#9674 Handle PKI 11.6.0 uninstallation
Closed: fixed 6 months ago by rcritten. Opened 7 months ago by rcritten.

Issue

PKI 11.6.0 pkidestroy no longer destroys the entire instance. Run alone, it will stop the service but leave the configuration, certificates and keys along with the subsystem directory (e.g. /etc/pki/pki-tomcat/ca).

There is an additional flag to remove logs but up until now we have always left the existing logs in place.

To remove nearly everything:

pkidestroy -s CA --remove-conf --remove-logs

Note that in my testing this does not leave the system in a state where it can be re-installed.

We are going to need to manually remove a lot more, including the older NSS database, the password file and more.


Does this need to be done separately for each subsystem? E.g. KRA and ACME?

Yes. Fortunately this code is centralized in the DogtagInstance class so this will be a do-once change to some extent.
I have identified other files that aren't removed and we may be able to cover that with broad shutil.rmtree calls. The complete set of directories to recursively remove is TBD.

Metadata Update from @rcritten:
- Issue assigned to rcritten

7 months ago

So apparently pkidestroy was crashing while uninstalling the CA because ACME was still configured, see https://pagure.io/freeipa/issue/9673

Unconfiguring ACME first resolves the majority of the files issue.

Cleanup of other files is in https://pagure.io/freeipa/c/8293b74eca851981c7b61b6dd6505f4799e3c8ce but is not in Fedora yet.

One additional file, /root/kracert.p12, needs to be removed.
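
As an added example (not FreeIPA's or Dogtag's own code), the Python below sketches the per-subsystem teardown this ticket describes: build `pkidestroy -s <SUBSYSTEM> --remove-conf [--remove-logs]` for each subsystem, run ACME before the CA (the crash noted above), then recursively remove whatever survives under /etc/pki/pki-tomcat plus /root/kracert.p12. The function names, the injectable `runner`, and the assumption that the Tomcat instance is `pki-tomcat` are illustrative; the NSS database and password file mentioned earlier are not located here because the ticket does not give their paths.

```python
"""Added example (not FreeIPA code): tear down Dogtag PKI subsystems after
pkidestroy 11.6.0 stopped removing the whole instance.

Paths taken from the ticket: /etc/pki/pki-tomcat/<subsystem>, /root/kracert.p12.
Everything else here (names, ordering helper, runner injection) is illustrative.
"""
import shutil
import subprocess
from pathlib import Path

PKI_INSTANCE_ROOT = Path("/etc/pki/pki-tomcat")  # from the ticket (assumes pki-tomcat)
EXTRA_FILES = [Path("/root/kracert.p12")]         # from the ticket


def destroy_order(subsystems):
    """Order subsystems so ACME is unconfigured before the CA it depends on.

    pkidestroy crashed on the CA while ACME was still configured, so ACME
    goes first; the remaining subsystems keep their relative order.
    """
    subs = [s.lower() for s in subsystems]
    return [s for s in subs if s == "acme"] + [s for s in subs if s != "acme"]


def pkidestroy_cmd(subsystem, remove_conf=True, remove_logs=False):
    """Command line for one subsystem, using the flags quoted in the ticket."""
    cmd = ["pkidestroy", "-s", subsystem.upper()]
    if remove_conf:
        cmd.append("--remove-conf")
    if remove_logs:
        cmd.append("--remove-logs")
    return cmd


def run_pkidestroy(subsystems, remove_logs=False, runner=subprocess.run):
    """Run pkidestroy for each subsystem in dependency-safe order.

    `runner` is injectable (hypothetical) so the sequence can be exercised
    on a machine without PKI installed; it defaults to subprocess.run.
    """
    cmds = [pkidestroy_cmd(s, remove_logs=remove_logs) for s in destroy_order(subsystems)]
    for cmd in cmds:
        runner(cmd, check=True)
    return cmds


def find_leftovers(subsystems, instance_root=PKI_INSTANCE_ROOT, extra_files=EXTRA_FILES):
    """Subsystem directories and extra files that survived pkidestroy."""
    candidates = [Path(instance_root) / s.lower() for s in subsystems] + list(extra_files)
    return [p for p in candidates if p.exists() or p.is_symlink()]


def remove_leftovers(paths):
    """Recursively remove directories, unlink files, tolerate ones already gone.

    Returns (removed, missing) so the caller can record what was cleaned.
    A symlink is unlinked rather than followed, so rmtree never recurses
    into a directory outside the instance tree.
    """
    removed, missing = [], []
    for p in map(Path, paths):
        if p.is_dir() and not p.is_symlink():
            shutil.rmtree(p)
        elif p.exists() or p.is_symlink():
            p.unlink()
        else:
            missing.append(p)
            continue
        removed.append(p)
    return removed, missing


def uninstall(subsystems, remove_logs=False, runner=subprocess.run,
              instance_root=PKI_INSTANCE_ROOT, extra_files=EXTRA_FILES):
    """pkidestroy each subsystem, then remove whatever it left behind."""
    run_pkidestroy(subsystems, remove_logs=remove_logs, runner=runner)
    return remove_leftovers(find_leftovers(subsystems, instance_root, extra_files))


if __name__ == "__main__":
    # Dry run: show the command sequence without touching the system.
    for cmd in (pkidestroy_cmd(s) for s in destroy_order(["CA", "KRA", "ACME"])):
        print(" ".join(cmd))
```

Running the module prints the command sequence only; `uninstall()` is what actually stops the services and deletes the directories, so run it as root on a host you intend to reinstall, and pass `remove_logs=True` only if you are fine losing the audit logs the ticket says have so far always been kept.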

master:

  • 273f68b Don't rely on removing the CA to uninstall the ACME deployment

ipa-4-12:

  • a785d0c Don't rely on removing the CA to uninstall the ACME deployment

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 months ago

master:

  • 48479d4 Small fixup to determine which ACME uninstaller to use

ipa-4-12:

  • 9a2de23 Small fixup to determine which ACME uninstaller to use

6 months ago
