certs: do not re-create NSS database when requesting service cert

`CertDB.request_service_cert` could re-create the NSSDB files if the supplied CA
certificate was not found in the database. This could cause subtle bugs, since the
files were re-created with the wrong permissions. This behavior was removed so that
the method no longer performs any destructive operations.

https://fedorahosted.org/freeipa/ticket/6429

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Martin Babinsky 2016-11-01 14:02:27 +01:00 committed by Jan Cholasta
parent 89bb5ed1eb
commit 8e36e03091
2 changed files with 1 additions and 1 deletions


@ -645,7 +645,6 @@ class CertDB(object):
return self.nssdb.export_pem_cert(nickname, location)
def request_service_cert(self, nickname, principal, host, pwdconf=False):
self.create_from_cacert(paths.IPA_CA_CRT)
if pwdconf:
self.create_password_conf()
reqid = certmonger.request_cert(nssdb=self.secdir,


@ -1252,6 +1252,7 @@ class DsInstance(service.Service):
subject = self.subject_base or DN(('O', self.realm))
nssdb_dir = config_dirname(self.serverid)
db = certs.CertDB(self.realm, nssdir=nssdb_dir, subject_base=subject)
db.create_from_cacert(paths.IPA_CA_CRT)
db.request_service_cert(self.nickname, self.principal, self.fqdn)
db.create_pin_file()
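Review bot: The `db.create_from_cacert(paths.IPA_CA_CRT)` call before `db.request_service_cert(...)` (apparently the one added line; the +/- markers are not shown on this page) keeps the destructive step the commit message describes, only now in this caller. If the CA certificate is not found, the NSSDB files can still be re-created, and per the message that has left them with wrong permissions. This database presumably ends up holding the service key next to the PIN file written by `db.create_pin_file()`, so I would state why re-creation is acceptable at this point, e.g. `# may (re)create the NSSDB; request_service_cert no longer does this itself`, and have the resulting file modes verified after this step. Callers of `request_service_cert` outside this view presumably now need the CA certificate in their database beforehand, which deserves a sentence in that method's docstring. The enclosing method starts and ends outside the hunk.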