Separate RA cert store from the HTTP cert store

This is in preparation for separating out the user under which the
ipa api framework runs as.

This commit also removes certs.NSS_DIR to avoid confusion and replaces
it where appropriate with the correct NSS DB directory, either the old
HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is
removed altogether as it was simply not necessary.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>

ipaserver/install/ca.py

@@ -265,7 +265,7 @@ def install_step_0(standalone, replica_config, options):
         'certmap.conf', 'subject_base', str(subject_base))
     dsinstance.write_certmap_conf(realm_name, ca_subject)
 
-    ca = cainstance.CAInstance(realm_name, certs.NSS_DIR,
+    ca = cainstance.CAInstance(realm_name, paths.IPA_RADB_DIR,
                                host_name=host_name)
     ca.configure_instance(host_name, dm_password, dm_password,
                           subject_base=subject_base,
@@ -293,7 +293,8 @@ def install_step_1(standalone, replica_config, options):
     subject_base = options._subject_base
     basedn = ipautil.realm_to_suffix(realm_name)
 
-    ca = cainstance.CAInstance(realm_name, certs.NSS_DIR, host_name=host_name)
+    ca = cainstance.CAInstance(realm_name, paths.IPA_RADB_DIR,
+                               host_name=host_name)
 
     ca.stop('pki-tomcat')
 
@@ -355,8 +356,7 @@ def install_step_1(standalone, replica_config, options):
 
 
 def uninstall():
-    ca_instance = cainstance.CAInstance(
-        api.env.realm, certs.NSS_DIR)
+    ca_instance = cainstance.CAInstance(api.env.realm, paths.IPA_RADB_DIR)
     ca_instance.stop_tracking_certificates()
     if ca_instance.is_configured():
         ca_instance.uninstall()

ipaserver/install/cainstance.py

@@ -656,7 +656,7 @@ class CAInstance(DogtagInstance):
 
         Used when setting up replication
         """
-        # Add the new RA cert to the database in /etc/httpd/alias
+        # Add the new RA cert into the RA database
         with tempfile.NamedTemporaryFile(mode="w") as agent_file:
             agent_file.write(self.dm_password)
             agent_file.flush()
@@ -970,16 +970,6 @@ class CAInstance(DogtagInstance):
                 self.log.warning("Error while removing CRL publish "
                                     "directory: %s", e)
 
-    def publish_ca_cert(self, location):
-        args = ["-L", "-n", self.canickname, "-a"]
-        result = self.__run_certutil(
-            args, capture_output=True)
-        cert = result.output
-        fd = open(location, "w+")
-        fd.write(cert)
-        fd.close()
-        os.chmod(location, 0o444)
-
     def unconfigure_certmonger_renewal_guard(self):
         if not self.is_configured():
             return
@@ -1004,8 +994,8 @@ class CAInstance(DogtagInstance):
                 ca='dogtag-ipa-ca-renew-agent',
                 nickname='ipaCert',
                 pin=None,
-                pinfile=paths.ALIAS_PWDFILE_TXT,
-                secdir=paths.HTTPD_ALIAS_DIR,
+                pinfile=os.path.join(paths.IPA_RADB_DIR, 'pwdfile.txt'),
+                secdir=paths.IPA_RADB_DIR,
                 pre_command='renew_ra_cert_pre',
                 post_command='renew_ra_cert')
         except RuntimeError as e:
@@ -1024,7 +1014,7 @@ class CAInstance(DogtagInstance):
                 certmonger.stop_tracking(self.nss_db, nickname=nickname)
 
         try:
-            certmonger.stop_tracking(paths.HTTPD_ALIAS_DIR, nickname='ipaCert')
+            certmonger.stop_tracking(paths.IPA_RADB_DIR, nickname='ipaCert')
         except RuntimeError as e:
             root_logger.error(
                 "certmonger failed to stop tracking certificate: %s", e)

ipaserver/install/certs.py

@@ -41,13 +41,8 @@ from ipapython.dn import DN
 from ipalib import pkcs10, x509, api
 from ipalib.errors import CertificateOperationError
 from ipalib.text import _
-from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 
-# Apache needs access to this database so we need to create it
-# where apache can reach
-NSS_DIR = paths.HTTPD_ALIAS_DIR
-
 
 def get_cert_nickname(cert):
     """
@@ -80,9 +75,8 @@ class CertDB(object):
 
