Move HTTPD cert/key pair to /var/lib/ipa/certs

This moves the HTTPD certificates from their default location
to IPA-specific one. This should be especially helpful from
the container perspective.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>

freeipa.spec.in

@@ -1461,6 +1461,7 @@ fi
 %attr(711,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
 %attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
+%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/certs
 %ghost %{_localstatedir}/lib/ipa/pki-ca/publish
 %ghost %{_localstatedir}/named/dyndb-ldap/ipa
 %dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia

install/Makefile.am

@@ -24,10 +24,12 @@ install-exec-local:
 	$(INSTALL) -d -m 700 $(DESTDIR)$(localstatedir)/lib/ipa/sysrestore
 	$(INSTALL) -d -m 700 $(DESTDIR)$(localstatedir)/lib/ipa/sysupgrade
 	$(INSTALL) -d -m 755 $(DESTDIR)$(localstatedir)/lib/ipa/pki-ca
+	$(INSTALL) -d -m 755 $(DESTDIR)$(localstatedir)/lib/ipa/certs
 
 uninstall-local:
 	-rmdir $(DESTDIR)$(localstatedir)/lib/ipa/sysrestore
 	-rmdir $(DESTDIR)$(localstatedir)/lib/ipa/sysupgrade
+	-rmdir $(DESTDIR)$(localstatedir)/lib/ipa/certs
 	-rmdir $(DESTDIR)$(localstatedir)/lib/ipa
 
 EXTRA_DIST = README.schema

ipaplatform/base/paths.py

@@ -51,8 +51,8 @@ class BasePathNamespace(object):
     HTTPD_IPA_CONF = "/etc/httpd/conf.d/ipa.conf"
     HTTPD_NSS_CONF = "/etc/httpd/conf.d/nss.conf"
     HTTPD_SSL_CONF = "/etc/httpd/conf.d/ssl.conf"
-    HTTPD_CERT_FILE = "/etc/pki/tls/certs/httpd.crt"
+    HTTPD_CERT_FILE = "/var/lib/ipa/certs/httpd.crt"
-    HTTPD_KEY_FILE = "/etc/pki/tls/private/httpd.key"
+    HTTPD_KEY_FILE = "/var/lib/ipa/certs/httpd.key"
     # only used on Fedora
     HTTPD_IPA_WSGI_MODULES_CONF = None
     OLD_IPA_KEYTAB = "/etc/httpd/conf/ipa.keytab"