Do not create CA certificate files in CA-less server install.

The files are created later by ipa-client-install, there's no need to do it twice. This also fixes a bug in CA-less, where the CA certificate is not removed from /etc/pki/nssdb after client uninstall, because it has a different nickname. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2025-02-25 18:55:28 -06:00 · 2013-10-15 12:23:47 +00:00
parent fea7163e87
commit 65957b7eff
1 changed files with 4 additions and 15 deletions
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -1103,6 +1103,10 @@ def main():

        # Now put the CA cert where other instances exepct it
        ca.publish_ca_cert(CACERT)
+    else:
+        # Put the CA cert where other instances expect it
+        shutil.copy(options.root_ca_file, CACERT)
+        os.chmod(CACERT, 0444)

    # we now need to enable ssl on the ds
    ds.enable_ssl()
@@ -1122,21 +1126,6 @@ def main():
        with open(options.root_ca_file) as f:
            pem_cert = f.read()

-        # Trust the CA cert
-        root_logger.info(
-            'Trusting certificate authority from %s' % options.root_ca_file)
-
-        certs.NSSDatabase('/etc/pki/nssdb').import_pem_cert(
-            'External CA cert', 'CT,,', options.root_ca_file)
-
-        # Put a CA cert where other instances expect it
-        with open(CACERT, 'wb') as f:
-            f.write(pem_cert)
-
-        # Install the CA cert for the HTTP server
-        with open('/usr/share/ipa/html/ca.crt', 'wb') as f:
-            f.write(pem_cert)
-
        # Upload the CA cert to the directory
        ds.upload_ca_dercert(base64.b64decode(x509.strip_header(pem_cert)))