authorJan Cholasta <jcholast@redhat.com>2017-03-14 09:32:17 +0100
committerMartin Babinsky <mbabinsk@redhat.com>2017-03-22 14:58:18 +0100
commitbbd18cf10f2e67e5205a3a3bee883272e89c0042 (patch)
tree664928c9f48cc86ec413d41530091a47da41f086
parentb6624594bedce75849248469305ae964ce5ea2ef (diff)
downloadfreeipa-bbd18cf10f2e67e5205a3a3bee883272e89c0042.tar.gz
freeipa-bbd18cf10f2e67e5205a3a3bee883272e89c0042.tar.xz
freeipa-bbd18cf10f2e67e5205a3a3bee883272e89c0042.zip
certs: do not implicitly create DS pin.txt
Do not implicitly create DS pin.txt in `CertDB.init_from_pkcs12()`, create it explicitly in `DSInstance.__enable_ssl()`. This stops the file from being created in /etc/httpd/alias during classic replica install. https://pagure.io/freeipa/issue/4639 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
-rw-r--r--ipaserver/install/certs.py1
-rw-r--r--ipaserver/install/dsinstance.py3
2 files changed, 2 insertions, 2 deletions
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 63e7887c4..9f340b867 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -635,7 +635,6 @@ class CertDB(object):
self.cacert_name = ca_names[-1]
self.trust_root_cert(self.cacert_name, trust_flags)
- self.create_pin_file()
self.export_ca_cert(nickname, False)
def publish_ca_cert(self, location):
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 91cc180e6..79dc90e92 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -838,7 +838,8 @@ class DsInstance(service.Service):
certmonger.modify_ca_helper('IPA', prev_helper)
self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False)
- dsdb.create_pin_file()
+
+ dsdb.create_pin_file()
self.cacert_name = dsdb.cacert_name
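Review bot: The relocated `dsdb.create_pin_file()` call has no comment saying that it is now the only place the DS pin.txt is written, which matters because that file stores the NSS database PIN in clear text. Indentation is not preserved in this view, so presumably the call was moved out of the certmonger branch to also cover the PKCS#12 path, where `CertDB.init_from_pkcs12()` no longer creates the file. I would add a comment above it such as `# init_from_pkcs12() no longer writes pin.txt; create it here for both the PKCS#12 and certmonger paths`. It is also worth confirming that `create_pin_file()`, which is not visible here, writes the file with owner-only permissions, and that no other caller of `init_from_pkcs12()` relied on the implicit file. The enclosing method starts and ends outside the hunk.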