Separate RA cert store from the HTTP cert store

This is in preparation for separating out the user under which the
ipa api framework runs as.

This commit also removes certs.NSS_DIR to avoid confusion and replaces
it where appropriate with the correct NSS DB directory, either the old
HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is
removed altogether as it was simply not necessary.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>

1 files changed, 7 insertions, 4 deletions

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index ed7203d6f..f0b04523c 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -77,9 +77,12 @@ def make_pkcs12_info(directory, cert_name, password_name):
 def install_http_certs(host_name, realm_name, subject_base):
     principal = 'HTTP/%s@%s' % (host_name, realm_name)
     # Obtain certificate for the HTTP service
-    nssdir = certs.NSS_DIR
+    http = httpinstance.HTTPInstance()
+    http.create_password_conf()
+    nssdir = paths.HTTPD_ALIAS_DIR
+    subject = subject_base or DN(('O', realm_name))
     db = certs.CertDB(realm_name, nssdir=nssdir, subject_base=subject_base)
-    db.request_service_cert('Server-Cert', principal, host_name, True)
+    db.request_service_cert('Server-Cert', principal, host_name)
 
 
 def install_replica_ds(config, options, ca_is_configured, remote_api,
@@ -1332,9 +1335,9 @@ def install(installer):
 
     dsinstance.create_ds_user()
 
-    # create /etc/httpd/alias NSS Database
+    # create NSS Databases
     http_instance = httpinstance.HTTPInstance()
-    http_instance.create_cert_db()
+    http_instance.create_cert_dbs()
 
     try:
         conn.connect(ccache=ccache)