From 65957b7effffc3b4235296eab70808d968bc1187 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Tue, 15 Oct 2013 12:23:47 +0000
Subject: [PATCH] Do not create CA certificate files in CA-less server install.

The files are created later by ipa-client-install, there's no need to do it twice. This also fixes a bug in CA-less, where the CA certificate is not removed from /etc/pki/nssdb after client uninstall, because it has a different nickname.

Reviewed-By: Petr Viktorin
---
 install/tools/ipa-server-install | 19 ++++---------------
 1 file changed, 4 insertions(+), 15 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index fa1396b49..3069ba8d0 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -1103,6 +1103,10 @@ def main():
 # Now put the CA cert where other instances exepct it
 ca.publish_ca_cert(CACERT)
+ else:
+ # Put the CA cert where other instances expect it
+ shutil.copy(options.root_ca_file, CACERT)
+ os.chmod(CACERT, 0444)
 # we now need to enable ssl on the ds
 ds.enable_ssl()
@@ -1122,21 +1126,6 @@ def main():
 with open(options.root_ca_file) as f:
 pem_cert = f.read()
- # Trust the CA cert
- root_logger.info(
- 'Trusting certificate authority from %s' % options.root_ca_file)
-
- certs.NSSDatabase('/etc/pki/nssdb').import_pem_cert(
- 'External CA cert', 'CT,,', options.root_ca_file)
-
- # Put a CA cert where other instances expect it
- with open(CACERT, 'wb') as f:
- f.write(pem_cert)
-
- # Install the CA cert for the HTTP server
- with open('/usr/share/ipa/html/ca.crt', 'wb') as f:
- f.write(pem_cert)
-
 # Upload the CA cert to the directory
 ds.upload_ca_dercert(base64.b64decode(x509.strip_header(pem_cert)))
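Review bot: In the new `else:` branch, `shutil.copy(options.root_ca_file, CACERT)` carries the source file's permission bits over to CACERT, so until `os.chmod` runs the published trust anchor has whatever mode the operator-supplied file had, including group- or world-writable. `shutil.copyfile(options.root_ca_file, CACERT)` followed by the chmod avoids inheriting that mode. The copy also publishes the file byte-for-byte as world-readable; the hunk does not show whether the file was checked beforehand to hold only the CA certificate, so anything else bundled in the same PEM would become readable too. Separately, `0444` is a Python 2-only octal literal; `0o444` means the same and also parses on Python 3. main() begins and continues outside the hunk.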