@@ -1258,7 +1258,6 @@ def main():
     ds.stop(ds_serverid)
     fix_schema_file_syntax()
     remove_ds_ra_cert(subject_base)
-    fix_trust_flags('ds', nssdir=ds_dirname)
     ds.start(ds_serverid)
 
     uninstall_selfsign(ds, http)