certs: Fix incorrect flag handling in load_cacert

For CA certificates that are not certificates of IPA CA, we incorrectly
set the trust flags to ",,", regardless what the actual trust_flags
parameter was passed.

Make the load_cacert method respect trust_flags and make it a required
argument.

https://fedorahosted.org/freeipa/ticket/4779

Reviewed-By: Jan Cholasta <jcholast@redhat.com>

ipaserver/install/certs.py

@@ -238,7 +238,7 @@ class CertDB(object):
                          "-k", self.passwd_fname])
             self.set_perms(self.pk12_fname)
 
-    def load_cacert(self, cacert_fname, trust_flags='C,,'):
+    def load_cacert(self, cacert_fname, trust_flags):
         """
         Load all the certificates from a given file. It is assumed that
         this file creates CA certificates.
@@ -255,11 +255,9 @@ class CertDB(object):
                 (rdn, subject_dn) = get_cert_nickname(cert)
                 if subject_dn == ca_dn:
                     nick = get_ca_nickname(self.realm)
-                    tf = trust_flags
                 else:
                     nick = str(subject_dn)
-                    tf = ',,'
-                self.nssdb.add_cert(cert, nick, tf, pem=True)
+                self.nssdb.add_cert(cert, nick, trust_flags, pem=True)
             except RuntimeError:
                 break
 

ipaserver/install/dsinstance.py

@@ -840,7 +840,7 @@ class DsInstance(service.Service):
         certdb.cacert_name = cacert_name
         status = True
         try:
-            certdb.load_cacert(cacert_fname)
+            certdb.load_cacert(cacert_fname, 'C,,')
         except ipautil.CalledProcessError, e:
             root_logger.critical("Error importing CA cert file named [%s]: %s" %
                                          (cacert_fname, str(e)))