Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations

It was previously being set to 0444 which triggered a warning
in freeipa-healthcheck.

Even root needs DAC_OVERRIDE capability to write to a 0o444 file
which may not be available in some environments.

https://pagure.io/freeipa/issue/8441

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

ipaserver/install/certs.py

@@ -322,7 +322,7 @@ class CertDB:
         ipautil.backup_file(cacert_fname)
         root_nicknames = self.find_root_cert(nickname)[:-1]
         with open(cacert_fname, "w") as f:
-            os.fchmod(f.fileno(), stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
+            os.fchmod(f.fileno(), 0o644)
             for root in root_nicknames:
                 result = self.run_certutil(["-L", "-n", root, "-a"],
                                            capture_output=True)

ipaserver/install/server/install.py

@@ -904,9 +904,8 @@ def install(installer):
 
         ca.install_step_0(False, None, options, custodia=custodia)
     else:
-        # Put the CA cert where other instances expect it
+        # /etc/ipa/ca.crt is created as a side-effect of
-        x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT)
+        # dsinstance::enable_ssl() via export_ca_cert()
-        os.chmod(paths.IPA_CA_CRT, 0o444)
 
         if not options.no_pkinit:
             x509.write_certificate(http_ca_cert, paths.KDC_CA_BUNDLE_PEM)