     """
     # TODO: Remove all selfsign code
-    def __init__(
-            self, realm, nssdir=NSS_DIR, fstore=None, host_name=None,
-            subject_base=None, ca_subject=None):
+    def __init__(self, realm, nssdir=paths.IPA_RADB_DIR, fstore=None,
+                 host_name=None, subject_base=None, ca_subject=None):
         self.nssdb = NSSDatabase(nssdir)
 
         self.secdir = nssdir
@@ -93,10 +87,8 @@ class CertDB(object):
         self.certdb_fname = self.secdir + "/cert8.db"
         self.keydb_fname = self.secdir + "/key3.db"
         self.secmod_fname = self.secdir + "/secmod.db"
-        self.cacert_fname = self.secdir + "/cacert.asc"
         self.pk12_fname = self.secdir + "/cacert.p12"
         self.pin_fname = self.secdir + "/pin.txt"
-        self.pwd_conf = paths.HTTPD_PASSWORD_CONF
         self.reqdir = None
         self.certreq_fname = None
         self.certder_fname = None
@@ -222,21 +214,22 @@ class CertDB(object):
 
         return False
 
-    def export_ca_cert(self, nickname, create_pkcs12=False):
+    def export_ca_cert(self, nickname, create_pkcs12=False,
+                       cacert_fname=paths.ALIAS_CACERT_ASC):
         """create_pkcs12 tells us whether we should create a PKCS#12 file
            of the CA or not. If we are running on a replica then we won't
            have the private key to make a PKCS#12 file so we don't need to
            do that step."""
         # export the CA cert for use with other apps
-        ipautil.backup_file(self.cacert_fname)
+        ipautil.backup_file(cacert_fname)
         root_nicknames = self.find_root_cert(nickname)[:-1]
-        fd = open(self.cacert_fname, "w")
+        fd = open(cacert_fname, "w")
         for root in root_nicknames:
             result = self.run_certutil(["-L", "-n", root, "-a"],
                                        capture_output=True)
             fd.write(result.output)
         fd.close()
-        os.chmod(self.cacert_fname, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
+        os.chmod(cacert_fname, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
         if create_pkcs12:
             ipautil.backup_file(self.pk12_fname)
             ipautil.run([paths.PK12UTIL, "-d", self.secdir,
@@ -494,19 +487,6 @@ class CertDB(object):
         pwdfile.close()
         self.set_perms(self.pin_fname)
 
-    def create_password_conf(self):
-        """
-        This is the format of mod_nss pin files.
-        """
-        ipautil.backup_file(self.pwd_conf)
-        f = open(self.pwd_conf, "w")
-        f.write("internal:")
-        pwdfile = open(self.passwd_fname)
-        f.write(pwdfile.read())
-        f.close()
-        pwdfile.close()
-        self.set_perms(self.pwd_conf, uid=constants.HTTPD_USER)
-
     def find_root_cert(self, nickname):
         """
         Given a nickname, return a list of the certificates that make up
@@ -550,7 +530,8 @@ class CertDB(object):
                      "-in", pem_fname, "-out", pkcs12_fname,
                      "-passout", "file:" + pkcs12_pwd_fname])
 
