From 846b1c9b72f539cbe4b8d6e23de81e03b1afec9e Mon Sep 17 00:00:00 2001

From: Jan Cholasta <jcholast@redhat.com>

Date: Tue, 14 Mar 2017 09:32:17 +0100

Subject: [PATCH] certs: do not implicitly create DS pin.txt

Do not implicitly create DS pin.txt in `CertDB.init_from_pkcs12()`, create

it explicitly in `DSInstance.__enable_ssl()`.

This stops the file from being created in /etc/httpd/alias during classic

replica install.

https://pagure.io/freeipa/issue/4639

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

---

 ipaserver/install/certs.py      | 1 -

 ipaserver/install/dsinstance.py | 3 ++-

 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py

index 63e7887c4e73a8346d4eb5d865ddc89c07247573..9f340b8678c55cffe2872df97c643c34857cfaa9 100644

--- a/ipaserver/install/certs.py

+++ b/ipaserver/install/certs.py

@@ -635,7 +635,6 @@ class CertDB(object):

         self.cacert_name = ca_names[-1]

         self.trust_root_cert(self.cacert_name, trust_flags)

-        self.create_pin_file()

         self.export_ca_cert(nickname, False)

     def publish_ca_cert(self, location):

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py

index 91cc180e62b9532e716c07c493b359567b20c749..79dc90e92cac49a2b64ff6645f75dc3a8cbcc104 100644

--- a/ipaserver/install/dsinstance.py

+++ b/ipaserver/install/dsinstance.py

@@ -838,7 +838,8 @@ class DsInstance(service.Service):

                 certmonger.modify_ca_helper('IPA', prev_helper)

             self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False)

-            dsdb.create_pin_file()

+

+        dsdb.create_pin_file()

         self.cacert_name = dsdb.cacert_name

-- 

2.12.1