From 846b1c9b72f539cbe4b8d6e23de81e03b1afec9e Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 14 Mar 2017 09:32:17 +0100
Subject: [PATCH] certs: do not implicitly create DS pin.txt
Do not implicitly create DS pin.txt in `CertDB.init_from_pkcs12()`, create
it explicitly in `DsInstance.__enable_ssl()`.
This stops the file from being created in /etc/httpd/alias during classic
replica install.
https://pagure.io/freeipa/issue/4639
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
ipaserver/install/certs.py | 1 -
ipaserver/install/dsinstance.py | 3 ++-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 63e7887c4e73a8346d4eb5d865ddc89c07247573..9f340b8678c55cffe2872df97c643c34857cfaa9 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -635,7 +635,6 @@ class CertDB(object):
self.cacert_name = ca_names[-1]
self.trust_root_cert(self.cacert_name, trust_flags)
- self.create_pin_file()
self.export_ca_cert(nickname, False)
def publish_ca_cert(self, location):
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 91cc180e62b9532e716c07c493b359567b20c749..79dc90e92cac49a2b64ff6645f75dc3a8cbcc104 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -838,7 +838,8 @@ class DsInstance(service.Service):
certmonger.modify_ca_helper('IPA', prev_helper)
self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False)
- dsdb.create_pin_file()
+
+ dsdb.create_pin_file()
self.cacert_name = dsdb.cacert_name
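Review bot: The relocated `dsdb.create_pin_file()` call at the end of this hunk has no comment saying why it sits where it does, and only its placement separates the old line from the new one, so a later cleanup could easily move it back or drop it. A short comment above it such as `# pin.txt is no longer written by CertDB.init_from_pkcs12(); create it here for the DS database only` would record the intent. Because the first hunk removes the implicit call from `CertDB.init_from_pkcs12()`, it is worth confirming that no other caller of that method still expects pin.txt to exist afterwards; only the DS path gets an explicit replacement in this patch. The file presumably holds the NSS database password, so it would also be good to check that `create_pin_file()` (not shown) writes it with restrictive permissions. The enclosing method starts and ends outside the hunk.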
--
2.12.1