-    def create_from_cacert(self, cacert_fname, passwd=None):
+    def create_from_cacert(self, cacert_fname=paths.ALIAS_CACERT_ASC,
+                           passwd=None):
         if ipautil.file_exists(self.certdb_fname):
             # We already have a cert db, see if it is for the same CA.
             # If it is we leave things as they are.
@@ -646,15 +627,12 @@ class CertDB(object):
                      "-passin", "file:" + pwd.name])
 
     def publish_ca_cert(self, location):
-        shutil.copy(self.cacert_fname, location)
-        os.chmod(location, 0o444)
+        self.nssdb.publish_ca_cert(self.cacert_name, location)
 
     def export_pem_cert(self, nickname, location):
         return self.nssdb.export_pem_cert(nickname, location)
 
-    def request_service_cert(self, nickname, principal, host, pwdconf=False):
-        if pwdconf:
-            self.create_password_conf()
+    def request_service_cert(self, nickname, principal, host):
         certmonger.request_and_wait_for_cert(certpath=self.secdir,
                                              nickname=nickname,
                                              principal=principal,

ipaserver/install/dogtaginstance.py

@@ -77,12 +77,12 @@ def export_kra_agent_pem():
     """
     Export ipaCert with private key for client authentication.
     """
-    fd, filename = tempfile.mkstemp(dir=paths.HTTPD_ALIAS_DIR)
+    fd, filename = tempfile.mkstemp(dir=paths.IPA_RADB_DIR)
     os.close(fd)
 
     args = ["/usr/bin/pki",
-            "-d", paths.HTTPD_ALIAS_DIR,
-            "-C", paths.ALIAS_PWDFILE_TXT,
+            "-d", paths.IPA_RADB_DIR,
+            "-C", os.path.join(paths.IPA_RADB_DIR, 'pwdfile.txt'),
             "client-cert-show", "ipaCert",
             "--client-cert", filename]
     ipautil.run(args)

ipaserver/install/dsinstance.py

@@ -814,12 +814,13 @@ class DsInstance(service.Service):
 
             # FIXME, need to set this nickname in the RA plugin
             cadb.export_ca_cert('ipaCert', False)
-            dsdb.create_from_cacert(cadb.cacert_fname, passwd=None)
+            dsdb.create_from_cacert()
             ca_args = ['/usr/libexec/certmonger/dogtag-submit',
                        '--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn,
-                       '--dbdir', paths.HTTPD_ALIAS_DIR,
+                       '--dbdir', paths.IPA_RADB_DIR,
                        '--nickname', 'ipaCert',
-                       '--sslpinfile', paths.ALIAS_PWDFILE_TXT,
+                       '--sslpinfile', os.path.join(paths.IPA_RADB_DIR,
+                                                    'pwdfile.txt'),
                        '--agent-submit']
             helper = " ".join(ca_args)
             prev_helper = certmonger.modify_ca_helper('IPA', helper)

ipaserver/install/httpinstance.py

@@ -19,7 +19,6 @@
 
 from __future__ import print_function
 
-import io
 import os
 import os.path
 import pwd
@@ -35,6 +34,7 @@ from ipalib.install import certmonger
 from ipaserver.install import service
 from ipaserver.install import certs
 from ipaserver.install import installutils
+from ipapython import certdb
 from ipapython import dogtag
 from ipapython import ipautil
 from ipapython.dn import DN
@@ -70,8 +70,6 @@ NSS_CIPHER_SUITE = [
 ]
 NSS_CIPHER_REVISION = '20160129'
 
-NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")
-
 
 def httpd_443_configured():
     """
@@ -176,7 +174,6 @@ class HTTPInstance(service.Service):
             self.step("configure certmonger for renewals",
                       self.configure_certmonger_renewal_guard)
         self.step("importing CA certificates from LDAP", self.__import_ca_certs)
-        self.step("publish CA cert", self.__publish_ca_cert)
         self.step("clean up any existing httpd ccaches",
                   self.remove_httpd_ccaches)
         self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
@@ -316,31 +313,12 @@ class HTTPInstance(service.Service):
             if certmonger_stopped:
                 certmonger.stop()
 
