Free NSS objects in --external-ca scenario

In external CA installation, ipa-server-install leaked NSS objects
which caused an installation crash later when a subsequent call of
NSSConnection tried to free them.

Properly freeing the NSS objects avoid this crash.

https://fedorahosted.org/freeipa/ticket/3773

freeipa.spec.in

@@ -134,7 +134,7 @@ Requires(post): systemd-units
 Requires: selinux-policy >= 3.12.1-65
 Requires(post): selinux-policy-base
 Requires: slapi-nis >= 0.44
-Requires: pki-ca >= 10.0.2
+Requires: pki-ca >= 10.0.4
 Requires: dogtag-pki-server-theme
 %if 0%{?rhel}
 Requires: subscription-manager
@@ -829,6 +829,9 @@ fi
 %endif  # ! %{ONLY_CLIENT}
 
 %changelog
+* Fri Jul 26 2013 Martin Kosek <mkosek@redhat.com> - 3.2.99-12
+- Require pki-ca 10.0.4 which fixes external CA installation (#986901)
+
 * Wed Jul 24 2013 Petr Viktorin <pviktori@redhat.com> - 3.2.99-11
 - Add tar and xz dependencies to freeipa-tests
 

install/tools/ipa-server-install

@@ -698,18 +698,23 @@ def main():
             sys.exit(1)
 
         certdict = dict((DN(str(cert.subject)), cert) for cert in extchain)
+        del extchain
         certissuer = DN(str(extcert.issuer))
         if certissuer not in certdict:
             print "The external certificate is not signed by the external CA (unknown issuer %s)." % certissuer
             sys.exit(1)
 
         cert = extcert
+        del extcert
         while cert.issuer != cert.subject:
             certissuer = DN(str(cert.issuer))
             if certissuer not in certdict:
                 print "The external CA chain is incomplete (%s is missing from the chain)." % certissuer
                 sys.exit(1)
+            del cert
             cert = certdict[certissuer]
+        del certdict
+        del cert
 
     # We only set up the CA if the PKCS#12 options are not given.
     if options.dirsrv_pkcs12: