From 573f13228da7d711d3b22fa7f78f4a78e199288b Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Tue, 27 Mar 2018 16:59:55 -0400
Subject: [PATCH] Fix certificate retrieval in ipa-replica-prepare for DL0

The NSSDatabase object doesn't know the format of an NSS database until the database is created so an explcit call to nssdb.create_db.
https://pagure.io/freeipa/issue/7469
Signed-off-by: Rob Crittenden
Reviewed-By: Christian Heimes
Reviewed-By: Fraser Tweedale
---
 ipaserver/install/certs.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 02b28a1bf..2ee8da4df 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -569,8 +569,16 @@ class CertDB(object):
 ])
 def create_from_cacert(self):
+ """
+ Ensure that a CA chain is in the NSS database.
+
+ If an NSS database already exists ensure that the CA chain
+ we want to load is in there and if not add it. If there is no
+ database then create an NSS database and load the CA chain.
+ """
 cacert_fname = paths.IPA_CA_CRT
- if os.path.isfile(self.certdb_fname):
+
+ if self.nssdb.exists():
 # We already have a cert db, see if it is for the same CA.
 # If it is we leave things as they are.
 with open(cacert_fname, "r") as f:
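Review bot: The docstring added to `create_from_cacert` does not say what "already exists" means now that the guard is `self.nssdb.exists()` rather than `os.path.isfile(self.certdb_fname)`, and that test decides whether an existing trust store is kept or rebuilt. `exists()` is not visible in this hunk; if it returns False for a database that is only partly present or in a format the object did not detect, the "no database" path would presumably create a fresh one over what is on disk, so a comment above the `if` such as `# exists() is format-aware: a partial or undetected database counts as absent and is recreated` would make that explicit once confirmed. The docstring's "if not add it" should also be checked against the code below the hunk, because the context comment only says a matching CA is left as it is and the function body continues past the last line shown. The commit message speaks of an explicit call to `nssdb.create_db`, which does not appear in this hunk, the only one the 9-insertion, 1-deletion diffstat accounts for.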