-    def create_cert_db(self):
-        database = certs.NSS_DIR
-        pwd_file = os.path.join(database, 'pwdfile.txt')
-
-        for p in NSS_FILES:
-            nss_path = os.path.join(database, p)
-            ipautil.backup_file(nss_path)
-
-        # Create the password file for this db
-        password = ipautil.ipa_generate_password()
-        with io.open(pwd_file, 'w') as f:
-            f.write(password)
-
-        ipautil.run([paths.CERTUTIL, "-d", database, "-f", pwd_file, "-N"])
-
-        self.fix_cert_db_perms()
-
-    def fix_cert_db_perms(self):
-        pent = pwd.getpwnam(self.service_user)
-
-        for filename in NSS_FILES:
-            nss_path = os.path.join(certs.NSS_DIR, filename)
-            os.chmod(nss_path, 0o640)
-            os.chown(nss_path, 0, pent.pw_gid)
-            tasks.restore_context(nss_path)
+    def create_cert_dbs(self):
+        nssdb = certdb.NSSDatabase(nssdir=paths.HTTPD_ALIAS_DIR)
+        nssdb.create_db(user="root", group=constants.HTTPD_GROUP, backup=True)
+        nssdb = certdb.NSSDatabase(nssdir=paths.IPA_RADB_DIR)
+        nssdb.create_db(user=constants.HTTPD_USER, group=constants.HTTPD_GROUP,
+                        mode=0o751, backup=True)
 
     def request_anon_keytab(self):
         parent = os.path.dirname(paths.ANON_KEYTAB)
@@ -353,8 +331,26 @@ class HTTPInstance(service.Service):
         os.chown(parent, pent.pw_uid, pent.pw_gid)
         os.chown(paths.ANON_KEYTAB, pent.pw_uid, pent.pw_gid)
 
+    def create_password_conf(self):
+        """
+        This is the format of mod_nss pin files.
+        """
+        pwd_conf = paths.HTTPD_PASSWORD_CONF
+
+        ipautil.backup_file(pwd_conf)
+        f = open(pwd_conf, "w")
+        f.write("internal:")
+        pwdfile = open(os.path.join(paths.HTTPD_ALIAS_DIR, 'pwdfile.txt'))
+        f.write(pwdfile.read())
+        f.close()
+        pwdfile.close()
+        pent = pwd.getpwnam(constants.HTTPD_USER)
+        os.chown(pwd_conf, pent.pw_uid, pent.pw_gid)
+        os.chmod(pwd_conf, 0o400)
+
     def __setup_ssl(self):
-        db = certs.CertDB(self.realm, subject_base=self.subject_base)
+        db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR,
+                          subject_base=self.subject_base)
         if self.pkcs12_info:
             if self.ca_is_configured:
                 trust_flags = 'CT,C,C'
@@ -367,7 +363,7 @@ class HTTPInstance(service.Service):
             if len(server_certs) == 0:
                 raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0])
 
-            db.create_password_conf()
+            self.create_password_conf()
 
             # We only handle one server cert
             nickname = server_certs[0][0]
@@ -383,13 +379,14 @@ class HTTPInstance(service.Service):
 
         else:
             if not self.promote:
-                db.create_password_conf()
+                self.create_password_conf()
                 ca_args = [
                     '/usr/libexec/certmonger/dogtag-submit',
                     '--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn,
-                    '--dbdir', paths.HTTPD_ALIAS_DIR,
+                    '--dbdir', paths.IPA_RADB_DIR,
                     '--nickname', 'ipaCert',
-                    '--sslpinfile', paths.ALIAS_PWDFILE_TXT,
+                    '--sslpinfile', os.path.join(paths.IPA_RADB_DIR,
+                                                 'pwdfile.txt'),
                     '--agent-submit'
                     ]
                 helper = " ".join(ca_args)
@@ -413,21 +410,19 @@ class HTTPInstance(service.Service):
 
                 self.add_cert_to_service()
 
+            # Verify we have a valid server cert
             server_certs = db.find_server_certs()
             if not server_certs:
                 raise RuntimeError("Could not find a suitable server cert.")
 
