Separate RA cert store from the HTTP cert store

This is in preparation for separating out the user under which the
ipa api framework runs.

This commit also removes certs.NSS_DIR to avoid confusion and replaces
it where appropriate with the correct NSS DB directory, either the old
HTTPD_ALIAS_DIR or the RA DB IPA_RADB_DIR. In some cases its use is
removed altogether as it was simply not necessary.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Simo Sorce
2016-12-13 10:32:32 -05:00
committed by Jan Cholasta
parent d2f5fc304f
commit d124e307f3
29 changed files with 299 additions and 163 deletions

@@ -46,7 +46,7 @@ def PKI_TOMCAT_password_callback():
def HTTPD_password_callback():
with open(paths.ALIAS_PWDFILE_TXT) as f:
with open(os.path.join(paths.IPA_RADB_DIR, 'pwdfile.txt')) as f:
password = f.read()
return password
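Review bot: The new open() call in HTTPD_password_callback builds the password file path from a string literal, os.path.join(paths.IPA_RADB_DIR, 'pwdfile.txt'), where the old line used a named constant, paths.ALIAS_PWDFILE_TXT. Consider adding a matching constant for the RA DB password file to the paths module and using it here, so the location is defined in one place and other callers cannot drift from it. The function also keeps the HTTPD_ prefix while it now reads the RA DB password, which works against the commit message's stated aim of avoiding confusion between the two stores; a rename or a short docstring would help.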
@@ -206,7 +206,7 @@ NAME_DB_MAP = {
},
'ra': {
'type': 'NSSDB',
'path': paths.HTTPD_ALIAS_DIR,
'path': paths.IPA_RADB_DIR,
'handler': NSSCertDB,
'pwcallback': HTTPD_password_callback,
},
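Review bot: In the 'ra' entry of NAME_DB_MAP, 'path' now points at paths.IPA_RADB_DIR but 'pwcallback' is still HTTPD_password_callback, so the entry reads as if it mixes the two stores. If the callback is renamed to reflect the RA DB, update this reference in the same change. It would also help to note, in a comment here or in the commit message, how an existing installation whose RA certificate currently lives in HTTPD_ALIAS_DIR gets it into the new directory, since this lookup will no longer search the old location.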