client.postinst: Use update_ipa_nssdb(), which also removes remnants from /etc/pki/nssdb.

2025-01-26 08:06:30 -06:00 · 2016-12-01 08:52:29 +02:00 · 2016-12-01 08:52:29 +02:00 · 8de1b80a85
commit 8de1b80a85
parent 960e945bf3
2 changed files with 4 additions and 10 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -6,6 +6,8 @@ freeipa (4.4.2-1) UNRELEASED; urgency=medium
  * work-around-apache-fail.diff: Dropped, apache supports systemd now
    so this should not be needed.
  * watch: Use https url.
+  * client.postinst: Use update_ipa_nssdb(), which also removes remnants
+    from /etc/pki/nssdb.

 -- Timo Aaltonen <tjaalton@debian.org>  Thu, 01 Dec 2016 08:25:03 +0200

--- a/debian/freeipa-client.postinst
+++ b/debian/freeipa-client.postinst
@ -4,16 +4,8 @@ set -e
 LOGFILE=/var/log/ipaclient-upgrade.log

 if [ "$1" = configure ]; then
-    if [ ! -f /etc/ipa/nssdb/cert8.db ]; then
-        python2 -c 'from ipapython.certdb import create_ipa_nssdb; create_ipa_nssdb()' >/dev/null 2>&1
-        tmp=$(mktemp) || exit
-        if certutil -L -d /etc/pki/nssdb -n 'IPA CA' -a >"$tmp" 2>$LOGFILE; then
-            certutil -A -d /etc/ipa/nssdb -n 'IPA CA' -t CT,C,C -a -i "$tmp" >$LOGFILE 2>&1
-        elif certutil -L -d /etc/pki/nssdb -n 'External CA cert' -a >"$tmp" 2>$LOGFILE; then
-            certutil -A -d /etc/ipa/nssdb -n 'External CA cert' -t C,, -a -i "$tmp" >$LOGFILE 2>&1
-        fi
-        rm -f "$tmp"
-    fi
+    python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()' \
+        > /var/log/$LOGFILE 2>&1
 fi

 if [ ! -e /run/ipa ]; then