-            # We only handle one server cert
-            nickname = server_certs[0][0]
-            db.export_ca_cert(nickname)
-
     def __import_ca_certs(self):
+        # first for the RA DB
         db = certs.CertDB(self.realm, subject_base=self.subject_base)
         self.import_ca_certs(db, self.ca_is_configured)
-
-    def __publish_ca_cert(self):
-        ca_db = certs.CertDB(self.realm)
-        ca_db.publish_ca_cert(paths.CA_CRT)
+        # and then also for the HTTPD DB
+        db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR,
+                          subject_base=self.subject_base)
+        self.import_ca_certs(db, self.ca_is_configured)
 
     def is_kdcproxy_configured(self):
         """Check if KDC proxy has already been configured in the past"""
@@ -574,10 +569,10 @@ class HTTPInstance(service.Service):
             self.enable()
 
     def stop_tracking_certificates(self):
-        db = certs.CertDB(api.env.realm)
+        db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
         db.untrack_server_cert(self.cert_nickname)
 
     def start_tracking_certificates(self):
-        db = certs.CertDB(self.realm)
+        db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR)
         db.track_server_cert(self.cert_nickname, self.principal,
                              db.passwd_fname, 'restart_httpd')

ipaserver/install/ipa_backup.py

@@ -103,20 +103,21 @@ class Backup(admintool.AdminTool):
     description = "Back up IPA files and databases."
 
     dirs = (paths.IPA_HTML_DIR,
-        paths.ROOT_PKI,
-        paths.PKI_TOMCAT,
-        paths.SYSCONFIG_PKI,
-        paths.HTTPD_ALIAS_DIR,
-        paths.VAR_LIB_PKI_DIR,
-        paths.SYSRESTORE,
-        paths.IPA_CLIENT_SYSRESTORE,
-        paths.IPA_DNSSEC_DIR,
-        paths.SSSD_PUBCONF_KRB5_INCLUDE_D_DIR,
-        paths.AUTHCONFIG_LAST,
-        paths.VAR_LIB_CERTMONGER_DIR,
-        paths.VAR_LIB_IPA,
-        paths.VAR_RUN_DIRSRV_DIR,
-        paths.DIRSRV_LOCK_DIR,
+            paths.ROOT_PKI,
+            paths.PKI_TOMCAT,
+            paths.SYSCONFIG_PKI,
+            paths.HTTPD_ALIAS_DIR,
+            paths.IPA_RADB_DIR,
+            paths.VAR_LIB_PKI_DIR,
+            paths.SYSRESTORE,
+            paths.IPA_CLIENT_SYSRESTORE,
+            paths.IPA_DNSSEC_DIR,
+            paths.SSSD_PUBCONF_KRB5_INCLUDE_D_DIR,
+            paths.AUTHCONFIG_LAST,
+            paths.VAR_LIB_CERTMONGER_DIR,
+            paths.VAR_LIB_IPA,
+            paths.VAR_RUN_DIRSRV_DIR,
+            paths.DIRSRV_LOCK_DIR,
     )
 
     files = (

ipaserver/install/ipa_cacert_manage.py

@@ -131,7 +131,7 @@ class CACertManage(admintool.AdminTool):
         api.Backend.ldap2.connect(bind_pw=password)
 
     def renew(self):
-        ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
+        ca = cainstance.CAInstance(api.env.realm)
         if not ca.is_configured():
             raise admintool.ScriptError("CA is not configured on this system")
 

ipaserver/install/ipa_replica_prepare.py

@@ -603,7 +603,7 @@ class ReplicaPrepare(admintool.AdminTool):
             ca_db = certs.CertDB(
                 api.env.realm, host_name=api.env.host,
                 subject_base=subject_base)
-            db.create_from_cacert(ca_db.cacert_fname)
+            db.create_from_cacert()
             db.create_server_cert(nickname, hostname, ca_db)
 
             pkcs12_fname = os.path.join(self.dir, fname + ".p12")

ipaserver/install/ipa_server_certinstall.py

@@ -131,7 +131,7 @@ class ServerCertInstall(admintool.AdminTool):
             pass
 
     def install_http_cert(self):
-        dirname = certs.NSS_DIR
+        dirname = paths.HTTPD_ALIAS_DIR
 
         old_cert = installutils.get_directive(paths.HTTPD_NSS_CONF,
                                               'NSSNickname')

ipaserver/install/krainstance.py

@@ -33,7 +33,6 @@ from ipaplatform.paths import paths
 from ipapython import certdb
 from ipapython import ipautil
 from ipapython.dn import DN
-from ipaserver.install import certs
 from ipaserver.install import cainstance
 from ipaserver.install import installutils
 from ipaserver.install import ldapupdate
@@ -107,7 +106,7 @@ class KRAInstance(DogtagInstance):
                 raise RuntimeError(
                     "KRA already installed.")
             # Confirm that a Dogtag 10 CA instance already exists
-            ca = cainstance.CAInstance(self.realm, certs.NSS_DIR)
+            ca = cainstance.CAInstance(self.realm)
             if not ca.is_installed():
                 raise RuntimeError(
                     "KRA configuration failed.  "
@@ -292,7 +291,7 @@ class KRAInstance(DogtagInstance):
         """
 
         # get ipaCert certificate
-        with certdb.NSSDatabase(paths.HTTPD_ALIAS_DIR) as ipa_nssdb:
+        with certdb.NSSDatabase(paths.IPA_RADB_DIR) as ipa_nssdb:
            cert_data = ipa_nssdb.get_cert("ipaCert")
         cert = x509.load_certificate(cert_data, x509.DER)
 

ipaserver/install/plugins/ca_renewal_master.py

@@ -17,7 +17,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-from ipaserver.install import installutils, certs, cainstance
+from ipaserver.install import installutils, cainstance
 from ipalib import errors
 from ipalib import Updater
 from ipalib.install import certmonger
@@ -34,7 +34,7 @@ class update_ca_renewal_master(Updater):
     """
 
     def execute(self, **options):
-        ca = cainstance.CAInstance(self.api.env.realm, certs.NSS_DIR)
+        ca = cainstance.CAInstance(self.api.env.realm)
         if not ca.is_configured():
             self.debug("CA is not configured on this host")
             return False, []
@@ -74,7 +74,7 @@ class update_ca_renewal_master(Updater):
                 return False, []
 
         criteria = {
-            'cert-database': paths.HTTPD_ALIAS_DIR,
+            'cert-database': paths.IPA_RADB_DIR,
             'cert-nickname': 'ipaCert',
         }
         request_id = certmonger.get_request_id(criteria)

ipaserver/install/plugins/update_ca_topology.py

@@ -6,7 +6,7 @@ from ipalib import errors
 from ipalib import Registry
 from ipalib import Updater
 from ipapython.dn import DN
-from ipaserver.install import certs, cainstance
+from ipaserver.install import cainstance
 from ipaserver.install import ldapupdate
 from ipaplatform.paths import paths
 
@@ -21,7 +21,7 @@ class update_ca_topology(Updater):
 
     def execute(self, **options):
 
-        ca = cainstance.CAInstance(self.api.env.realm, certs.NSS_DIR)
+        ca = cainstance.CAInstance(self.api.env.realm)
         if not ca.is_configured():
             self.log.debug("CA is not configured on this host")
             return False, []

ipaserver/install/plugins/update_ra_cert_store.py

@@ -0,0 +1,76 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import binascii
+import os
+
+from ipalib import Registry
+from ipalib import Updater
+from ipalib.install import certmonger
+from ipaplatform.constants import constants
+from ipaplatform.paths import paths
+from ipapython import certdb
+
+register = Registry()
+
+
+@register()
+class update_ra_cert_store(Updater):
+    """
+    Moves the cert store from /etc/httpd/alias to /var/lib/ipa/radb
+    """
+
+    def execute(self, **options):
+        olddb = certdb.NSSDatabase(nssdir=paths.HTTPD_ALIAS_DIR)
+        if not olddb.has_nickname('ipaCert'):
+            # Nothign to do
+            return False, []
+
+        newdb = certdb.NSSDatabase(nssdir=paths.IPA_RADB_DIR)
+        if os.path.exists(paths.IPA_RADB_DIR):
+            if newdb.has_nickname('ipaCert'):
+                self.log.warning(
+                    "An 'ipaCert' nickname exists in both the old {} and the "
+                    "new {} NSS Databases!".format(paths.HTTPD_ALIAS_DIR,
+                                                   paths.IPA_RADB_DIR))
+                return False, []
+        else:
+            # Create the DB
+            newdb.create_db(os.path.join(paths.IPA_RADB_DIR, 'pwdfile.txt'),
+                            user=constants.HTTPD_USER,
+                            group=constants.HTTPD_GROUP,
+                            mode=0o751, backup=True)
+
+        # Import cert chain (ignore errors, as certs may already be imported)
+        certlist = olddb.list_certs()
+        certflags = {}
+        for name, flags in certlist:
+            certflags[name] = flags
+        for name in olddb.get_trust_chain('ipaCert'):
+            if name == 'ipaCert':
+                continue
+            try:
+                cert = olddb.get_cert(name, pem=True)
+                newdb.add_cert(cert, name, certflags[name], pem=True)
+            except Exception as e:  # pylint disable=broad-except
+                self.log.warning("Failed to import '{}' from trust "
+                                 "chain: {}".format(name, str(e)))
+
+        # As the last step export/import/delete the RA Cert
+        ipa_httpd_pwdfile = os.path.join(paths.HTTPD_ALIAS_DIR, 'pwdfile.txt')
+        ipa_radb_pwdfile = os.path.join(paths.IPA_RADB_DIR, 'pwdfile.txt')
+        pw = binascii.hexlify(os.urandom(10))
+        p12file = os.path.join(paths.IPA_RADB_DIR, 'ipaCert.p12')
+        olddb.export_pkcs12('ipaCert', p12file, ipa_httpd_pwdfile, pw)
+        newdb.import_pkcs12(p12file, ipa_radb_pwdfile, pw)
+
+        certmonger.stop_tracking(secdir=olddb.secdir,
+                                 nickname='ipaCert')
+        certmonger.start_tracking(secdir=newdb.secdir,
+                                  nickname='ipaCert',
+                                  password_file=ipa_radb_pwdfile)
+
+        olddb.delete_cert('ipaCert')
+
+        return False, []

ipaserver/install/server/install.py

@@ -31,7 +31,7 @@ from ipalib.util import (
 )
 import ipaclient.install.ntpconf
 from ipaserver.install import (
-    bindinstance, ca, cainstance, certs, dns, dsinstance,
+    bindinstance, ca, certs, dns, dsinstance,
     httpinstance, installutils, kra, krbinstance,
     ntpinstance, otpdinstance, custodiainstance, replication, service,
     sysupgrade)
@@ -712,8 +712,9 @@ def install(installer):
     # Make sure tmpfiles dir exist before installing components
     tasks.create_tmpfiles_dirs()
 
+    # create NSS Databases
     http_instance = httpinstance.HTTPInstance()
-    http_instance.create_cert_db()
+    http_instance.create_cert_dbs()
 
     # Create DS user/group if it doesn't exist yet
     dsinstance.create_ds_user()
@@ -778,8 +779,8 @@ def install(installer):
         ca.install_step_0(False, None, options)
 
