During lightweight CA key replication, servers that possess a LWCA's signing key are added to a list in the Dogtag authority entry.
When uninstalling a replica, these attribute values are not cleaned up.
This should not result in operational problems - when attempting LWCA key replication, each listed server is tried in turn until the key is successfully retrieved. But it would still be a good idea to perform the clean-up step. It will make logs less noisy and key replication more prompt in the case where CA replicas have been removed.
Can you provide more details on what attributes need to be cleaned up?
@rcritten specifically, the server that is being deleted should be removed from the authorityKeyHost attribute of lightweight CA entries under ou=authorities,ou=ca,o=ipaca.
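The clean-up described in the reply above, as an added example that is not FreeIPA or Dogtag project code: given an LDIF dump of the ou=authorities,ou=ca,o=ipaca subtree and the set of CA replicas that still exist, find authorityKeyHost values that point at removed servers and emit the LDIF that ldapmodify would need to delete them. Assumptions: authorityKeyHost values take the form host:port (labelled as an assumption in the code), the operator supplies the list of live replica hostnames, and the sample entries are constructed, not taken from a real deployment. A lightweight CA whose only listed key host is a removed server is reported rather than edited, because deleting its last authorityKeyHost would leave no server from which the key could be replicated at all.

```python
"""Added example (not FreeIPA/Dogtag code): prune stale authorityKeyHost values."""

AUTHORITIES_BASE = "ou=authorities,ou=ca,o=ipaca"

# DNs of the constructed sample entries (not from any real deployment).
DN_SUBCA_ONE = "cn=4f9b7a1e-2c3d-4e5f-8a9b-0c1d2e3f4a5b," + AUTHORITIES_BASE
DN_SUBCA_TWO = "cn=9d2c1b0a-7e6f-4d5c-b3a2-1f0e9d8c7b6a," + AUTHORITIES_BASE
DN_SUBCA_THREE = "cn=0a1b2c3d-4e5f-4a6b-8c7d-9e8f7a6b5c4d," + AUTHORITIES_BASE

# Constructed LDIF dump mirroring the layout of the LWCA subtree.
SAMPLE_LDIF = f"""\
dn: {AUTHORITIES_BASE}
objectClass: organizationalUnit
ou: authorities

dn: {DN_SUBCA_ONE}
objectClass: authority
authorityDN: CN=Sub CA one,O=EXAMPLE.TEST
authorityKeyHost: replica1.example.test:443
authorityKeyHost: old-replica.example.test:443

dn: {DN_SUBCA_TWO}
objectClass: authority
authorityDN: CN=Sub CA two,O=EXAMPLE.TEST
authorityKeyHost: replica1.example.test:443
authorityKeyHost: replica2.example.test:443

dn: {DN_SUBCA_THREE}
objectClass: authority
authorityDN: CN=Sub CA three,O=EXAMPLE.TEST
authorityKeyHost: decommissioned.example.test:443
"""

# Hostnames of replicas that still exist; in practice supplied by the operator.
LIVE_REPLICAS = {"replica1.example.test", "replica2.example.test"}


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attribute: [values]} dicts.

    Entries are separated by blank lines; a line starting with a space
    continues the previous value; '#' lines are comments.
    """
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    return entries


def key_host_name(value):
    """Assumption: authorityKeyHost values are 'host:port'; return the host."""
    return value.rsplit(":", 1)[0].lower()


def stale_key_hosts(entries, live_hosts):
    """Map each LWCA DN to its authorityKeyHost values naming a removed server."""
    live = {h.lower() for h in live_hosts}
    stale = {}
    for entry in entries:
        dn = entry.get("dn", [""])[0]
        if not dn.lower().endswith(AUTHORITIES_BASE):
            continue  # ignore anything outside the LWCA subtree
        dead = [v for v in entry.get("authorityKeyHost", []) if key_host_name(v) not in live]
        if dead:
            stale[dn] = dead
    return stale


def build_cleanup_ldif(entries, live_hosts):
    """Return (ldif_text, skipped): modify records for ldapmodify, plus the
    entries left untouched because every listed key host would be removed."""
    by_dn = {e["dn"][0]: e for e in entries if "dn" in e}
    chunks, skipped = [], {}
    for dn, dead in stale_key_hosts(entries, live_hosts).items():
        remaining = [v for v in by_dn[dn].get("authorityKeyHost", []) if v not in dead]
        if not remaining:
            skipped[dn] = dead  # never strip the last key host; needs operator review
            continue
        lines = [f"dn: {dn}", "changetype: modify", "delete: authorityKeyHost"]
        lines += [f"authorityKeyHost: {v}" for v in dead]
        lines.append("-")
        chunks.append("\n".join(lines))
    return ("\n\n".join(chunks) + "\n") if chunks else "", skipped


if __name__ == "__main__":
    ldif, skipped = build_cleanup_ldif(parse_ldif(SAMPLE_LDIF), LIVE_REPLICAS)
    print(ldif)
    for dn, hosts in skipped.items():
        print(f"# SKIPPED {dn}: only key hosts are removed servers {hosts}")
```

Run against a real dump by replacing SAMPLE_LDIF with the output of an ldapsearch over the ou=authorities subtree and LIVE_REPLICAS with the current replica hostnames; the printed LDIF is what ldapmodify consumes, and any SKIPPED entry needs a decision on where that LWCA's key now lives before anything is deleted.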
Metadata Update from @slaykovsky:
- Issue priority set to: normal
- Issue set to the milestone: FreeIPA 4.7
Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)
FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone
Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.2 (was: FreeIPA 4.7.1)
FreeIPA 4.7.1 has been released, moving to FreeIPA 4.7.2 milestone