#6672 [RFE] failed ipa-server-certinstall should be able to roll back to a working PKI setup
Opened 3 years ago by mbabinsk. Modified 3 years ago

This ticket was inspired by an IRC conversation with user 'rizonz' on #freeipa IRC channel.

His replacement of the IPA CA-issued HTTPD server cert with a 3rd-party one failed in later stages of the operation, leaving the IPA master in a broken state: the new certificate chain was not imported to the NSS DB due to an error, but the old Server-Cert was already deleted. A manual intervention was required to restore the functionality.

ipa-server-certinstall should be able to roll back to a working PKI if the later steps of certificate replacement fail for whatever reason. This would improve user experience as the respective service would remain working also after a failed operation.

Metadata Update from @mbabinsk:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

3 years ago

Metadata Update from @pvoborni:
- Custom field affects_doc reset
- Custom field tester adjusted to wanted
- Issue close_status updated to: None
- Issue set to the milestone: Future Releases (was: 0.0 NEEDS_TRIAGE)

3 years ago
