authorSimo Sorce <simo@redhat.com>2016-12-13 10:32:32 -0500
committerSimo Sorce <simo@redhat.com>2017-02-14 17:37:16 -0500
commit63e18ecfe383827678cf77463520463ca7a4d821 (patch)
tree452ccd2551c0d4bfe01ce94b1aff8c5a858da903 /ipaserver/install/server
parent43233c318b13e0ea38e2ebb1bb3147f6e24ca7fb (diff)
Separate RA cert store from the HTTP cert store
This is in preparation for separating out the user under which the ipa api framework runs as. This commit also removes certs.NSS_DIR to avoid confusion and replaces it where appropriate with the correct NSS DB directory, either the old HTTPD_ALIAS_DIR or the RA DB IPA_RADB_DIR. In some cases its use is removed altogether as it was simply not necessary. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com>
Diffstat (limited to 'ipaserver/install/server')
-rw-r--r--ipaserver/install/server/install.py17
-rw-r--r--ipaserver/install/server/replicainstall.py11
-rw-r--r--ipaserver/install/server/upgrade.py6
3 files changed, 17 insertions, 17 deletions
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index f7db25ce3..49806159d 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -31,7 +31,7 @@ from ipalib.util import (
)
import ipaclient.install.ntpconf
from ipaserver.install import (
- bindinstance, ca, cainstance, certs, dns, dsinstance,
+ bindinstance, ca, certs, dns, dsinstance,
httpinstance, installutils, kra, krbinstance,
ntpinstance, otpdinstance, custodiainstance, replication, service,
sysupgrade)
@@ -716,8 +716,9 @@ def install(installer):
# Make sure tmpfiles dir exist before installing components
tasks.create_tmpfiles_dirs()
+ # create NSS Databases
http_instance = httpinstance.HTTPInstance()
- http_instance.create_cert_db()
+ http_instance.create_cert_dbs()
# Create DS user/group if it doesn't exist yet
dsinstance.create_ds_user()
@@ -782,8 +783,8 @@ def install(installer):
ca.install_step_0(False, None, options)
# Now put the CA cert where other instances exepct it
- ca_instance = cainstance.CAInstance(realm_name, certs.NSS_DIR)
- ca_instance.publish_ca_cert(paths.IPA_CA_CRT)
+ ca_db = certs.CertDB(realm_name)
+ ca_db.publish_ca_cert(paths.IPA_CA_CRT)
else:
# Put the CA cert where other instances expect it
x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT)
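Review bot: The new branch publishes the CA cert with `ca_db.publish_ca_cert(paths.IPA_CA_CRT)` but nothing in this hunk sets the file mode, while the block removed in the following hunk ran `os.chmod(paths.IPA_CA_CRT, 0o644)` unconditionally after publishing, which also covered the `else` branch's `x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT)`. Unless publish_ca_cert and write_certificate are known to set a world-readable mode themselves, the mode of the CA cert now depends on the installer's umask, and unprivileged clients that read it could fail; keeping the chmod after each write, or a comment confirming the helper's behaviour, would settle it. `certs.CertDB(realm_name)` also relies on the constructor's default nssdir while the replicainstall.py and upgrade.py hunks in this commit pass `nssdir=` explicitly; passing the intended store here too would make the choice visible. install() begins and ends outside the hunk.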
@@ -834,11 +835,6 @@ def install(installer):
ca_is_configured=setup_ca)
tasks.restore_context(paths.CACHE_IPA_SESSIONS)
- # Export full CA chain
- ca_db = certs.CertDB(realm_name)
- os.chmod(paths.IPA_CA_CRT, 0o644)
- ca_db.publish_ca_cert(paths.IPA_CA_CRT)
-
ca.set_subject_base_in_config(options.subject_base)
# Apply any LDAP updates. Needs to be done after the configuration file
@@ -1107,7 +1103,8 @@ def uninstall(installer):
# Note that this name will be wrong after the first uninstall.
dirname = dsinstance.config_dirname(
installutils.realm_to_serverid(api.env.realm))
- dirs = [dirname, paths.PKI_TOMCAT_ALIAS_DIR, certs.NSS_DIR]
+ dirs = [dirname, paths.PKI_TOMCAT_ALIAS_DIR, paths.HTTPD_ALIAS_DIR,
+ paths.IPA_RADB_DIR]
ids = certmonger.check_state(dirs)
if ids:
root_logger.error('Some certificates may still be tracked by '
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 0747feec6..60df15d0c 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -77,9 +77,12 @@ def make_pkcs12_info(directory, cert_name, password_name):
def install_http_certs(host_name, realm_name, subject_base):
principal = 'HTTP/%s@%s' % (host_name, realm_name)
# Obtain certificate for the HTTP service
- nssdir = certs.NSS_DIR
+ http = httpinstance.HTTPInstance()
+ http.create_password_conf()
+ nssdir = paths.HTTPD_ALIAS_DIR
+ subject = subject_base or DN(('O', realm_name))
db = certs.CertDB(realm_name, nssdir=nssdir, subject_base=subject_base)
- db.request_service_cert('Server-Cert', principal, host_name, True)
+ db.request_service_cert('Server-Cert', principal, host_name)
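Review bot: `subject` is computed on the added line `subject = subject_base or DN(('O', realm_name))` but never used; the `certs.CertDB(...)` call on the next line still passes `subject_base=subject_base`, so a caller passing None still hands None to CertDB and the fallback is dead code. Either use it, `db = certs.CertDB(realm_name, nssdir=nssdir, subject_base=subject)`, or drop the line. The dropped fourth positional argument to `request_service_cert` changes the call without explanation; a short comment on why it is no longer needed would help the next reader.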
def install_replica_ds(config, options, ca_is_configured, remote_api,
@@ -1331,9 +1334,9 @@ def install(installer):
dsinstance.create_ds_user()
- # create /etc/httpd/alias NSS Database
+ # create NSS Databases
http_instance = httpinstance.HTTPInstance()
- http_instance.create_cert_db()
+ http_instance.create_cert_dbs()
try:
conn.connect(ccache=ccache)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 6919f521e..549158270 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -919,7 +919,7 @@ def certificate_renewal_update(ca, ds, http):
'ipaCACertRenewal',
),
(
- paths.HTTPD_ALIAS_DIR,
+ paths.IPA_RADB_DIR,
'ipaCert',
'dogtag-ipa-ca-renew-agent',
template % 'renew_ra_cert_pre',
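Review bot: The renewal table entry for `ipaCert` now names `paths.IPA_RADB_DIR`, but nothing in this hunk stops or migrates an existing certmonger request that still tracks `ipaCert` in `paths.HTTPD_ALIAS_DIR`; if certificate_renewal_update only compares running requests against this table, an upgraded server may end up double-tracking or re-requesting the RA cert unless the old request is handled elsewhere in the upgrade path, which is not visible here. A comment at this entry naming where the HTTPD_ALIAS_DIR request is retired would make that dependency explicit. certificate_renewal_update begins and ends outside the hunk.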
@@ -1374,7 +1374,7 @@ def fix_trust_flags():
root_logger.info("CA is not enabled")
return
- db = certs.CertDB(api.env.realm)
+ db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
nickname = certdb.get_ca_nickname(api.env.realm)
cert = db.get_cert_from_db(nickname)
if cert:
@@ -1540,7 +1540,7 @@ def upgrade_configuration():
sub_dict['SUBJECT_BASE'] = subject_base
ca = cainstance.CAInstance(
- api.env.realm, certs.NSS_DIR, host_name=api.env.host)
+ api.env.realm, paths.IPA_RADB_DIR, host_name=api.env.host)
ca_running = ca.is_running()
with installutils.stopped_service('pki-tomcatd', 'pki-tomcat'):