authorPetr Viktorin <pviktori@redhat.com>2013-03-26 18:06:50 +0100
committerRob Crittenden <rcritten@redhat.com>2013-04-15 16:55:27 -0400
commit4e3c1051d029363a099312eac48f337244a5610c (patch)
tree81574e96640ac9743ab7088af724233944d9cb62 /ipaserver/install/dsinstance.py
parentfe00788bb439d461e1429ffbd94e42d615e2ddf9 (diff)
Uninstall selfsign CA on upgrade
This will convert a master with a selfsign CA to a CA-less one in ipa-upgradeconfig. The relevant files are left in place and can be used to manage certs manually. Part of the work for: https://fedorahosted.org/freeipa/ticket/3494
Diffstat (limited to 'ipaserver/install/dsinstance.py')
-rw-r--r--ipaserver/install/dsinstance.py16
1 files changed, 11 insertions, 5 deletions
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index be629b198..4b0c580a8 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -709,11 +709,7 @@ class DsInstance(service.Service):
serverid = self.restore_state("serverid")
if not serverid is None:
- # drop the trailing / off the config_dirname so the directory
- # will match what is in certmonger
- dirname = config_dirname(serverid)[:-1]
- dsdb = certs.CertDB(self.realm_name, nssdir=dirname)
- dsdb.untrack_server_cert(self.nickname)
+ self.stop_tracking_certificates(serverid)
erase_ds_instance_data(serverid)
# At one time we removed this user on uninstall. That can potentially
@@ -735,6 +731,16 @@ class DsInstance(service.Service):
except Exception, e:
root_logger.error('Unable to restart ds instance %s: %s', ds_instance, e)
+ def stop_tracking_certificates(self, serverid=None):
+ if serverid is None:
+ serverid = self.get_state("serverid")
+ if not serverid is None:
+ # drop the trailing / off the config_dirname so the directory
+ # will match what is in certmonger
+ dirname = config_dirname(serverid)[:-1]
+ dsdb = certs.CertDB(self.realm_name, nssdir=dirname)
+ dsdb.untrack_server_cert(self.nickname)
+
# we could probably move this function into the service.Service
# class - it's very generic - all we need is a way to get an
# instance of a particular Service
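Review bot: The new `stop_tracking_certificates` returns silently when no serverid is passed and `self.get_state("serverid")` also yields None, so a caller on the upgrade path cannot tell "tracking stopped" from "nothing was done". If certmonger keeps tracking the DS server certificate after the selfsign CA is uninstalled, that would presumably only show up later as failed renewal attempts. Consider an `else:` branch with `root_logger.debug('No DS serverid in state; not untracking %s', self.nickname)`, or return a boolean the caller can check. The method also has no docstring; something like `"""Stop certmonger tracking of the DS server certificate; serverid defaults to the stored state."""` would document the fallback. As a style point, `if not serverid is None:` reads more clearly as `if serverid is not None:`.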