Always use /etc/ipa/ca.crt as CA cert file

It seem like ALIAS_CACERT_ASC was just a redundant location for the CA
cert file which is always available in /etc/ipa/ca.crt

Just use the canonical CA cert location in /etc/ipa for all cases and
stop creating a separate cacert file.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>

ipaplatform/base/paths.py

@@ -40,7 +40,6 @@ class BasePathNamespace(object):
     ETC_HTTPD_DIR = "/etc/httpd"
     HTTPD_ALIAS_DIR = "/etc/httpd/alias"
     IPA_RADB_DIR = "/var/lib/ipa/radb"
-    ALIAS_CACERT_ASC = "/var/lib/ipa/radb/cacert.asc"
     HTTPD_CONF_D_DIR = "/etc/httpd/conf.d/"
     HTTPD_IPA_KDCPROXY_CONF = "/etc/ipa/kdcproxy/ipa-kdc-proxy.conf"
     HTTPD_IPA_KDCPROXY_CONF_SYMLINK = "/etc/httpd/conf.d/ipa-kdc-proxy.conf"

ipaserver/install/certs.py

@@ -217,12 +217,12 @@ class CertDB(object):
 
         return False
 
-    def export_ca_cert(self, nickname, create_pkcs12=False,
-                       cacert_fname=paths.ALIAS_CACERT_ASC):
+    def export_ca_cert(self, nickname, create_pkcs12=False):
         """create_pkcs12 tells us whether we should create a PKCS#12 file
            of the CA or not. If we are running on a replica then we won't
            have the private key to make a PKCS#12 file so we don't need to
            do that step."""
+        cacert_fname = paths.IPA_CA_CRT
         # export the CA cert for use with other apps
         ipautil.backup_file(cacert_fname)
         root_nicknames = self.find_root_cert(nickname)[:-1]
@@ -533,8 +533,8 @@ class CertDB(object):
                      "-in", pem_fname, "-out", pkcs12_fname,
                      "-passout", "file:" + pkcs12_pwd_fname])
 
-    def create_from_cacert(self, cacert_fname=paths.ALIAS_CACERT_ASC,
-                           passwd=None):
+    def create_from_cacert(self):
+        cacert_fname = paths.IPA_CA_CRT
         if ipautil.file_exists(self.certdb_fname):
             # We already have a cert db, see if it is for the same CA.
             # If it is we leave things as they are.
@@ -553,7 +553,7 @@ class CertDB(object):
 
         # The CA certificates are different or something went wrong. Start with
         # a new certificate database.
-        self.create_passwd_file(passwd)
+        self.create_passwd_file()
         self.create_certdbs()
         self.load_cacert(cacert_fname, 'CT,C,C')
 

ipaserver/install/dsinstance.py

@@ -810,10 +810,6 @@ class DsInstance(service.Service):
                     self.nickname, self.principal, dsdb.passwd_fname,
                     'restart_dirsrv %s' % self.serverid)
         else:
-            cadb = certs.CertDB(self.realm, host_name=self.fqdn, subject_base=self.subject_base)
-
-            # FIXME, need to set this nickname in the RA plugin
-            cadb.export_ca_cert('ipaCert', False)
             dsdb.create_from_cacert()
             ca_args = ['/usr/libexec/certmonger/dogtag-submit',
                        '--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn,
@@ -1241,7 +1237,7 @@ class DsInstance(service.Service):
             subject_base=self.subject_base,
             ca_subject=self.ca_subject,
         )
-        db.create_from_cacert(paths.IPA_CA_CRT)
+        db.create_from_cacert()
         db.request_service_cert(self.nickname, self.principal, self.fqdn)
         db.create_pin_file()
 

ipaserver/install/server/upgrade.py

@@ -185,7 +185,7 @@ def check_certs():
     """Check ca.crt is in the right place, and try to fix if not"""
     root_logger.info('[Verifying that root certificate is published]')
     if not os.path.exists(paths.CA_CRT):
-        ca_file = paths.ALIAS_CACERT_ASC
+        ca_file = paths.IPA_CA_CRT
         if os.path.exists(ca_file):
             old_umask = os.umask(0o22)   # make sure its readable by httpd
             try: