From 8e36e030910a4a6ec5ddb37cc19824f37b25ab51 Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Tue, 1 Nov 2016 14:02:27 +0100
Subject: [PATCH] certs: do not re-create NSS database when requesting service cert

`CertDB.request_service_cert` could re-create NSSDB files if the supplied CA certificate was not found in database. This could cause subtle bugs since the files were recreated with wrong permissions. This behavior was removed so that there are no destructive operations performed by the method.

https://fedorahosted.org/freeipa/ticket/6429

Reviewed-By: Stanislav Laznicka
---
 ipaserver/install/certs.py | 1 -
 ipaserver/install/dsinstance.py | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 9f7cad85a..852bcec82 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -645,7 +645,6 @@ class CertDB(object):
         return self.nssdb.export_pem_cert(nickname, location)
 
     def request_service_cert(self, nickname, principal, host, pwdconf=False):
-        self.create_from_cacert(paths.IPA_CA_CRT)
         if pwdconf:
             self.create_password_conf()
         reqid = certmonger.request_cert(nssdb=self.secdir,
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index a7d1b6474..7d283d0d8 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -1252,6 +1252,7 @@ class DsInstance(service.Service):
         subject = self.subject_base or DN(('O', self.realm))
         nssdb_dir = config_dirname(self.serverid)
         db = certs.CertDB(self.realm, nssdir=nssdb_dir, subject_base=subject)
+        db.create_from_cacert(paths.IPA_CA_CRT)
         db.request_service_cert(self.nickname, self.principal, self.fqdn)
         db.create_pin_file()
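Review bot: With the `create_from_cacert` call removed, `request_service_cert` now silently depends on the IPA CA certificate already being present in the NSS database under `self.secdir`, and nothing in the method states that precondition; the `certmonger.request_cert` call on the last hunk line is where a missing CA would surface. Add a docstring under the `def` line: `"""Request a service certificate for *principal* via certmonger. The CA certificate must already be loaded into the NSS database (see create_from_cacert); this method never creates or re-creates database files."""`. Any caller of this method other than the one adjusted in dsinstance.py would lose the CA import with this change, so the remaining call sites should be checked, since only dsinstance.py is touched here. `request_service_cert` continues past the end of the hunk.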
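Review bot: The `db.create_from_cacert(paths.IPA_CA_CRT)` line added before `request_service_cert` moves, rather than removes, the behaviour the commit message describes: if the database at `nssdb_dir` exists but does not contain this CA certificate, `create_from_cacert` would presumably still re-create the files (its body is not in this diff), now at this call site instead of inside `CertDB`. That is only safe if this code path owns a freshly created database, and a comment should say so, e.g. `# Load the IPA CA cert first; request_service_cert no longer does this. Note this re-creates the NSSDB if it is missing or holds a different CA.`. `paths` is referenced on the new line but its import in dsinstance.py is outside the hunk, so verify it is in scope in this module. The enclosing DsInstance method starts before the hunk and its remaining context line is not visible here.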