This ticket was inspired by an IRC conversation with user 'rizonz' on #freeipa IRC channel.
His replacement of the IPA CA-issued HTTPD server certificate by a third-party one failed in the later stages of the operation, leaving the IPA master in a broken state: the new certificate chain was not imported into the NSS DB because of an error, but the old Server-Cert had already been deleted. Manual intervention was required to restore the service.
ipa-server-certinstall should be able to roll back to a working PKI if the later steps of certificate replacement fail for whatever reason. This would improve the user experience, since the respective service would keep working even after a failed operation.
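As an added illustration (not FreeIPA's own code), this is the snapshot-then-restore pattern the ticket asks for: copy the NSS DB aside, run the replacement steps, verify the new nickname is present, and put the snapshot back if anything fails. The `certutil`/`pk12util` command lines and the `Server-Cert` nickname are assumptions about the real tooling (password options omitted); the demo runs against a constructed fake NSS DB so it works offline.

```python
import os
import shutil
import subprocess
import tempfile

def snapshot_nssdb(nssdb_dir):
    """Copy the whole NSS DB directory aside so it can be put back verbatim."""
    backup = os.path.join(tempfile.mkdtemp(prefix="nssdb-backup-"), "db")
    shutil.copytree(nssdb_dir, backup)
    return backup

def restore_nssdb(nssdb_dir, backup):
    """Roll back: drop the half-modified NSS DB and put the snapshot back."""
    shutil.rmtree(nssdb_dir)
    shutil.copytree(backup, nssdb_dir)

def certutil_steps(nssdb_dir, nickname, pkcs12_file):
    """Assumed real NSS tooling sequence (not run by the demo): delete the old
    cert, import the new chain, then check the new nickname really exists."""
    subprocess.run(["certutil", "-D", "-n", nickname, "-d", nssdb_dir], check=True)
    subprocess.run(["pk12util", "-i", pkcs12_file, "-d", nssdb_dir], check=True)
    subprocess.run(["certutil", "-L", "-n", nickname, "-d", nssdb_dir], check=True)

def replace_server_cert(nssdb_dir, nickname, pkcs12_file, steps=certutil_steps):
    """Run the replacement; on any failure restore the snapshot. True on success."""
    backup = snapshot_nssdb(nssdb_dir)
    try:
        steps(nssdb_dir, nickname, pkcs12_file)
        return True
    except (subprocess.CalledProcessError, OSError, RuntimeError):
        restore_nssdb(nssdb_dir, backup)  # service keeps its old, working cert
        return False
    finally:
        shutil.rmtree(os.path.dirname(backup), ignore_errors=True)

def run_demo():
    """Reproduce the ticket on a constructed fake NSS DB: old cert deleted, import fails."""
    nssdb = tempfile.mkdtemp(prefix="fake-nssdb-")
    db_file = os.path.join(nssdb, "cert8.db")  # one file stands in for the NSS DB
    with open(db_file, "wb") as f:
        f.write(b"old Server-Cert")
    def failing_steps(d, nickname, p12):
        os.remove(os.path.join(d, "cert8.db"))  # old cert already gone...
        raise RuntimeError("import of new chain failed")  # ...then import fails
    ok = replace_server_cert(nssdb, "Server-Cert", "/path/new.p12", steps=failing_steps)
    with open(db_file, "rb") as f:
        restored = f.read()
    shutil.rmtree(nssdb)
    return ok, restored
```

Running `run_demo()` returns `(False, b'old Server-Cert')`: the failed step is reported, and the original DB contents are back in place.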
Metadata Update from @mbabinsk:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE
Metadata Update from @pvoborni:
- Custom field affects_doc reset
- Custom field tester adjusted to wanted
- Issue close_status updated to: None
- Issue set to the milestone: Future Releases (was: 0.0 NEEDS_TRIAGE)