         # Now put the CA cert where other instances exepct it
-        ca_instance = cainstance.CAInstance(realm_name, certs.NSS_DIR)
-        ca_instance.publish_ca_cert(paths.IPA_CA_CRT)
+        ca_db = certs.CertDB(realm_name)
+        ca_db.publish_ca_cert(paths.IPA_CA_CRT)
     else:
         # Put the CA cert where other instances expect it
         x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT)
@@ -830,11 +831,6 @@ def install(installer):
             ca_is_configured=setup_ca)
     tasks.restore_context(paths.CACHE_IPA_SESSIONS)
 
-    # Export full CA chain
-    ca_db = certs.CertDB(realm_name)
-    os.chmod(paths.IPA_CA_CRT, 0o644)
-    ca_db.publish_ca_cert(paths.IPA_CA_CRT)
-
     ca.set_subject_base_in_config(options.subject_base)
 
     # Apply any LDAP updates. Needs to be done after the configuration file
@@ -1103,7 +1099,8 @@ def uninstall(installer):
     # Note that this name will be wrong after the first uninstall.
     dirname = dsinstance.config_dirname(
         installutils.realm_to_serverid(api.env.realm))
-    dirs = [dirname, paths.PKI_TOMCAT_ALIAS_DIR, certs.NSS_DIR]
+    dirs = [dirname, paths.PKI_TOMCAT_ALIAS_DIR, paths.HTTPD_ALIAS_DIR,
+            paths.IPA_RADB_DIR]
     ids = certmonger.check_state(dirs)
     if ids:
         root_logger.error('Some certificates may still be tracked by '

ipaserver/install/server/replicainstall.py

@@ -77,9 +77,12 @@ def make_pkcs12_info(directory, cert_name, password_name):
 def install_http_certs(host_name, realm_name, subject_base):
     principal = 'HTTP/%s@%s' % (host_name, realm_name)
     # Obtain certificate for the HTTP service
-    nssdir = certs.NSS_DIR
+    http = httpinstance.HTTPInstance()
+    http.create_password_conf()
+    nssdir = paths.HTTPD_ALIAS_DIR
+    subject = subject_base or DN(('O', realm_name))
     db = certs.CertDB(realm_name, nssdir=nssdir, subject_base=subject_base)
-    db.request_service_cert('Server-Cert', principal, host_name, True)
+    db.request_service_cert('Server-Cert', principal, host_name)
 
 
 def install_replica_ds(config, options, ca_is_configured, remote_api,
@@ -1332,9 +1335,9 @@ def install(installer):
 
     dsinstance.create_ds_user()
 
-    # create /etc/httpd/alias NSS Database
+    # create NSS Databases
     http_instance = httpinstance.HTTPInstance()
-    http_instance.create_cert_db()
+    http_instance.create_cert_dbs()
 
     try:
         conn.connect(ccache=ccache)

ipaserver/install/server/upgrade.py

@@ -919,7 +919,7 @@ def certificate_renewal_update(ca, ds, http):
             'ipaCACertRenewal',
         ),
         (
-            paths.HTTPD_ALIAS_DIR,
+            paths.IPA_RADB_DIR,
             'ipaCert',
             'dogtag-ipa-ca-renew-agent',
             template % 'renew_ra_cert_pre',
@@ -1374,7 +1374,7 @@ def fix_trust_flags():
         root_logger.info("CA is not enabled")
         return
 
-    db = certs.CertDB(api.env.realm)
+    db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
     nickname = certdb.get_ca_nickname(api.env.realm)
     cert = db.get_cert_from_db(nickname)
     if cert:
@@ -1540,7 +1540,7 @@ def upgrade_configuration():
         sub_dict['SUBJECT_BASE'] = subject_base
 
     ca = cainstance.CAInstance(
-            api.env.realm, certs.NSS_DIR, host_name=api.env.host)
+            api.env.realm, paths.IPA_RADB_DIR, host_name=api.env.host)
     ca_running = ca.is_running()
 
     with installutils.stopped_service('pki-tomcatd', 'pki-tomcat'):