From 471dfcbe1cc3f319da788add3661cb6d63e3c0f0 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Apr 04 2017 08:21:50 +0000
Subject: httpinstance: make sure NSS database is backed up
The NSS database at /etc/httpd/alias is not properly initialized and backed up in CA-less replica promotion. This might cause the install to fail after previous install and uninstall. Make sure the NSS database is initialized and backed up even in CA-less replica promotion to fix the issue.
https://pagure.io/freeipa/issue/4639
Reviewed-By: Stanislav Laznicka
---
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 3e4252c..079ea92 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -375,10 +375,11 @@ class HTTPInstance(service.Service):
 return False
 def __setup_ssl(self):
+ truncate = not self.promote or not self.ca_is_configured
 db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR, subject_base=self.subject_base, user="root", group=constants.HTTPD_GROUP,
- truncate=(not self.promote))
+ truncate=truncate)
 self.disable_system_trust()
 if self.pkcs12_info:
 if self.ca_is_configured:
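Review bot: The new `truncate = not self.promote or not self.ca_is_configured` line in `__setup_ssl` carries the whole fix, yet nothing beside it says why a CA-less promotion has to recreate the database, so a later cleanup could easily fold it back to `not self.promote`. I would write it as `truncate = not (self.promote and self.ca_is_configured)` with a comment above it such as `# keep the existing NSS DB only when promoting with a CA; otherwise reinitialize and back it up (issue 4639)`. Since this database presumably holds the web server's TLS key material, it is also worth confirming that the backup taken on this path keeps the same restrictive ownership and mode as the original, which cannot be seen from this hunk. The body of `__setup_ssl` continues past the last visible line.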