author | Jan Cholasta <jcholast@redhat.com> | 2013-10-15 12:23:47 +0000 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-03-25 16:54:54 +0100 |
commit | 65957b7effffc3b4235296eab70808d968bc1187 (patch) | |
tree | 08d78cb21da16bd63f02ae459abc8e6c779f70aa /install | |
parent | fea7163e87ef7b2e46fa18dc77836ec9ee92ce02 (diff) | |
Do not create CA certificate files in CA-less server install.
The files are created later by ipa-client-install, there's no need to do it
twice.
This also fixes a bug in CA-less, where the CA certificate is not removed from
/etc/pki/nssdb after client uninstall, because it has a different nickname.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'install')
-rwxr-xr-x | install/tools/ipa-server-install | 19 |
1 files changed, 4 insertions, 15 deletions
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index fa1396b49..3069ba8d0 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -1103,6 +1103,10 @@ def main():
 # Now put the CA cert where other instances exepct it
 ca.publish_ca_cert(CACERT)
+ else:
+ # Put the CA cert where other instances expect it
+ shutil.copy(options.root_ca_file, CACERT)
+ os.chmod(CACERT, 0444)
 # we now need to enable ssl on the ds
 ds.enable_ssl()
@@ -1122,21 +1126,6 @@ def main():
 with open(options.root_ca_file) as f:
 pem_cert = f.read()
- # Trust the CA cert
- root_logger.info(
- 'Trusting certificate authority from %s' % options.root_ca_file)
-
- certs.NSSDatabase('/etc/pki/nssdb').import_pem_cert(
- 'External CA cert', 'CT,,', options.root_ca_file)
-
- # Put a CA cert where other instances expect it
- with open(CACERT, 'wb') as f:
- f.write(pem_cert)
-
- # Install the CA cert for the HTTP server
- with open('/usr/share/ipa/html/ca.crt', 'wb') as f:
- f.write(pem_cert)
-
 # Upload the CA cert to the directory
 ds.upload_ca_dercert(base64.b64decode(x509.strip_header(pem_cert))) |
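Review bot: The new `else:` branch copies `options.root_ca_file` byte-for-byte into `CACERT` and makes it world-readable, and nothing visible in this hunk confirms the file holds only the CA certificate, so any extra PEM content in it would be published as-is. Whether the file is parsed earlier cannot be seen here, because `main()` starts and ends outside the hunk; a comment such as `# root_ca_file is copied verbatim and must contain only the CA certificate` would record the assumption. The same path is opened again in the next hunk's context (`with open(options.root_ca_file) as f:`) for the directory upload, so `CACERT` and the uploaded certificate now come from two separate reads rather than the single `pem_cert` buffer the removed code used. As a style point, `os.chmod(CACERT, 0o444)` is accepted by Python 2.6+ and Python 3, whereas `0444` parses only on Python 2.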