freeipa-client: Add /etc/ipa/nssdb, rework /etc/pki/nssdb handling.

debian/changelog

@@ -21,6 +21,7 @@ freeipa (4.1.4-1) UNRELEASED; urgency=medium
   * control: Server needs newer python-ldap, bump build-dep too.
   * control: Bump certmonger depends.
   * control: Bump python-nss depends.
+  * freeipa-client: Add /etc/ipa/nssdb, rework /etc/pki/nssdb handling.
 
  -- Timo Aaltonen <tjaalton@debian.org>  Thu, 02 Apr 2015 13:16:49 +0300
 

debian/freeipa-client.dirs

@@ -1,3 +1,4 @@
 etc/ipa
+etc/ipa/nssdb
 etc/pki/nssdb
 var/lib/ipa-client/sysrestore

debian/freeipa-client.postinst

@@ -2,14 +2,23 @@
 set -e
 
 if [ "$1" = configure ]; then
-    if [ ! -e /etc/pki/nssdb ]; then
+    if [ ! -f /etc/pki/nssdb/cert8.db ]; then
         tmp=$(mktemp) || exit
         printf "\n" > $tmp
-        mkdir -p /etc/pki/nssdb
         certutil -N -d /etc/pki/nssdb -f $tmp
         chmod 644 /etc/pki/nssdb/*
         rm $tmp
     fi
+    if [ ! -f /etc/ipa/nssdb/cert8.db ]; then
+        python2 -c 'from ipapython.certdb import create_ipa_nssdb; create_ipa_nssdb()' >/dev/null 2>&1
+        tmp=$(mktemp) || exit
+        if certutil -L -d /etc/pki/nssdb -n 'IPA CA' -a >"$tmp" 2>/var/log/ipaupgrade.log; then
+            certutil -A -d /etc/ipa/nssdb -n 'IPA CA' -t CT,C,C -a -i "$tmp" >/var/log/ipaupgrade.log 2>&1
+        elif certutil -L -d /etc/pki/nssdb -n 'External CA cert' -a >"$tmp" 2>/var/log/ipaupgrade.log; then
+            certutil -A -d /etc/ipa/nssdb -n 'External CA cert' -t C,, -a -i "$tmp" >/var/log/ipaupgrade.log 2>&1
+        fi
+        rm -f "$tmp"
+    fi
 fi
 
 if [ ! -e /run/ipa ]; then

debian/freeipa-client.postrm

@@ -7,6 +7,13 @@ if [ "$1" = purge ]; then
     rm -f /etc/pki/nssdb/cert8.db \
           /etc/pki/nssdb/key3.db \
           /etc/pki/nssdb/secmod.db
+    rm -f /etc/ipa/nssdb/cert8.db \
+          /etc/ipa/nssdb/key3.db \
+          /etc/ipa/nssdb/pwdfile.txt \
+          /etc/ipa/nssdb/secmod.db
+    rmdir /etc/pki/nssdb
+    rmdir /etc/ipa/nssdb
+    rmdir /etc/ipa
 fi
 
 #DEBHELPER#