IPA client removes previously places CA certificates on setup failure.
supplied certs are removed
supplied certs not placed by ipa-client-install should be left alone
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed freeipa-client-4.6.1-3.fc27.x86_64 package ipa-server is not installed package ipa-client is not installed package 389-ds-base is not installed package pki-ca is not installed package krb5-server is not installed
crt file is provided by aonther packagte to aid IdM client registration
This is due to as #ipa-client-install command fails. ipa-client-install --uninstall is called by itself and it cleans
#ipa-client-install
ipa-client-install --uninstall
./ipaplatform/base/paths.py IPA_CA_CRT = "/etc/ipa/ca.crt" ./ipaclient/install/client.py remove_file(paths.IPA_CA_CRT)
./ipaplatform/base/paths.py
remove_file(paths.IPA_CA_CRT)
This is but obvious.
A workaround would be to not supply the cert in /etc/ipa/ca.crt but in some other location instead.
We should keep state of the source of the CA certificate in sysrestore. We should already know the what it is. If the source is file then don't remove it at uninstall or rollback.
Metadata Update from @rcritten: - Issue priority set to: normal - Issue set to the milestone: FreeIPA 4.8
Closed https://pagure.io/freeipa/issue/7388 as a duplicate.
Login to comment on this ticket.