author | Jan Cholasta <jcholast@redhat.com> | 2016-02-22 15:05:35 +0100 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2016-02-24 10:53:28 +0100 |
commit | 11592dde1b232a70f318e01f5271b38890090648 (patch) | |
tree | 5aaeafb3a23893af2bc506c06c18404d930bd7f7 /ipaserver/install | |
parent | 775ee77bcc091ba31fdd3e59f8d45d0b646a44a0 (diff) | |
client: stop using /etc/pki/nssdb
Don't put any IPA certificates into /etc/pki/nssdb - IPA itself uses
/etc/ipa/nssdb and IPA CA certificates are provided to the system using
p11-kit. Remove leftovers on upgrade.
https://fedorahosted.org/freeipa/ticket/5592
Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'ipaserver/install')
-rw-r--r-- | ipaserver/install/ipa_backup.py | 3 | ||||
-rw-r--r-- | ipaserver/install/ipa_restore.py | 21 |
2 files changed, 5 insertions, 19 deletions
diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index d49576d7d..ae387ad8d 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -173,8 +173,7 @@ class Backup(admintool.AdminTool):
 paths.IPA_DNSKEYSYNCD_KEYTAB,
 paths.HOSTS,
 ) + tuple(
- os.path.join(base, file)
- for base in (paths.NSS_DB_DIR, paths.IPA_NSSDB_DIR)
+ os.path.join(paths.IPA_NSSDB_DIR, file)
 for file in ('cert8.db', 'key3.db', 'secmod.db')
 )
diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index 2c53f038b..b6ac51102 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -831,23 +831,10 @@ class Restore(admintool.AdminTool):
 tasks.remove_ca_certs_from_systemwide_ca_store()
 def cert_restore(self):
- if not os.path.exists(os.path.join(paths.IPA_NSSDB_DIR, 'cert8.db')):
- certdb.create_ipa_nssdb()
- ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
- sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
- for nickname, trust_flags in (('IPA CA', 'CT,C,C'),
- ('External CA cert', 'C,,')):
- try:
- cert = sys_db.get_cert(nickname)
- except RuntimeError:
- pass
- else:
- try:
- ipa_db.add_cert(cert, nickname, trust_flags)
- except ipautil.CalledProcessError as e:
- self.log.error(
- "Failed to add %s to %s: %s" %
- (nickname, paths.IPA_NSSDB_DIR, e))
+ try:
+ certdb.update_ipa_nssdb()
+ except RuntimeError as e:
+ self.log.error("%s", e)
 tasks.reload_systemwide_ca_store() |
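Review bot: The file tuple in `Backup` now builds its NSS entries from `paths.IPA_NSSDB_DIR` alone, with no comment saying why the system database was dropped, which will puzzle anyone comparing a new archive with one taken before this commit. A one-line comment above the generator would cover it: `# /etc/pki/nssdb is no longer used by IPA (ticket 5592); back up only the IPA NSS database`. The enclosing tuple starts outside the hunk, so the rest of the file list cannot be checked from here.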
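Review bot: In `cert_restore` the new handler logs only the bare exception text (`self.log.error("%s", e)`), so the restore log no longer says which step or database failed, and the restore continues to `tasks.reload_systemwide_ca_store()` regardless. Naming the operation keeps the entry useful when someone is working out why CA trust is missing after a restore, e.g. `self.log.error("Failed to update %s: %s", paths.IPA_NSSDB_DIR, e)`. The removed code also caught `ipautil.CalledProcessError` from `add_cert`; `certdb.update_ipa_nssdb()` is outside this diff, so it is worth confirming that it converts that error to `RuntimeError`, since otherwise it would now propagate out of `cert_restore`.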