This ticket was inspired by an IRC conversation with user 'rizonz' on #freeipa IRC channel.
His replacement of the IPA CA-issued HTTPD server certificate by a third-party one failed in the later stages of the operation, leaving the IPA master in a broken state: the new certificate chain was not imported into the NSS DB because of an error, but the old Server-Cert had already been deleted. Manual intervention was required to restore functionality.
ipa-server-certinstall should be able to roll back to a working PKI if the later steps of certificate replacement fail for whatever reason. This would improve the user experience, as the respective service would keep working even after a failed operation.
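The rollback behaviour the ticket asks for, as an added illustration that is not FreeIPA's own code: `NssDb` is a constructed in-memory stand-in for the NSS database (its `add`/`delete` play the role of certutil imports and deletions), used to contrast the delete-then-import order that produced the broken state with an import-first order that restores the previous Server-Cert when the chain import fails.

```python
SERVER_NICK = "Server-Cert"


class NssDb:
    """Constructed stand-in for an NSS database (not the real certutil/NSS)."""

    def __init__(self, certs):
        self.certs = dict(certs)            # nickname -> certificate blob

    def add(self, nick, blob):
        if not blob:                        # models a failed/malformed import
            raise ValueError(f"import of {nick!r} failed")
        self.certs[nick] = blob

    def delete(self, nick):
        self.certs.pop(nick, None)


def replace_naive(db, new_cert, chain):
    """Order that produced the broken state in the ticket: the old
    Server-Cert is removed before the new chain has been imported."""
    db.delete(SERVER_NICK)
    for nick, blob in chain:
        db.add(nick, blob)
    db.add(SERVER_NICK, new_cert)


def replace_with_rollback(db, new_cert, chain):
    """Import the chain and the new server cert first, replacing the old
    entry only as the last step. On any error, undo the staged imports
    and put back whatever the affected nicknames held before.
    Returns True on success, False after a rollback."""
    staged = []                             # (nickname, previous blob or None)
    try:
        for nick, blob in chain:
            staged.append((nick, db.certs.get(nick)))
            db.add(nick, blob)
        staged.append((SERVER_NICK, db.certs.get(SERVER_NICK)))
        db.add(SERVER_NICK, new_cert)       # old cert is overwritten last
        return True
    except ValueError:
        for nick, previous in reversed(staged):
            if previous is None:
                db.delete(nick)             # remove partially imported entry
            else:
                db.certs[nick] = previous   # restore the earlier certificate
        return False
```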
Metadata Update from @mbabinsk: - Issue assigned to someone - Issue set to the milestone: 0.0 NEEDS_TRIAGE
Metadata Update from @pvoborni: - Custom field affects_doc reset - Custom field tester adjusted to wanted - Issue close_status updated to: None - Issue set to the milestone: Future Releases (was: 0.0 NEEDS_TRIAGE)