URL: https://github.com/freeipa/freeipa/pull/684
Author: HonzaCholasta
Title: #684: httpinstance: make sure NSS database is backed up
Action: opened

PR body:
"""
The NSS database at /etc/httpd/alias is not properly initialized and backed
up in CA-less replica promotion. This might cause the install to fail after
previous install and uninstall.

Make sure the NSS database is initialized and backed up even in CA-less
replica promotion to fix the issue.

https://pagure.io/freeipa/issue/4639
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/684/head:pr684
git checkout pr684
From 29f4c9c290c814f12cf075b51f984ddb02d1199d Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Mon, 3 Apr 2017 10:49:26 +0000
Subject: [PATCH] httpinstance: make sure NSS database is backed up

The NSS database at /etc/httpd/alias is not properly initialized and backed
up in CA-less replica promotion. This might cause the install to fail after
previous install and uninstall.

Make sure the NSS database is initialized and backed up even in CA-less
replica promotion to fix the issue.

https://pagure.io/freeipa/issue/4639
---
 ipaserver/install/httpinstance.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 01b55e7..79cd218 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -373,10 +373,11 @@ def disable_system_trust(self):
         return False
 
     def __setup_ssl(self):
+        truncate = not self.promote or not self.ca_is_configured
         db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR,
                           subject_base=self.subject_base, user="root",
                           group=constants.HTTPD_GROUP,
-                          truncate=(not self.promote))
+                          truncate=truncate)
         self.disable_system_trust()
         if self.pkcs12_info:
             if self.ca_is_configured:
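Review bot: The new `truncate = not self.promote or not self.ca_is_configured` line at the top of `__setup_ssl` carries no comment, and the flag name `truncate` does not tell a reader that it is what triggers the initialization and backup the commit message describes. A one-line comment above it, naming CA-less replica promotion and the issue link, would make the condition reviewable without the commit log. The remaining case, promotion with a CA configured, still passes `truncate=False` to `certs.CertDB`; please state in the description where the database at `paths.HTTPD_ALIAS_DIR` is initialized and backed up on that path, so the install-after-uninstall failure is known not to apply there. The diffstat shows only `httpinstance.py` changed, so a regression test covering install, uninstall, then CA-less promotion would be worth adding.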
-- 