As a part of the procedure of deleting a service or host entry, any certificates issued for them are revoked.
The function that revokes the certificate (located in the service plugin module) is not aware of Sub CAs and calls cert-show without the cacn option. This causes a failure because cert-show will assume the ipa CA for a certificate signed by a Sub CA.
This causes an error during certificate revocation that aborts the delete operation.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1370519
Metadata Update from @mkubik:
- Issue assigned to ftweedal
- Issue set to the milestone: FreeIPA 4.4.2