From 4e3c1051d029363a099312eac48f337244a5610c Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Tue, 26 Mar 2013 18:06:50 +0100 Subject: Uninstall selfsign CA on upgrade This will convert a master with a selfsign CA to a CA-less one in ipa-upgradeconfig. The relevant files are left in place and can be used to manage certs manually. Part of the work for: https://fedorahosted.org/freeipa/ticket/3494 --- ipaserver/install/dsinstance.py | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) (limited to 'ipaserver/install/dsinstance.py') diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index be629b198..4b0c580a8 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -709,11 +709,7 @@ class DsInstance(service.Service): serverid = self.restore_state("serverid") if not serverid is None: - # drop the trailing / off the config_dirname so the directory - # will match what is in certmonger - dirname = config_dirname(serverid)[:-1] - dsdb = certs.CertDB(self.realm_name, nssdir=dirname) - dsdb.untrack_server_cert(self.nickname) + self.stop_tracking_certificates(serverid) erase_ds_instance_data(serverid) # At one time we removed this user on uninstall. That can potentially @@ -735,6 +731,16 @@ class DsInstance(service.Service): except Exception, e: root_logger.error('Unable to restart ds instance %s: %s', ds_instance, e) + def stop_tracking_certificates(self, serverid=None): + if serverid is None: + serverid = self.get_state("serverid") + if not serverid is None: + # drop the trailing / off the config_dirname so the directory + # will match what is in certmonger + dirname = config_dirname(serverid)[:-1] + dsdb = certs.CertDB(self.realm_name, nssdir=dirname) + dsdb.untrack_server_cert(self.nickname) + # we could probably move this function into the service.Service # class - it's very generic - all we need is a way to get an # instance of a particular Service -- cgit
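Review bot: The new `stop_tracking_certificates` in the second hunk does nothing and reports nothing when no serverid comes from either the argument or `self.get_state("serverid")`, so a caller cannot tell whether certmonger tracking was actually stopped. The upgrade-path caller is not on this page (the view is limited to dsinstance.py), but if it then removes the selfsign CA, a tracking request left behind would presumably keep referring to a CA that is gone. I would log the skipped case, e.g. `else: root_logger.debug('No DS serverid in state, certificate tracking not changed')`, or return a bool the caller can check. The method also needs a docstring such as `"""Stop certmonger tracking of the DS server certificate; serverid defaults to the stored state value."""`, which should mention that the fallback reads state with `get_state` rather than the `restore_state` used by the uninstall code in the first hunk. As a style point, `if not serverid is None:` reads better as `if serverid is not None:`.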