When a FreeIPA 4.2+ replica is created from an older server (FreeIPA on RHEL-6 in the reported case), the default CA ACL rule is not created, out of concern that the administrator deliberately deleted it and it would be re-added during replica installation.
This, however, means that services and hosts cannot request certificates after such an upgrade via migration.
I expect the majority of admins will be happy with the default rule as is, especially after migration from RHEL-6 to FreeIPA 4.2+. If admins really do not want it and click "delete", they should get an error message like "This rule is managed by FreeIPA and cannot be deleted. Please disable it to make it ineffective".
That should give a better migration experience while at the same time allowing admins to disable the rule in rare cases.
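As an added example (not part of this ticket or of FreeIPA's own code), a post-migration check that parses the output of `ipa caacl-show` for the default rule and reports whether it is present, disabled or enabled, so an admin can recreate or enable it rather than being left with hosts and services that cannot request certificates. The stock rule name, the exact output layout and the three sample outputs are assumptions constructed for the example.

```python
import subprocess

# Name of the default CA ACL that FreeIPA 4.2+ creates on a fresh install
# (assumption: the deployment uses the stock name).
DEFAULT_CAACL = "hosts_services_caIPAserviceCert"

# Constructed samples of what `ipa caacl-show` prints in the three cases.
SAMPLE_ENABLED = """  ACL name: hosts_services_caIPAserviceCert
  Enabled: TRUE
  Host category: all
  Service category: all
  Profiles: caIPAserviceCert
"""
SAMPLE_DISABLED = SAMPLE_ENABLED.replace("Enabled: TRUE", "Enabled: FALSE")
SAMPLE_MISSING = "ipa: ERROR: hosts_services_caIPAserviceCert: CA ACL not found\n"


def parse_caacl_show(output):
    """Turn the 'Key: value' lines of `ipa caacl-show` into a dict."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and not key.startswith("ipa"):  # skip the 'ipa: ERROR:' line
            fields[key.strip()] = value.strip()
    return fields


def caacl_status(output):
    """Classify the rule as 'missing', 'disabled' or 'enabled'."""
    if "not found" in output or "ACL name" not in output:
        return "missing"
    fields = parse_caacl_show(output)
    return "enabled" if fields.get("Enabled", "").upper() == "TRUE" else "disabled"


def check_replica(name=DEFAULT_CAACL):
    """Run `ipa caacl-show` on this replica and return the rule's status."""
    proc = subprocess.run(["ipa", "caacl-show", name],
                          capture_output=True, text=True)
    return caacl_status(proc.stdout + proc.stderr)


if __name__ == "__main__":
    status = check_replica()
    print("default CA ACL is", status)
    if status == "missing":
        # Recreate the stock rule so hosts and services can enrol again.
        print("ipa caacl-add", DEFAULT_CAACL, "--hostcat=all --servicecat=all")
        print("ipa caacl-add-profile", DEFAULT_CAACL, "--certprofiles=caIPAserviceCert")
    elif status == "disabled":
        print("rule exists but is disabled; enable with: ipa caacl-enable", DEFAULT_CAACL)
```

Run it on the replica after the migration; the printed `ipa caacl-add` / `ipa caacl-add-profile` lines restore the stock rule, while an admin who really wants it off uses `ipa caacl-disable` instead of deleting it.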
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1283429
master:
ipa-4-2:
Metadata Update from @mkosek: - Issue assigned to ftweedal - Issue set to the milestone: FreeIPA 4.2.4