authorSimo Sorce <simo@redhat.com>2016-12-13 10:32:32 -0500
committerJan Cholasta <jcholast@redhat.com>2017-02-15 07:13:37 +0100
commitd124e307f3b7d88bca53784f030ed6043b224432 (patch)
tree775fca61a10a7b2b2d0af42cf5ae9290fa6103ec /install
parentd2f5fc304f1938d23171ae330fa20b213ceed54e (diff)
Separate RA cert store from the HTTP cert store
This is in preparation for separating out the user under which the ipa api framework runs. This commit also removes certs.NSS_DIR to avoid confusion and replaces it where appropriate with the correct NSS DB directory, either the old HTTPD_ALIAS_DIR or the RA DB IPA_RADB_DIR. In some cases its use is removed altogether as it was simply not necessary. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'install')
-rwxr-xr-xinstall/certmonger/dogtag-ipa-ca-renew-agent-submit4
-rwxr-xr-xinstall/tools/ipa-csreplica-manage6
-rwxr-xr-xinstall/tools/ipa-replica-manage4
-rw-r--r--install/updates/05-pre_upgrade_plugins.update1
4 files changed, 9 insertions, 6 deletions
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index cb8f93b5f..750893dac 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -208,7 +208,9 @@ def request_cert():
"Forwarding request to dogtag-ipa-renew-agent")
path = paths.DOGTAG_IPA_RENEW_AGENT_SUBMIT
- args = [path] + sys.argv[1:] + ['--submit-option', "requestor_name=IPA"]
+ args = [path, '--dbdir', paths.IPA_RADB_DIR]
+ args.extend(sys.argv[1:])
+ args.extend(['--submit-option', "requestor_name=IPA"])
if os.environ.get('CERTMONGER_CA_PROFILE') == 'caCACert':
args += ['-N', '-O', 'bypassCAnotafter=true']
result = ipautil.run(args, raiseonerr=False, env=os.environ,
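Review bot: The fixed `--dbdir` is placed ahead of the forwarded `sys.argv[1:]`, so a `--dbdir` arriving through certmonger's helper configuration would appear later on the command line. Which occurrence wins depends on the option parsing in the dogtag-ipa-renew-agent-submit helper, which is not visible here. If the RA database must always be used, state the intended precedence in a comment above `args = [path, '--dbdir', paths.IPA_RADB_DIR]`, for example `# RA agent cert lives in IPA_RADB_DIR; forwarded args are not expected to carry their own --dbdir`, or move the option after the forwarded arguments. The body of request_cert starts and ends outside the hunk.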
diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage
index f494380e6..2d534d443 100755
--- a/install/tools/ipa-csreplica-manage
+++ b/install/tools/ipa-csreplica-manage
@@ -28,7 +28,7 @@ import os
from ipaplatform.paths import paths
from ipapython.ipa_log_manager import root_logger
from ipaserver.install import (replication, installutils, bindinstance,
- cainstance, certs)
+ cainstance)
from ipalib import api, errors
from ipalib.util import has_managed_topology
from ipapython import ipautil, ipaldap, version
@@ -275,7 +275,7 @@ def del_master(realm, hostname, options):
sys.exit("There were issues removing a connection: %s" % e)
# 6. Pick CA renewal master
- ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
+ ca = cainstance.CAInstance(api.env.realm)
if ca.is_renewal_master(hostname):
ca.set_renewal_master(options.host)
@@ -379,7 +379,7 @@ def set_renewal_master(realm, replica):
if not replica:
replica = installutils.get_fqdn()
- ca = cainstance.CAInstance(realm, certs.NSS_DIR)
+ ca = cainstance.CAInstance(realm)
if ca.is_renewal_master(replica):
sys.exit("%s is already the renewal master" % replica)
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 56cb90bea..f802201b7 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -36,7 +36,7 @@ from six.moves.xmlrpc_client import MAXINT
from ipaclient.install import ipadiscovery
from ipapython import ipautil
from ipaserver.install import replication, dsinstance, installutils
-from ipaserver.install import bindinstance, cainstance, certs
+from ipaserver.install import bindinstance, cainstance
from ipaserver.install import opendnssecinstance, dnskeysyncinstance
from ipapython import version, ipaldap
from ipalib import api, errors
@@ -890,7 +890,7 @@ def ensure_last_services(conn, hostname, masters, options):
print("Please disable or replace DNSSEC key master first.")
sys.exit("Deletion aborted")
- ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
+ ca = cainstance.CAInstance(api.env.realm)
if ca.is_renewal_master(hostname):
try:
ca.set_renewal_master(options.host)
diff --git a/install/updates/05-pre_upgrade_plugins.update b/install/updates/05-pre_upgrade_plugins.update
index d0e3eb7ce..19918efc6 100644
--- a/install/updates/05-pre_upgrade_plugins.update
+++ b/install/updates/05-pre_upgrade_plugins.update
@@ -8,3 +8,4 @@ plugin: update_referint
plugin: update_uniqueness_plugins_to_new_syntax
# last
+plugin: update_ra_cert_store
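Review bot: The new `update_ra_cert_store` entry lands directly under the existing `# last` marker with nothing saying why it has to run at that position in the pre-upgrade list. Judging from the commit title, it presumably moves the RA agent certificate and key out of the HTTP NSS database, so its order relative to the other pre-upgrade plugins matters to anyone adding entries later. If running last is the intent, a one-line comment such as `# keep last: moves the RA cert into its own store` would make that explicit. The plugin's implementation is not part of this diff view, so the ordering requirement is inferred.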