authorJan Cholasta <jcholast@redhat.com>2016-02-22 15:05:35 +0100
committerJan Cholasta <jcholast@redhat.com>2016-02-24 10:53:28 +0100
commit11592dde1b232a70f318e01f5271b38890090648 (patch)
tree5aaeafb3a23893af2bc506c06c18404d930bd7f7 /ipapython/certdb.py
parent775ee77bcc091ba31fdd3e59f8d45d0b646a44a0 (diff)
client: stop using /etc/pki/nssdb
Don't put any IPA certificates into /etc/pki/nssdb - IPA itself uses /etc/ipa/nssdb, and IPA CA certificates are provided to the system using p11-kit. Remove leftovers on upgrade. https://fedorahosted.org/freeipa/ticket/5592 Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'ipapython/certdb.py')
-rw-r--r--ipapython/certdb.py29
1 files changed, 29 insertions, 0 deletions
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 1e6c63a15..aea50a81f 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -56,6 +56,35 @@ def create_ipa_nssdb():
os.chmod(os.path.join(db.secdir, 'secmod.db'), 0o644)
+def update_ipa_nssdb():
+ ipa_db = NSSDatabase(paths.IPA_NSSDB_DIR)
+ sys_db = NSSDatabase(paths.NSS_DB_DIR)
+
+ if not os.path.exists(os.path.join(ipa_db.secdir, 'cert8.db')):
+ create_ipa_nssdb()
+
+ for nickname, trust_flags in (('IPA CA', 'CT,C,C'),
+ ('External CA cert', 'C,,')):
+ try:
+ cert = sys_db.get_cert(nickname)
+ except RuntimeError:
+ continue
+ try:
+ ipa_db.add_cert(cert, nickname, trust_flags)
+ except ipautil.CalledProcessError as e:
+ raise RuntimeError("Failed to add %s to %s: %s" %
+ (nickname, ipa_db.secdir, e))
+
+ # Remove IPA certs from /etc/pki/nssdb
+ for nickname, trust_flags in ipa_db.list_certs():
+ while sys_db.has_nickname(nickname):
+ try:
+ sys_db.delete_cert(nickname)
+ except ipautil.CalledProcessError as e:
+ raise RuntimeError("Failed to remove %s from %s: %s" %
+ (nickname, sys_db.secdir, e))
+
+
def find_cert_from_txt(cert, start=0):
"""
Given a cert blob (str) which may or may not contian leading and
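Review bot: The cleanup loop at the end of update_ipa_nssdb deletes entries from the system database by nickname alone, so any certificate in /etc/pki/nssdb that merely shares a nickname with one in /etc/ipa/nssdb (an unrelated certificate an administrator installed under the same name) is removed too, which is broader than the `# Remove IPA certs from /etc/pki/nssdb` comment states. The system entry should be compared with the IPA copy before it is deleted and the loop should stop as soon as the remaining entry under that nickname is not IPA's; get_cert's output format is not visible in this hunk, so the comparison below assumes both databases return the certificate in the same encoding. Breaking out of the loop also removes the risk that `while sys_db.has_nickname(nickname)` spins forever if delete_cert returns without the nickname disappearing, which I cannot rule out from here. The `trust_flags` bound in that for loop is unused and can be `_`.
```python
    # … unchanged: migration of 'IPA CA' / 'External CA cert' into ipa_db …

    # Remove IPA certs from /etc/pki/nssdb
    for nickname, _ in ipa_db.list_certs():
        ipa_cert = ipa_db.get_cert(nickname)
        while sys_db.has_nickname(nickname):
            try:
                sys_cert = sys_db.get_cert(nickname)
            except RuntimeError:
                break
            # Only IPA's own copy is removed; an unrelated certificate that
            # merely shares the nickname is left in the system database.
            if sys_cert != ipa_cert:
                break
            try:
                sys_db.delete_cert(nickname)
            except ipautil.CalledProcessError as e:
                raise RuntimeError("Failed to remove %s from %s: %s" %
                                   (nickname, sys_db.secdir, e))
```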